[squid-users] sslBump adventures in enterprise production environment

Yuri Voinov yvoinov at gmail.com
Fri Nov 13 13:53:21 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
 
There is no solution for ICQ with Squid now.

You can only bypass proxying for ICQ clients.

13.11.15 14:41, Eugene M. Zheganin wrote:
> Hi.
>
> Today I discovered that a bunch of old legacy ICQ clients that some
> people still use have lost the ability to use HTTP CONNECT tunneling with
> sslBump. No matter what I tried to allow direct splicing for them, all
> was useless:
>
> - arranging them by dst ACL, and splicing that ACL
> - arranging them by ssl::server_name ACL, and splicing it
>
> So I had to turn off sslBumping. Looks like it somehow interferes with
> HTTP CONNECT even when splicing it.
> Last version of sslBump part in the config was looking like that:
>
>
> acl icqssl ssl::server_name login.icq.com
> acl icqssl ssl::server_name go.icq.com
> acl icqssl ssl::server_name ars.oscar.aol.com
> acl icqssl ssl::server_name webim.qip.ru
> acl icqssl ssl::server_name cb.icq.com
> acl icqssl ssl::server_name wlogin.icq.com
> acl icqssl ssl::server_name storage.qip.ru
> acl icqssl ssl::server_name new.qip.ru
>
> acl icqlogin dst 178.237.20.58
> acl icqlogin dst 178.237.19.84
> acl icqlogin dst 94.100.186.23
>
> ssl_bump splice children
> ssl_bump splice sbol
> ssl_bump splice icqlogin
> ssl_bump splice icqssl icqport
> ssl_bump splice icqproxy icqport
>
> ssl_bump bump interceptedssl
>
> ssl_bump peek step1
> ssl_bump bump unauthorized
> ssl_bump bump entertainmentssl
> ssl_bump splice all
>
> I'm not sure that ICQ clients use TLS, but in my previous experience
> they were configured to use proxy, and to connect through proxy to the
> login.icq.com host on port 443.
> Sample log for unsuccessful attempts:
>
> 1447400500.311     21 192.168.2.117 TAG_NONE/503 0 CONNECT
> login.icq.com:443 solodnikova_k HIER_NONE/- -
> 1447400560.301     23 192.168.2.117 TAG_NONE/503 0 CONNECT
> login.icq.com:443 solodnikova_k HIER_NONE/- -
> 1447400624.832    359 192.168.2.117 TCP_TUNNEL/200 0 CONNECT
> login.icq.com:443 solodnikova_k HIER_DIRECT/178.237.20.58 -
> 1447400631.038    108 192.168.2.117 TCP_TUNNEL/200 0 CONNECT
> login.icq.com:443 solodnikova_k HIER_DIRECT/178.237.20.58 -
>
> Thanks.
> Eugene.
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
 
iQEcBAEBCAAGBQJWRetRAAoJENNXIZxhPexGbikH/0EqoRzosGamhDwM9h0tVMOJ
4rpARbMvHK3wejCgFkh+yp/X2kZi1+nRU9+baJ9vWAmKz6nqf7loFA3S+2s6HzNC
3WyAc+ICO5O2TtC+hSwPVOn4YCjbdROKSGTc/T6MoAnlfnEVIP9IV+Qb29F53bIE
vcMovH4iH2zE7XfPwtZY7eBqEiBsiSG51dg744LHfTzJEYZWmGwTjd7LAQtIwO5e
p+4FwG4oDxFksPXWEs4L2mpk8meKZvqP6CGTzTULYZdcokXcozTNw0YTz468MIzx
4zyDBZNdZXEZTLA5kL89OCVjfuXSm8WqggVvxq9SHqUYs2aJBVUHZRWNnvLhFMU=
=v1X4
-----END PGP SIGNATURE-----
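The bypass Yuri recommends is normally pushed to clients as a PAC file, so the proxy never sees the ICQ CONNECTs at all. The following PAC script is an added example written for this page, not code from the thread or from the Squid project. The host names and addresses are the ones in Eugene's icqssl and icqlogin ACLs; the proxy address proxy.example.internal:3128 is an assumption to replace with the real one. It is written in ES5 so that old PAC interpreters can run it, and it deliberately matches exact hosts only and never falls back to DIRECT for other traffic, so the bypass cannot be widened by a look-alike name or by an unreachable proxy.

```javascript
// Added example PAC file (not from the original thread). Sends the ICQ
// endpoints straight out and everything else through Squid.
// The proxy address is an assumption; replace it with the real one.
var SQUID = "PROXY proxy.example.internal:3128";

// Exact host names, taken from the icqssl ssl::server_name ACL in the thread.
var BYPASS_HOSTS = [
  "login.icq.com", "go.icq.com", "ars.oscar.aol.com", "webim.qip.ru",
  "cb.icq.com", "wlogin.icq.com", "storage.qip.ru", "new.qip.ru"
];

// Literal addresses from the icqlogin dst ACL, for clients that CONNECT by IP.
var BYPASS_IPS = ["178.237.20.58", "178.237.19.84", "94.100.186.23"];

// PAC engines pass a bare host, but be defensive: lower-case, drop a trailing
// dot and a ":port" suffix (bracketed IPv6 literals are left untouched).
function normalizeHost(host) {
  var h = String(host || "").toLowerCase();
  var colon = h.indexOf(":");
  if (colon !== -1 && h.indexOf("[") === -1) h = h.substring(0, colon);
  if (h.length > 0 && h.charAt(h.length - 1) === ".") h = h.substring(0, h.length - 1);
  return h;
}

// Exact-match only. A wildcard such as *.icq.com would also pull unrelated
// web traffic out of the inspected path, and a suffix match would let
// "login.icq.com.attacker.test" ride the bypass.
function isBypassed(host) {
  var h = normalizeHost(host);
  var i;
  for (i = 0; i < BYPASS_HOSTS.length; i++) {
    if (BYPASS_HOSTS[i] === h) return true;
  }
  for (i = 0; i < BYPASS_IPS.length; i++) {
    if (BYPASS_IPS[i] === h) return true;
  }
  return false;
}

// Entry point every PAC engine calls. No "; DIRECT" fallback after the proxy:
// if Squid is down, inspected traffic should fail rather than go out uninspected.
function FindProxyForURL(url, host) {
  if (isBypassed(host)) return "DIRECT";
  return SQUID;
}
```

Serve the file with MIME type application/x-ns-proxy-autoconfig and point clients at it; the ICQ clients that only accept a fixed proxy host still need that setting removed, since Squid cannot serve them while sslBump is enabled.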
