[squid-users] Trying to set up SSL cache
Dave Blanchard
dave at killthe.net
Fri Feb 25 19:15:44 UTC 2022
On Sat, 26 Feb 2022 00:16:30 +1300
Amos Jeffries <squid3 at treenet.co.nz> wrote:
> [...]
>
> There are a few things to be aware of while troubleshooting:
>
> * not all TLS connections can be bump'ed. TLS is designed to prevent
> exactly the type of decrypt that bump does. If the client and server are
> using TLS properly bump *will* fail.
>
>
> * Google are known to be rather pedantic about security. So having their
> software at either end of the TLS when testing is more likely to hit
> such non-decryptable TLS connections.
>
>
> * Checking the test web service for TLS certificate pinning or DANE.
> Both of these lock the/some client into using the original server
> certificate and they will unavoidably reject the Squid signing CA.
>
> * Check traffic from the web server for HTTPS-Transport-Security or
> Alt-Svc HTTP headers. Both of these can break SSL-Bump if they reach a
> client. What is worse they can force arbitrarily long cache times for
> the info they contain, causing breakage to extend across the whole
> period. Only a full client purge of state and never receiving the info
> again can via any protocol fix these.
>
>
> Amos
Hi Amos, this is very useful info; thank you. I've just added in some rules to drop the HSTS and Alt-Svc headers to avoid this trouble. Thanks for explaining step by step how these bump rules affect the proxy behavior.
--
Dave Blanchard <dave at killthe.net>
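To turn the check Amos suggests into something repeatable, here is an added example (not code from this thread or from the Squid project) that inspects a server's response headers for `Strict-Transport-Security` and `Alt-Svc` and works out how long a client would retain each one, which is the period the quoted reply warns the breakage would persist. The sample header sets are constructed for illustration; the 24-hour default for `Alt-Svc` entries without `ma=` follows RFC 7838.

```python
import re

# Constructed sample response headers (not captured from any real server):
# one host that sends both headers, one that sends neither.
SAMPLE_HEADERS = {
    "both.example": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
        "Alt-Svc": 'h3=":443"; ma=2592000, h2=":443"',
    },
    "plain.example": {
        "Content-Type": "text/html",
    },
}

ALT_SVC_DEFAULT_MA = 86400  # RFC 7838: alternatives without "ma" live 24 hours


def hsts_max_age(value):
    """Return the HSTS max-age in seconds, or None if the directive is missing."""
    m = re.search(r'max-age\s*=\s*"?(\d+)"?', value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def alt_svc_max_age(value):
    """Return the longest lifetime (seconds) among the Alt-Svc alternatives."""
    if value.strip().lower() == "clear":
        return 0  # "clear" tells the client to forget all alternatives
    longest = 0
    for alternative in value.split(","):
        m = re.search(r'\bma\s*=\s*"?(\d+)"?', alternative, re.IGNORECASE)
        longest = max(longest, int(m.group(1)) if m else ALT_SVC_DEFAULT_MA)
    return longest


def bump_breaking_headers(headers):
    """Map each header the reply warns about to how long a client remembers it."""
    lower = {k.lower(): v for k, v in headers.items()}
    found = {}
    if "strict-transport-security" in lower:
        found["Strict-Transport-Security"] = hsts_max_age(lower["strict-transport-security"])
    if "alt-svc" in lower:
        found["Alt-Svc"] = alt_svc_max_age(lower["alt-svc"])
    return found


if __name__ == "__main__":
    for host, headers in SAMPLE_HEADERS.items():
        print(host, bump_breaking_headers(headers))
```

Run it against headers captured from the test web service (for example from `curl -sI`) to see which of the two headers the server actually sends before deciding whether a `reply_header_access` rule is needed.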