[squid-users] Peeking on TLS traffic: unknown cipher returned
Jason Haar
jason_haar at trimble.com
Thu Oct 20 04:12:08 UTC 2016
On Thu, Oct 20, 2016 at 5:01 PM, Alex Rousskov <rousskov at measurement-factory.com> wrote:
> Please note that "peek and make a decision based on SNI" is not what
> your configuration tells Squid to do.
>
This is a complex situation for most people (myself included); can you tell
us how to "peek and make a decision based on SNI"?
I'm probably like the original poster in that I simply want to be able to
do transparent proxy of TCP/443 so as to better log HTTPS transactions. I
wouldn't even bother with the "terminate" bit - if I wanted to blacklist
some HTTPS sites, I'd rather rely on the normal non-bumping ACLs, the
SNI-learnt domain names - and "deny" - I don't care if a cleartext blob is
sent through to a client who thinks it's TLS - it will break and that's all
that matters. Anything better *requires* full MiTM which I want to avoid as
I believe it has no future due to pinning.
Off to upgrade to 3.5.22 :-)
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
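The "peek, then decide on SNI without bumping" setup asked about above, as an added squid.conf fragment for Squid 3.5 that is not part of this thread or of Squid's own documentation. The port number, certificate path, local network range and the `.example.test` domain are assumed placeholders.

```conf
# Added example (not from the thread): intercept TCP/443, peek at the
# ClientHello to learn the SNI, then splice (tunnel untouched) or deny.
# Assumed values: port 3129, the cert path, 10.0.0.0/8 and .example.test.

# Interception port. A cert= is required on every ssl-bump port even when
# connections are only peeked/spliced; it is never presented to clients here.
https_port 3129 intercept ssl-bump cert=/etc/squid/squid.pem

acl localnet src 10.0.0.0/8

# Step ACLs: SslBump1 sees only the TCP connection (no SNI yet),
# SslBump2 runs after the client's ClientHello has been peeked.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# ssl::server_name carries the SNI only from step 2 onward; at step 1 it
# can match nothing better than the intercepted destination IP address.
acl denied_sni ssl::server_name .example.test

# Step 1: peek so the ClientHello is read and the SNI becomes known.
ssl_bump peek step1
# Step 2: never bump; tunnel everything that survives http_access unchanged.
ssl_bump splice all

# Policy lives in the normal http_access rules. Squid re-checks them on the
# fake CONNECT request once the SNI is known, so the deny below fires at
# step 2. The denied client receives an HTTP error page on what it believes
# is a TLS socket, so its handshake fails; nothing is decrypted or forged.
http_access deny denied_sni
http_access allow localnet
http_access deny all
```

Spliced connections still appear in access.log as CONNECT entries whose host is the learnt SNI, which is what gives the per-site HTTPS logging without a MITM.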