[squid-users] Splice certain SNIs which served by the same IP

Ben Goz ben.goz87 at gmail.com
Tue Feb 22 12:05:22 UTC 2022


By the help of God.

If I'm using the self signed certificate that I created for the ssl bump,
then the browser considers it as the same certificate for any domain I'm
connecting to?

On Tue, 22 Feb 2022 at 7:35, Eliezer Croitoru <ngtech1ltd at gmail.com> wrote:

> Thanks Christos,
>
> I was aware of such things but haven't seen such a case.
> Is there any way to "reproduce" this?
> I believe it should be documented in the wiki.
>
> Thanks,
>
> ----
> Eliezer Croitoru
> NgTech, Tech Support
> Mobile: +972-5-28704261
> Email: ngtech1ltd at gmail.com
>
> -----Original Message-----
> From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf
> Of Christos Tsantilas
> Sent: Monday, February 21, 2022 11:41
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Splice certain SNIs which served by the same IP
>
> Hi Ben,
>
> When HTTP/2 is used, requests for two different domains may be served using
> the same TLS connection if both domains are served from the same remote
> server and use the same TLS certificate.
> There is a description here:
>     https://daniel.haxx.se/blog/2016/08/18/http2-connection-coalescing/
>
> And a similar problem report here:
>     https://bugs.chromium.org/p/chromium/issues/detail?id=1176673
>
> Regards,
>     Christos
>
>
> On 14/2/22 3:49 p.m., Ben Goz wrote:
> > By the help of God.
> >
> > Hi,
> > My squid version is 4.15, using it in a tproxy configuration.
> >
> > I'm using ssl bump to intercept https connections, but I want to splice
> > several domains.
> > I have a problem that when I'm splicing some google domains, e.g.
> > youtube.com, then the gmail.com domain also gets spliced.
> >
> > I know that it is very common for google servers to host multiple
> > domains on a single server.
> > And I suspect that when I'm splicing, for example, youtube.com
> > it'll also splice google.com.
> >
> > Here is my squid configuration for the ssl bump:
> >
> > https_port xxxx ssl-bump tproxy generate-host-certificates=on
> > options=ALL dynamic_cert_mem_cache_size=4MB
> > cert=/usr/local/squid/etc/ssl_cert/myCA.pem
> > dhparams=/usr/local/squid/etc/dhparam.pem sslflags=NO_DEFAULT_CA
> >
> > acl DiscoverSNIHost at_step SslBump1
> >
> > acl NoSSLIntercept ssl::server_name  "/usr/local/squid/etc/url-no-bump"
> > acl NoSSLInterceptRegexp ssl::server_name_regex -i
> > "/usr/local/squid/etc/url-no-bump-regexp"
> > ssl_bump splice NoSSLInterceptRegexp_always
> > ssl_bump splice NoSSLIntercept
> > ssl_bump splice NoSSLInterceptRegexp
> > ssl_bump peek DiscoverSNIHost
> > ssl_bump bump all
> >
> >
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
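The behaviour Christos describes (an HTTP/2 client reusing one spliced TLS connection for a second hostname that resolves to the same address and is covered by the same certificate) can be audited offline once you know each host's addresses and certificate SANs. The Python below is an added example, not code from this thread or from Squid. The hostnames, IP addresses and SAN lists are constructed for the demo; `fetch_sans` is a hypothetical helper name around the standard `ssl` module for anyone who wants to feed it live data instead.

```python
"""Audit which hostnames an HTTP/2 client could coalesce onto a spliced TLS
connection.  Assumed model (the coalescing rules linked in the thread):
a browser reuses an open h2 connection for a new hostname only if
  1. the new hostname resolves to an IP address of that connection, and
  2. the certificate on that connection is valid for the new hostname.
Squid decides splice/bump from the first ClientHello's SNI only, so every
hostname meeting both conditions inherits that first hostname's decision.
"""
import socket
import ssl


def san_matches(san: str, hostname: str) -> bool:
    """RFC 6125-style dNSName match: exact, or '*' as the whole left-most label."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if san == hostname:
        return True
    if not san.startswith("*."):
        return False
    suffix = san[1:]  # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]
    return left != "" and "." not in left  # wildcard covers exactly one label


def cert_covers(sans, hostname):
    return any(san_matches(s, hostname) for s in sans)


def coalescable_hosts(spliced_host, dns, certs, candidates):
    """Hosts in `candidates` that could ride on spliced_host's h2 connection."""
    spliced_ips = dns[spliced_host]
    sans = certs[spliced_host]
    return sorted(
        h for h in candidates
        if h != spliced_host and dns[h] & spliced_ips and cert_covers(sans, h)
    )


def splice_leakage(splice_list, dns, certs):
    """Map each spliced host to the hosts that escape bumping through it."""
    return {s: coalescable_hosts(s, dns, certs, dns) for s in splice_list}


def fetch_sans(hostname, port=443, timeout=5):
    """Optional live helper (hypothetical name): read the dNSName SANs a real
    server presents.  Not used by the offline demo below; needs network access."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


# Constructed sample data (made up for this example; not real Google hosts).
DNS = {
    "video.example.com": {"203.0.113.10", "203.0.113.11"},
    "mail.example.com": {"203.0.113.11"},   # shares an IP with video, same cert
    "docs.example.com": {"203.0.113.20"},   # same cert, but no shared IP
    "cdn.example.org": {"203.0.113.10"},    # shared IP, but cert does not cover it
}
CERTS = {
    "video.example.com": ["*.example.com", "example.com"],
    "mail.example.com": ["*.example.com", "example.com"],
    "docs.example.com": ["*.example.com", "example.com"],
    "cdn.example.org": ["cdn.example.org"],
}

if __name__ == "__main__":
    for spliced, leaked in splice_leakage(["video.example.com"], DNS, CERTS).items():
        print(f"splice {spliced}: also reaches {leaked or 'nothing'} unbumped")
```

Splicing `video.example.com` in this data also lets `mail.example.com` bypass bumping: it shares 203.0.113.11 and is covered by the `*.example.com` SAN. `docs.example.com` (no shared address) and `cdn.example.org` (not in the certificate) stay bumped. The practical consequence for a splice list like the one in Ben's config is that its effective scope is the coalescing closure of the listed names, not the names themselves; the audit assumes the client negotiated h2 on the spliced connection.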