[squid-users] Squid 4.x acl server_cert_fingerprint for bump no matches

David Touzeau david at articatech.com
Fri May 15 07:28:56 UTC 2020


Thanks Alex, made this one on Squid 4.10


acl TestFinger server_cert_fingerprint 77:F6:8D:C1:0A:DF:94:8B:43:1F:8E:0E:91:5E:0C:32:42:8B:99:C9
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3
ssl_bump peek ssl_step2
ssl_bump splice ssl_step3 TestFinger
ssl_bump stare ssl_step2 all
ssl_bump bump all

But no luck, the website is still decrypted.


On 13/05/2020 at 21:33, Alex Rousskov wrote:
> On 5/12/20 7:42 AM, David Touzeau wrote:
>> ssl_bump peek ssl_step1
>> ssl_bump splice TestFinger
>> ssl_bump stare ssl_step2 all
>> ssl_bump bump all
>> Seems the TestFinger ACL did not match in any case
> You are trying to use step3 information (i.e., the server certificate)
> during SslBump step2: The "splice TestFinger" line is tested during
> step2 and mismatches because the server certificate is still unknown
> during that step. That mismatch results in Squid staring during step2.
> The "splice TestFinger" line is not tested during step3 because splicing
> is not possible after staring. Thus, Squid reaches "bump all" and bumps.
>
> For a detailed description of what happens (and what information is
> available) during each SslBump step, please see
> https://wiki.squid-cache.org/Features/SslPeekAndSplice
>
> Also, if you are running v4.9 or earlier, please upgrade. We fixed one
> server_cert_fingerprint bug, and that fix became a part of the v4.10
> release (commit e0eca4c).
>
>
> HTH,
>
> Alex.

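As an added example (not David's posted configuration and not from the Squid project), here is the rule ordering that follows Alex's explanation, reusing the thread's ACL names and fingerprint. In the posted configuration nothing but "bump all" can match at step 1, because "peek ssl_step2" only matches at step 2, so the connection is bumped before the server certificate is ever seen.

```squid
# Added example; ACL names and fingerprint are the ones from the thread.
acl TestFinger server_cert_fingerprint 77:F6:8D:C1:0A:DF:94:8B:43:1F:8E:0E:91:5E:0C:32:42:8B:99:C9
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3

# Step 1: only the client's TLS hello (SNI) is known. Peek, so that the
# connection stays spliceable; "bump" here would decrypt immediately.
ssl_bump peek ssl_step1

# Step 2: this rule is evaluated before the server certificate is available,
# so it must not depend on TestFinger. Peek (not stare): staring at the
# server certificate precludes splicing at step 3.
ssl_bump peek ssl_step2

# Step 3: the server certificate is now known, so the fingerprint ACL can
# match. Splice (pass through undecrypted) when it does.
ssl_bump splice ssl_step3 TestFinger

# Everything else is bumped. Trade-off: after peeking at step 2 Squid has
# relayed the client's own hello, and Squid's documentation notes that
# peeking at the server certificate usually precludes later bumping, so
# bumping may fail for some servers. If reliable bumping matters more than
# splicing on the server certificate, stare at step 2 instead and accept
# that the splice rule can then never match.
ssl_bump bump all
```

server_cert_fingerprint compares a SHA-1 fingerprint, so the value to configure is what `openssl x509 -noout -sha1 -fingerprint` prints for the server's leaf certificate.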