[squid-users] ***SPAM*** Re: Random SSL bump DB corruption
Amos Jeffries
squid3 at treenet.co.nz
Fri Apr 10 02:03:51 UTC 2015
On 10/04/2015 2:14 a.m., Stakres wrote:
> Yuri,
>
> We’re trying that:
>
> - Tproxy
> - ssl_bump bump all
>
> does not work.
>
> We have followed the squid wiki regarding iptables rules, sysctl, etc…
>
> Instead of “ssl_bump bump all”, if we use “ssl_bump server-first all”, it works, the https is decrypted.
>
> So is the tproxy compatible with the new squid 3.5.x ssl_bump options?
With intercept / tproxy you may need to peek first to get the
ClientHello details. Those are needed not just for any ssl_bump
directive ACLs, but also for generating the correct ClientHello to be
delivered to the server. Without it Squid only has the raw-IP details
from TCP to work with.
Amos
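
An added squid.conf sketch of the "peek first" arrangement described in the reply above; it is not part of the original message or taken from the poster's configuration. The port number and certificate path are placeholder assumptions; `at_step`, `SslBump1`, `peek` and `bump` are the Squid 3.5 ssl_bump keywords.

```conf
# Constructed example. Port and certificate path are placeholders.
# TPROXY listener for intercepted HTTPS traffic with SSL-Bump enabled.
https_port 3129 tproxy ssl-bump generate-host-certificates=on cert=/etc/squid/bump-ca.pem

# Configuration from the question: the bump decision is made at step 1,
# before the TLS ClientHello has been read, so Squid has only the
# destination IP from TCP to work with.
#ssl_bump bump all

# Peek at step 1 so Squid reads the ClientHello (including any SNI),
# then bump at the following step. ACLs in later ssl_bump rules and the
# ClientHello Squid sends to the server can then use those details.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
```

`squid -k parse` checks the syntax of the resulting file before the proxy is reloaded.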