<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none"><!-- p { margin-top: 0px; margin-bottom: 0px; }--></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p>Hello Daniel, Yuri<br>
</p>
<p><br>
</p>
<p>May be you could dump your whole squid.conf here (please remove any sensitive details).<br>
</p>
<p>I still cannot understand once Squid has the target server hostname from SNI - where is the acl/rule in squid.conf that can be used with this info present?<br>
</p>
<p><br>
</p>
<p>Best regards,<br>
</p>
<p>Rafael<br>
</p>
<p><br>
</p>
<div style="color: rgb(33, 33, 33);">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> squid-users <squid-users-bounces@lists.squid-cache.org> on behalf of Daniel Greenwald <dig@digcorp.net><br>
<b>Sent:</b> Monday, January 26, 2015 5:39 AM<br>
<b>To:</b> Yuri Voinov<br>
<b>Cc:</b> squid-users@lists.squid-cache.org<br>
<b>Subject:</b> Re: [squid-users] Why 3.5.0.4 generates mimicked certs with server IP only when bumping?</font>
<div> </div>
</div>
<div>
<div dir="ltr">
<div>
<div>Thank you Amos,<br>
</div>
Based on your explanation I was able to make bumping work for transparent with no browser errors in 3.5.1 by using the following. If I understand correctly, this is actually whats required to mimic the behavior of pre 3.5 (sslbump server-first all) :<br>
<br>
acl step1 at_step SslBump1<br>
acl step2 at_step SslBump2<br>
ssl_bump peek step1 all<br>
ssl_bump server-first step2 all<br>
<br>
</div>
Hope that helps Yuri or any one else with this issue. <br>
<br>
PS So far this is working great for eg <a href="http://gmail.com">gmail.com</a> which in previous version would throw browser errors!<br>
</div>
<br clear="all">
<div>
<div class="gmail_signature">-----------<br>
Daniel I Greenwald<br>
<br>
<br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Jan 9, 2015 at 2:51 PM, Yuri Voinov <span dir="ltr">
<<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex">
<span class=""><br>
-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
</span>How can that be?<br>
<br>
All HSTS sites cry with 3.5 bump option - they don't like host IP as CN,<br>
other sites behaviour depending they (and browsers) settings.<br>
<br>
Is it possible to keep server-first behaviour in 3.5.x ?<br>
<span class=""><br>
WBR, Yuri<br>
<br>
09.01.2015 16:57, Amos Jeffries пишет:<br>
</span><span class="">> On 9/01/2015 11:45 p.m., Yuri Voinov wrote:<br>
><br>
> > I have working production 3.4.10 with working ssl bumping.<br>
><br>
> > Config was the same as working 3.4.10. I've just want to take a<br>
> > look on new release.<br>
><br>
> > in squid.documented said, than backward compatibility server-first<br>
> > and none options for ssl_bump are kept.<br>
><br>
> > But:<br>
><br>
> > Neither works with old syntax, nor new.<br>
><br>
> > Looks like target https hosts not resolved and bump got only IP.<br>
><br>
> The config values are still accepted, but there is an extra bumping<br>
> stage now before the SNI is available.<br>
><br>
> You are wanting to peek at stage 1 (to get the client SNI details) and<br>
> server-first/splice at stage 2 (using the domain). Otherwise All Squid<br>
> works with when intercepting are the TCP IPs.<br>
><br>
> Amos<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v2<br>
<br>
</span>iQEcBAEBAgAGBQJUsDE9AAoJENNXIZxhPexGl+MH/2wEV5rEDSb6eQ5KRbHI8ZJ4<br>
WV0fdTg7yFR+bfWCUYzjVovQhrx0gaIFLNWvuwDbc62zJJnvADQuAzu7chouafkP<br>
wpGuBjjp3jYZWa1TlZN4XoDeK2THswXau/5kY9P7IKKAJu9VjhjII803ywn5C8DW<br>
48NQWU0Uhs86Tr6XAuaRzUYZK6lht0VcJFKiftmKmOE7Rl7+Yy/Kak1zXxLh8mzX<br>
a8N0DSsSlBqIm7s8yngwWQuf8rQ0tlwrKWNSpCL3xD6Wk0MFwhRqe6Vbncj4sbff<br>
p0OifMf0YD5sbytsUq4OO5HOdO7WPu+foB2AMKSiou5cDMqz5Vcnw0mD35t25Fg=<br>
=OEZu<br>
<div class="HOEnZb">
<div class="h5">-----END PGP SIGNATURE-----<br>
<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
</body>
</html>