<HTML><BODY>Hello!<br><br>Can you help me with the correct settings for Squid to use Skype?<br><br><br>My current config.<br><br><p># squid -v<br>Squid Cache: Version 3.5.20<br>Service Name: squid<br>configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--verbose' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam,fake' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos,wrapper' '--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,LDAP_group,delayer,file_userip,SQL_session,unix_group,session,time_quota' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi' '--enable-ssl-crtd' '--enable-icmp' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' '--with-included-ltdl' '--disable-arch-native' '--enable-ecap' '--without-nettle' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 
-mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig' --enable-ltdl-convenience</p><p>#cat squid.conf<br>http_port 3128 options=NO_SSLv3:NO_SSLv2<br>http_port 192.168.10.240:3125 intercept options=NO_SSLv3:NO_SSLv2<br>https_port 192.168.10.240:3126 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off cert=/opt/squid_certs/squid.pem key=/opt/squid_certs/squid.pem dhparams=/opt/squid_certs/dhparam.pem cipher=HIGH:MEDIUM:RC4:3DES:</p><p>always_direct allow all<br>sslproxy_cert_error allow all<br>sslproxy_flags DONT_VERIFY_PEER</p><p>sslproxy_cafile /etc/pki/tls/certs/ca-bundle.crt<br>sslproxy_cipher HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS</p><p>acl DiscoverSNIHost at_step SslBump1<br>acl NoSSLIntercept ssl::server_name_regex -i "/etc/squid/lists/url.nobump"<br>ssl_bump peek DiscoverSNIHost<br>ssl_bump splice NoSSLIntercept<br>ssl_bump bump all<br><br>#cat /etc/squid/lists/url.nobump<br>microsoft\.com<br>update\.microsoft\.com<br>update\.microsoft\.com\.akadns\.net<br>mobile\.pipe\.aria\.microsoft\.com<br>prd\.col\.aria.mobile\.skypedata\.akadns\.net<br>pipe\.skype\.com<br>pipe\.prd\.skypedata\.akadns\.net<br>api\.asm\.skype\.com<br>apps\.skype\.com<br>wildcard\.skype\.com\.edgekey\.net<br>e4593\.g\.akamaiedge\.net<br>\.skype\.com<br>\.skypeassets\.com<br>etag\.prod\.registrar\.skype\.com<br>prod\.registrar\.skype\.com<br>go\.trouter\.io</p><p>With this setup I have problems with group chats, calls and attachments in messages.<br>Attachments are sent, but not delivered to the respondent.<br>I am unable to create group chats, and if one is created, the respondents do not see the chat or cannot make calls.<br>I tried adding an IP regexp to the access list, but after that all HTTPS traffic was spliced.<br>Skype works well when I change ssl_bump 
bump all to ssl_bump splice all.<br>How can I exclude Skype from SSL bumping?</p><br>Thank you.<br><br>-- <br>Evgeniy Kononov</BODY></HTML>