<html><head></head><body bgcolor="#ffffff" text="#4c4c4c" link="#8793c1" vlink="#8793c1"><div>On Sun, 2017-11-26 at 01:33 +1300, Amos Jeffries wrote:</div><blockquote type="cite"><pre>On 26/11/17 00:52, James Lay wrote:
<blockquote type="cite">
On Sat, 2017-11-25 at 23:48 +1300, Amos Jeffries wrote:
<blockquote type="cite">
On 25/11/17 08:30, James Lay wrote:
<blockquote type="cite">
Topic says it...this setup has been working well for a long time, but
now there are some sites that are failing the TLS handshake. Here's
my setup: acl localnet src 192.168.1.0/24 acl SSL_ports port 443 acl
Safe_ports port 80 acl Safe_ports port 443 acl CONNECT method CONNECT
acl allowed_http_sites url_regex "/opt/etc/squid/http_url.txt"
http_access deny !Safe_ports http_access deny CONNECT !SSL_Ports
http_access allow SSL_ports http_access allow allowed_http_sites
http_access deny all ssl_bump peek all acl allowed_https_sites
ssl::server_name_regex "/opt/etc/squid/http_url.txt" ssl_bump splice
allowed_https_sites ssl_bump terminate all
</blockquote>
Because you have "peek all" being performed the transaction MUST pass
your regex patterns with both TLS SNI from the client *and* the server
certificate SubjectName values. Either one not matching will perform
that "terminate all" on the TLS handshake.
</blockquote>
Thanks Amos...do you have a suggestion for changing this to match one or
the other instead of both?
</blockquote>
Doing the splice check before the peek should do that. First one of the
server_names data sources to match will then splice and non-matches fall
through to either peek or terminate if no more peeking possible.
Amos
</pre></blockquote><div><br></div><div>Perfect..I've modded my lines with:</div><div><br></div><div><font face="monospace">acl broken_https_sites ssl::server_name_regex "/opt/etc/squid/broken_url.txt"</font></div><div><font face="monospace">ssl_bump splice broken_https_sites</font></div><div><font face="monospace">ssl_bump peek all</font></div><div><font face="monospace">acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"</font></div><div><font face="monospace">ssl_bump splice allowed_https_sites</font></div><div><font face="monospace">ssl_bump terminate all</font></div><div><font face="monospace"><br></font></div><div><font face="monospace"></font>Hopefully that fixes these up. Another site besides the the one this thread is fbcdn.net. Again, these DID work, but something within the last month has changed...guessing Facebook and Elder Scrolls Online have added additional TLS security. Thanks as always Amos.<font face="monospace"><br></font></div><div><br></div><div>James</div></body></html>