[squid-users] ssl_crtd breaks after short time

Klavs Klavsen kl at vsen.dk
Tue Jun 9 19:39:04 UTC 2015


Amos Jeffries wrote on 2015-06-09 17:10:
[CUT]
> You have to first configure ssl_bump in a way that lets Squid receive
> the clientHello message (step1 -> peek) AND the serverHello message
> (step2 -> peek). Then you can use those cert details to bump (step3 ->
> bump).
> The config is quite simple:
>   ssl_bump peek all
>   ssl_bump bump all
> 
I have this:
ssl_bump peek step1 broken
ssl_bump peek step2 broken
ssl_bump splice broken
ssl_bump peek step1 all
ssl_bump peek step2 all
ssl_bump bump all

> 
> But there are cases like the client is resuming a previous TLS session
> where there is no certificates involved. Squid cannot do anything, so it
> automatically splices (3.5.4+ at least do). Or if you have configured
> your Squid in a way that there are no mutually supported ciphers.
> 

My client is curl.. I don't think that it's caching any TLS sessions.

> 
> It may just be your ssl_bump rules. But given that this is a google
> domain there is a strong chance that you are encountering one of those
> special cases.
>
I'd like squid to disallow queries where it cannot see what domain name
/ url is going to be accessed.

I'd like all GET/POST etc. requests to go through squid - so they are
controlled by the normal http_access rules as http (intercepted) is
currently.

This worked with 3.4.12 :( (but only for 30 minutes or less)

You saw my full config.. how is it supposed to look with 3.5.5, for this
to work as it did with 3.4.12 ?

Sorry, I'm a bit frustrated.. I can't seem to grasp what changed from
3.4.12 to 3.5.5, which means I suddenly can't filter https traffic
anymore :(

-- 
Regards,
Klavs Klavsen, GSEC - kl at vsen.dk - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
  --Henry Spencer
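
One way to express the goal stated in this message (peek at both hellos, bump only connections whose server name is visible, and drop the rest so nothing reaches the origin outside http_access) with Squid 3.5 ssl_bump actions. This is an added example, not Klavs's or Amos's configuration; the ACL names and the .example.com domain are assumptions.

```squid
# Added example squid.conf fragment (Squid 3.5 syntax); ACL names and
# the domain below are assumptions, not taken from the thread.

# One ACL per SslBump step, so each rule can be limited to its step.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Server names the proxy is willing to decrypt. At step1 this is matched
# against the TLS SNI from the clientHello; by step3 it is also matched
# against the server certificate Squid saw while peeking at step2.
acl known_server ssl::server_name .example.com

# Step 1: look at the clientHello (SNI) without altering it.
ssl_bump peek step1
# Step 2: look at the serverHello and server certificate, still unaltered.
ssl_bump peek step2
# Step 3: decrypt only when the server name is known, so the resulting
# GET/POST requests are subject to the normal http_access rules.
ssl_bump bump step3 known_server
# Anything whose destination could not be identified is closed outright
# instead of being spliced through uninspected.
ssl_bump terminate step3

# Ordinary http_access policy then applies to the bumped requests,
# exactly as it does for intercepted plain-http traffic.
acl allowed_dst dstdomain .example.com
http_access allow allowed_dst
http_access deny all
```

Caveat from the thread: a client resuming an earlier TLS session presents no certificate, and Squid 3.5.4+ splices such connections on its own, so they never reach the bump/terminate rules or http_access; check access.log for those entries rather than assuming every CONNECT was filtered.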
