<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
-----BEGIN PGP SIGNED MESSAGE----- <br>
Hash: SHA1 <br>
<br>
I'm not about it.<br>
<br>
server-first keyword deprecated in 3.5.x.<br>
<br>
AFAIK, keywork "bump" now has yet another meaningful.<br>
<br>
And also: in your example can only use acl "all". Any other ACL's
leading "Bungled config line" error.<br>
<br>
I.e, for example,<br>
<br>
acl net_bump acl net_bump src 192.168.101.0/24<br>
ssl_bump peek step1 net_bump<br>
ssl_bump server-first step2 net_bump<br>
<br>
breaks configuration.<br>
<br>
26.01.2015 22:14, Daniel Greenwald пишет:<br>
<span style="white-space: pre;">> call it what you want, it works
:)<br>
><br>
> -----------<br>
> Daniel I Greenwald<br>
><br>
><br>
><br>
> On Mon, Jan 26, 2015 at 10:51 AM, Yuri Voinov
<<a class="moz-txt-link-abbreviated" href="mailto:yvoinov@gmail.com">yvoinov@gmail.com</a> <a class="moz-txt-link-rfc2396E" href="mailto:yvoinov@gmail.com"><mailto:yvoinov@gmail.com></a>> wrote:<br>
><br>
><br>
> Daniel,<br>
><br>
> well,<br>
><br>
> but AFAIK server-first directive is deprecated in 3.5.x.<br>
><br>
> Hmmmmmm?<br>
><br>
> 26.01.2015 19:37, Daniel Greenwald пишет:<br>
> > See below. Nothing else too interesting. Those four
lines were the key.<br>
><br>
> > http_port 3128<br>
> > http_port 3180 intercept<br>
> > https_port 3443 intercept ssl-bump
generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
cert=/usr/local/squid/ssl_cert/myCA.pem<br>
> > sslcrtd_program /usr/lib64/squid/ssl_crtd -s
/usr/local/squid/var/lib/ssl_db -M 16MB<br>
> > sslcrtd_children 10<br>
> > logformat dig %{%Y-%m-%d %H:%M:%S}tl %6tr %>a
%Ss/%03>Hs %<st %rm %ru %un %Sh/%<A "%{User-Agent}>h"<br>
> > logfile_rotate 10<br>
> > access_log /var/log/squid/access.log dig<br>
> > pinger_enable off<br>
><br>
> > acl step1 at_step SslBump1<br>
> > acl step2 at_step SslBump2<br>
> > ssl_bump peek step1 all<br>
> > ssl_bump server-first step2 all<br>
><br>
> > acl SSL_ports port 443<br>
> > acl Safe_ports port 80 443<br>
> > acl CONNECT method CONNECT<br>
> > http_access deny !Safe_ports<br>
> > http_access deny CONNECT !SSL_ports<br>
><br>
> > http_access allow localhost manager<br>
> > http_access deny manager<br>
> > http_access deny to_localhost<br>
><br>
> > http_access allow all<br>
> > http_access deny all<br>
><br>
> > # Uncomment and adjust the following to add a disk cache
directory.<br>
> > #cache_dir ufs /var/spool/squid 100 16 256<br>
><br>
> > # Leave coredumps in the first cache dir<br>
> > coredump_dir /var/spool/squid<br>
><br>
> > #<br>
> > # Add any of your own refresh_pattern entries above
these.<br>
> > #<br>
> > refresh_pattern ^ftp: 1440 20% 10080<br>
> > refresh_pattern ^gopher: 1440 0% 1440<br>
> > refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br>
> > refresh_pattern . 0 20% 4320<br>
><br>
><br>
><br>
><br>
><br>
> > -----------<br>
> > Daniel I Greenwald<br>
><br>
><br>
><br>
> > On Mon, Jan 26, 2015 at 3:28 AM, Rafael Akchurin
<<a class="moz-txt-link-abbreviated" href="mailto:rafael.akchurin@diladele.com">rafael.akchurin@diladele.com</a>
<a class="moz-txt-link-rfc2396E" href="mailto:rafael.akchurin@diladele.com"><mailto:rafael.akchurin@diladele.com></a>
<a class="moz-txt-link-rfc2396E" href="mailto:rafael.akchurin@diladele.com"><mailto:rafael.akchurin@diladele.com></a>
<a class="moz-txt-link-rfc2396E" href="mailto:rafael.akchurin@diladele.com"><mailto:rafael.akchurin@diladele.com></a>> wrote:<br>
><br>
> > Hello Daniel, Yuri<br>
><br>
><br>
> > May be you could dump your whole squid.conf here
(please remove any sensitive details).<br>
><br>
> > I still cannot understand once Squid has the target
server hostname from SNI - where is the acl/rule in squid.conf
that can be used with this info present?<br>
><br>
><br>
> > Best regards,<br>
><br>
> > Rafael<br>
><br>
><br>
> > -------------------------<br>
> > *From:* squid-users
<<a class="moz-txt-link-abbreviated" href="mailto:squid-users-bounces@lists.squid-cache.org">squid-users-bounces@lists.squid-cache.org</a>
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users-bounces@lists.squid-cache.org"><mailto:squid-users-bounces@lists.squid-cache.org></a>
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users-bounces@lists.squid-cache.org"><mailto:squid-users-bounces@lists.squid-cache.org></a>
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users-bounces@lists.squid-cache.org"><mailto:squid-users-bounces@lists.squid-cache.org></a>> on
behalf of Daniel Greenwald <<a class="moz-txt-link-abbreviated" href="mailto:dig@digcorp.net">dig@digcorp.net</a>
<a class="moz-txt-link-rfc2396E" href="mailto:dig@digcorp.net"><mailto:dig@digcorp.net></a> <a class="moz-txt-link-rfc2396E" href="mailto:dig@digcorp.net"><mailto:dig@digcorp.net></a>
<a class="moz-txt-link-rfc2396E" href="mailto:dig@digcorp.net"><mailto:dig@digcorp.net></a>><br>
> > *Sent:* Monday, January 26, 2015 5:39 AM<br>
> > *To:* Yuri Voinov<br>
> > *Cc:* <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users@lists.squid-cache.org"><mailto:squid-users@lists.squid-cache.org></a>
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users@lists.squid-cache.org"><mailto:squid-users@lists.squid-cache.org></a>
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users@lists.squid-cache.org"><mailto:squid-users@lists.squid-cache.org></a><br>
> > *Subject:* Re: [squid-users] Why 3.5.0.4 generates
mimicked certs with server IP only when bumping?<br>
><br>
> > Thank you Amos,<br>
> > Based on your explanation I was able to make bumping
work for transparent with no browser errors in 3.5.1 by using the
following. If I understand correctly, this is actually whats
required to mimic the behavior of pre 3.5 (sslbump server-first
all) :<br>
><br>
> > acl step1 at_step SslBump1<br>
> > acl step2 at_step SslBump2<br>
> > ssl_bump peek step1 all<br>
> > ssl_bump server-first step2 all<br>
><br>
> > Hope that helps Yuri or any one else with this
issue.<br>
><br>
> > PS So far this is working great for eg gmail.com
<a class="moz-txt-link-rfc2396E" href="http://gmail.com"><http://gmail.com></a> <a class="moz-txt-link-rfc2396E" href="http://gmail.com"><http://gmail.com></a>
<a class="moz-txt-link-rfc2396E" href="http://gmail.com"><http://gmail.com></a> which in previous version would throw
browser errors!<br>
><br>
> > -----------<br>
> > Daniel I Greenwald<br>
><br>
><br>
><br>
> > On Fri, Jan 9, 2015 at 2:51 PM, Yuri Voinov
<<a class="moz-txt-link-abbreviated" href="mailto:yvoinov@gmail.com">yvoinov@gmail.com</a> <a class="moz-txt-link-rfc2396E" href="mailto:yvoinov@gmail.com"><mailto:yvoinov@gmail.com></a>
<a class="moz-txt-link-rfc2396E" href="mailto:yvoinov@gmail.com"><mailto:yvoinov@gmail.com></a>
<a class="moz-txt-link-rfc2396E" href="mailto:yvoinov@gmail.com"><mailto:yvoinov@gmail.com></a>> wrote:<br>
><br>
><br>
> > How can that be?<br>
><br>
> > All HSTS sites cry with 3.5 bump option - they don't
like host IP as CN,<br>
> > other sites behaviour depending they (and browsers)
settings.<br>
><br>
> > Is it possible to keep server-first behaviour in 3.5.x ?<br>
><br>
> > WBR, Yuri<br>
><br>
> > 09.01.2015 16:57, Amos Jeffries пишет:<br>
> > > On 9/01/2015 11:45 p.m., Yuri Voinov wrote:<br>
><br>
> > > > I have working production 3.4.10 with working
ssl bumping.<br>
><br>
> > > > Config was the same as working 3.4.10. I've
just want to take a<br>
> > > > look on new release.<br>
><br>
> > > > in squid.documented said, than backward
compatibility server-first<br>
> > > > and none options for ssl_bump are kept.<br>
><br>
> > > > But:<br>
><br>
> > > > Neither works with old syntax, nor new.<br>
><br>
> > > > Looks like target https hosts not resolved and
bump got only IP.<br>
><br>
> > > The config values are still accepted, but there is
an extra bumping<br>
> > > stage now before the SNI is available.<br>
><br>
> > > You are wanting to peek at stage 1 (to get the
client SNI details) and<br>
> > > server-first/splice at stage 2 (using the domain).
Otherwise All Squid<br>
> > > works with when intercepting are the TCP IPs.<br>
><br>
> > > Amos<br>
><br>
> > _______________________________________________<br>
> > squid-users mailing list<br>
> > <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users@lists.squid-cache.org"><mailto:squid-users@lists.squid-cache.org></a>
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users@lists.squid-cache.org"><mailto:squid-users@lists.squid-cache.org></a>
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users@lists.squid-cache.org"><mailto:squid-users@lists.squid-cache.org></a><br>
> >
<a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a><br>
><br>
><br>
><br>
><br>
><br>
></span><br>
<br>
-----BEGIN PGP SIGNATURE-----
<br>
Version: GnuPG v2
<br>
<br>
iQEcBAEBAgAGBQJUxm0+AAoJENNXIZxhPexGmocH/A/s1Ly6roeR2bjqQ38qVKpK
<br>
tg77sdsdA+nreX1xJZR1MXqEtBsVpHB/StesAKz5Qnxs9pD2oqtE7HtNVfzJ+1+J
<br>
uGjtAUZxXS1A128nTDdg3LlSI+AhRaR6RFzaAkk8U75cG4osphvOx5ksns0OznkF
<br>
bY7dFZN6veFhKf73S+2DDQ30WLBppmJPUicBTfJ5+kqCs5z66WHikUiDUE2rb9yu
<br>
Rr9P+YdHONFNnhT1f4YXbpDLS4uV9E83rR60nM88ygIg2J5VzdOmlxRoDpGA6Ko8
<br>
TsQJ9FQjfvmUrv5+60sYxoLxdGTIUCAPaeW03ybj/hLos9Mgph/4aWTgKcmG238=
<br>
=/uNz
<br>
-----END PGP SIGNATURE-----
<br>
<br>
</body>
</html>