<html><head></head><body bgcolor="#ffffff" text="#4c4c4c" link="#8793c1" vlink="#8793c1"><div>On Sun, 2017-11-26 at 09:50 +0200, Alex K wrote:</div><blockquote type="cite"><div dir="auto">Perhaps an alternative is to peek only on step1:<div dir="auto"><br></div><div dir="auto"><font face="monospace">acl step1 at_step SslBump1</font></div><div dir="auto"><br><div dir="auto"><div style="font-family:sans-serif;font-size:13.696px" dir="auto"><font face="monospace">ssl_bump peek step1</font></div><div style="font-family:sans-serif;font-size:13.696px" dir="auto"><font face="monospace">acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"</font></div><div style="font-family:sans-serif;font-size:13.696px" dir="auto"><font face="monospace">ssl_bump splice allowed_https_sites</font></div><div style="font-family:sans-serif;font-size:13.696px" dir="auto"><font face="monospace">ssl_bump terminate all</font></div></div></div></div></blockquote><div><br></div><div>Hrmm...wouldn't that negate the ability to read the cert on step2?</div><div><br></div><div>In layman's terms I'm thinking:</div><div>"peek at step1"</div><div>"splice ACL-allowed matched SNIs"</div><div>"peek at step2"</div><div>"splice ACL-allowed matched certs"</div><div>"terminate the rest"</div><div><br></div><div>Would that work, Amos?</div><div><br></div><blockquote type="cite"><div class="gmail_extra"><div class="gmail_quote">On Nov 25, 2017 14:46, "James Lay" &lt;<a href="mailto:jlay@slave-tothe-box.net">jlay@slave-tothe-box.net</a>&gt; wrote:<br type="attribution"><blockquote type="cite"><div bgcolor="#ffffff" text="#4c4c4c" link="#8793c1" vlink="#8793c1"><div>On Sun, 2017-11-26 at 01:33 +1300, Amos Jeffries wrote:</div><blockquote type="cite"><pre>On 26/11/17 00:52, James Lay wrote:
<blockquote type="cite">
On Sat, 2017-11-25 at 23:48 +1300, Amos Jeffries wrote:
<blockquote type="cite">
On 25/11/17 08:30, James Lay wrote:
<blockquote type="cite">
Topic says it...this setup has been working well for a long time, but
now there are some sites that are failing the TLS handshake. Here's
my setup:

acl localnet src <a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a>
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
acl allowed_http_sites url_regex "/opt/etc/squid/http_url.txt"
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow SSL_ports
http_access allow allowed_http_sites
http_access deny all
ssl_bump peek all
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
ssl_bump splice allowed_https_sites
ssl_bump terminate all
</blockquote>
Because you have "peek all" being performed the transaction MUST pass
your regex patterns with both TLS SNI from the client *and* the server
certificate SubjectName values. Either one not matching will perform
that "terminate all" on the TLS handshake.
</blockquote>
Thanks Amos...do you have a suggestion for changing this to match one or
the other instead of both?
</blockquote>
Doing the splice check before the peek should do that. First one of the
server_names data sources to match will then splice and non-matches fall
through to either peek or terminate if no more peeking possible.
Amos
</pre></blockquote><div><br></div><div>Perfect...I've modded my lines with:</div><div><br></div><div><font face="monospace">acl broken_https_sites ssl::server_name_regex "/opt/etc/squid/broken_url.txt"</font></div><div><font face="monospace">ssl_bump splice broken_https_sites</font></div><div><font face="monospace">ssl_bump peek all</font></div><div><font face="monospace">acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"</font></div><div><font face="monospace">ssl_bump splice allowed_https_sites</font></div><div><font face="monospace">ssl_bump terminate all</font></div><div><br></div><div>Hopefully that fixes these up. Another site besides the one this thread is about is <a href="http://fbcdn.net" target="_blank">fbcdn.net</a>. Again, these DID work, but something within the last month has changed...guessing Facebook and Elder Scrolls Online have added additional TLS security. Thanks as always, Amos.<br></div><div><br></div><div>James</div></div><br>_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
<br></blockquote></div></div>
</blockquote></body></html>