[squid-users] Microsoft store issues with ssl-bump
Lorenzo Marcantonio
l.marcantonio at proxind.it
Tue Jan 12 08:57:44 UTC 2021
On Tue, Jan 12, 2021 at 10:33:00AM +0200, Eliezer Croitoru wrote:
>
> Any hints might help to find and resolve this issue
From my experience MS Update and probably the store too use custom root
certificates; check if that's the case. It's also possible that that
connection is so hardwired that it doesn't accept a redirect. So it sees
that and become suspicious (Windows Update is extremely suspicious :D)
For some antivirus (avast maybe? I don't remember) the updater actually
checks the server certificate fingerprint so you can't bump it and you
need a special NAT rule for all the fscking IPs it uses (if you set a
proxy it does a connect BY IP and not by name, and the IPs are hardcoded
and not resolved by DNS).
So it is possible you can't bump a store connection (remember that
technically a bump is a MITM intrusion that TLS is explicitely design to
detect!)
--
Lorenzo Marcantonio
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20210112/b8031d33/attachment.sig>
More information about the squid-users
mailing list