[squid-users] Microsoft store issues with ssl-bump
Amos Jeffries
squid3 at treenet.co.nz
Tue Jan 12 12:42:16 UTC 2021
On 12/01/21 11:32 pm, NgTech LTD wrote:
> I'm saying that my config might be wrong and I will send you a full
> config save which can show you the whole setup like most vendors have.
> I have upgraded squid in production.
>
> Let me verify first before shouting "bug".
>
> Eliezer
>
Okay. I see a few things to follow up on.
The other proxy logs show SNI as being
"https://storeedgefd.dsx.mp.microsoft.com:443". SNI should be only a
name, not a full URL. So if we assume that log is correct the client is
producing invalid SNI. This may be an issue for Squid, causing it to
ignore the SNI value entirely.
The openssl tool connecting to the same IP address the other proxy
claims to be going to gets "sfdataservice.microsoft.com" as the server
name. In absence of valid SNI to work with that is the name your Squid
will be trying to match against to decide splice vs bump.
The server prefers to use TLS/1.3 unless explicitly connected to with
TLS/1.2 immediately. IIRC the latest Squid forces the client to TLS/1.2 when
preparing to bump, but may not for splice and stare. So YMMV.
Amos