[squid-users] Strange behaviour with Chrome (client OS = WinXP x64) ...

Walter H. Walter.H at mathemainzel.info
Sun Feb 1 19:26:32 UTC 2015


On 01.02.2015 19:50, Yuri Voinov wrote:
> 02.02.2015 0:46, Amos Jeffries wrote:
>> On 2/02/2015 7:16 a.m., Yuri Voinov wrote:
>>> 01.02.2015 23:48, Walter H. wrote:
>>>> Hello,
>> <snip>
>>>> acl ssl_bump_domains_bankingsites dstdomain banking.raiffeisen.at banking.ing-diba.at ebanking.easybank.at services.kepler.at www.kepler.at www.rcb.at
>>>> acl ssl_bump_domains_msftupdates dstdomain .update.microsoft.com
>>>> ssl_bump none ssl_bump_domains_bankingsites
>>>> ssl_bump none ssl_bump_domains_msftupdates
>>>> ssl_bump server-first all
>>> You do it wrong. You don't know site names BEFORE bump.
>> No. His http_port settings are those which match a proxy being
>> configured explicitly in the browser, which means CONNECT messages with
>> domain name expected to be present.
> Oh, of course. I compare it with my interception configuration. :)
> But ip-based dst acl for bankings will work in any case. Just
> pass-through banking IP without bump - and, voilà! - they work.
> Yes?
>
I have a few more lines before ssl-bump server-first all in my squid.conf

acl ssl_bump_domains_none_list dstdomain "/etc/squid/sslbumpnonedomains-list-acl.squid"
acl ssl_bump_domains_none_regex dstdom_regex -i "/etc/squid/sslbumpnonedomains-regex-acl.squid"
acl ssl_bump_domains_clntfrst_list dstdomain "/etc/squid/sslbumpclntfrstdomains-list-acl.squid"
acl ssl_bump_domains_clntfrst_regex dstdom_regex -i "/etc/squid/sslbumpclntfrstdomains-regex-acl.squid"
ssl_bump none ssl_bump_domains_none_list
ssl_bump none ssl_bump_domains_none_regex
ssl_bump client-first ssl_bump_domains_clntfrst_list
ssl_bump client-first ssl_bump_domains_clntfrst_regex

and any host in one of these files is either not bumped or bumped with 
client-first - google's domains are the FF problem, this is the workaround

>>
>> It might not be, which could be the problem. But that can only be known by
>> looking at the CONNECT request message itself.
>>
>> Amos
attached is the certificate chain that is shown in Google Chrome of this 
banking site, that makes problems ...
by the way, without squid it is the same ..., why?
what goes wrong?

the reason why not bumping banking sites is the following:
I have a VM that is used only for electronic banking, and there I didn't 
install my CAs root and the SSL-bump CA certificate;
so any SSL site that has nothing to do with banking will not work, and 
that is how it should be;

Greetings,
Walter
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: certs.txt
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150201/6c505957/attachment.txt>
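An added illustration of the rule ordering discussed in this message (not part of the original post and not Squid code): a Python model of how the quoted ssl_bump rules select an action for a CONNECT target. It assumes first-match evaluation and ignores reverse DNS for IP-only targets; the function names and the address 192.0.2.10 are constructed for the example.

```python
import ipaddress

# ACL contents and rule order copied from the configuration quoted in the thread.
ACLS = {
    "ssl_bump_domains_bankingsites": [
        "banking.raiffeisen.at", "banking.ing-diba.at", "ebanking.easybank.at",
        "services.kepler.at", "www.kepler.at", "www.rcb.at"],
    "ssl_bump_domains_msftupdates": [".update.microsoft.com"],
}
RULES = [
    ("none", "ssl_bump_domains_bankingsites"),
    ("none", "ssl_bump_domains_msftupdates"),
    ("server-first", "all"),
]

def is_ip(target):
    """True when the target is an IP literal rather than a host name."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False

def dstdomain_match(pattern, host):
    """dstdomain: a leading dot also matches subdomains, otherwise exact host."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def acl_matches(acl, target):
    if acl == "all":
        return True
    # Assumption: an intercepted connection exposes only the destination IP,
    # and reverse DNS is ignored here, so a name-based ACL cannot match it.
    if is_ip(target):
        return False
    return any(dstdomain_match(p, target) for p in ACLS[acl])

def ssl_bump_action(connect_target, rules=RULES):
    """Return the action of the first matching rule; default is no bumping."""
    host = connect_target.rsplit(":", 1)[0]
    for action, acl in rules:
        if acl_matches(acl, host):
            return action
    return "none"
```

With an explicitly configured proxy the CONNECT target is a host name, so the banking ACL matches before the catch-all rule; an IP-only target falls through to server-first unless an IP-based dst ACL is placed ahead of it.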