[squid-users] Microsoft store issues with ssl-bump
Eliezer Croitoru
ngtech1ltd at gmail.com
Tue Jan 12 15:46:44 UTC 2021
Alex,
I am using the following stare rule:
acl tls_s1_connect at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3
ssl_bump stare tls_s2_client_hello
Which I am not sure about.
For now this issue seems to be gone.
I don't know why or how but it seems that some IP rotation is happening as we speak/write.
The IP address my service was accessing is different than the one now so I think what Amos
wrote is probably the real reason, i.e. that the service certificate was for another service CN/DNS Name.
While it's OK for the Windows client it's not OK for Squid and any other SNI-based certificate validator.
Thanks Helped and Helps,
Eliezer
----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd at gmail.com
Zoom: Coming soon
-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Alex Rousskov
Sent: Tuesday, January 12, 2021 5:15 PM
To: Squid Users <squid-users at lists.squid-cache.org>
Subject: Re: [squid-users] Microsoft store issues with ssl-bump
On 1/12/21 7:42 AM, Amos Jeffries wrote:
> IIRC latest Squid forces the client to TLS/1.2 when
> preparing to bump, but may not for splice and stare. So YMMV.
FTR: Bugs notwithstanding, modern Squid changes nothing on TLS level
when peeking, splicing, and/or terminating. Squid changes TLS bytes when
staring and/or bumping.
Alex.
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users