[squid-users] sslBump adventures in enterprise production environment
Walter H.
Walter.H at mathemainzel.info
Sat Nov 14 19:43:00 UTC 2015
On 13.11.2015 14:53, Yuri Voinov wrote:
> There is no solution for ICQ with Squid now.
>
> You can only bypass proxying for ICQ clients.
From where do the ICQ clients get the trusted root certificates?
Maybe this is the problem: that e.g. the Squid CA cert is only installed
in FF and nowhere else ...
> 13.11.15 14:41, Eugene M. Zheganin writes:
>> Hi.
>>
>> Today I discovered that a bunch of old legacy ICQ clients that some
>> people still use have lost the ability to use HTTP CONNECT tunneling with
>> sslBump. No matter what I tried to allow direct splicing for them, all
>> was useless:
>>
>> - arranging them by dst ACL, and splicing that ACL
>> - arranging them by ssl::server_name ACL, and splicing it
>>
>> So I had to turn off sslBumping. Looks like it somehow interferes with
>> HTTP CONNECT even when splicing it.
>> Last version of sslBump part in the config was looking like that:
>>
>>
>> acl icqssl ssl::server_name login.icq.com
>> acl icqssl ssl::server_name go.icq.com
>> acl icqssl ssl::server_name ars.oscar.aol.com
>> acl icqssl ssl::server_name webim.qip.ru
>> acl icqssl ssl::server_name cb.icq.com
>> acl icqssl ssl::server_name wlogin.icq.com
>> acl icqssl ssl::server_name storage.qip.ru
>> acl icqssl ssl::server_name new.qip.ru
>>
>> acl icqlogin dst 178.237.20.58
>> acl icqlogin dst 178.237.19.84
>> acl icqlogin dst 94.100.186.23
>>
>> ssl_bump splice children
>> ssl_bump splice sbol
>> ssl_bump splice icqlogin
>> ssl_bump splice icqssl icqport
>> ssl_bump splice icqproxy icqport
>>
>> ssl_bump bump interceptedssl
>>
>> ssl_bump peek step1
>> ssl_bump bump unauthorized
>> ssl_bump bump entertainmentssl
>> ssl_bump splice all
>>
>> I'm not sure that ICQ clients use TLS, but in my previous experience
>> they were configured to use proxy, and to connect through proxy to the
>> login.icq.com host on port 443.
>> Sample log for unsuccessful attempts:
>>
>> 1447400500.311 21 192.168.2.117 TAG_NONE/503 0 CONNECT login.icq.com:443 solodnikova_k HIER_NONE/- -
>> 1447400560.301 23 192.168.2.117 TAG_NONE/503 0 CONNECT login.icq.com:443 solodnikova_k HIER_NONE/- -
>> 1447400624.832 359 192.168.2.117 TCP_TUNNEL/200 0 CONNECT login.icq.com:443 solodnikova_k HIER_DIRECT/178.237.20.58 -
>> 1447400631.038 108 192.168.2.117 TCP_TUNNEL/200 0 CONNECT login.icq.com:443 solodnikova_k HIER_DIRECT/178.237.20.58 -
>>
Maybe give 3.4.x a try; 3.5 seems to have bugs 3.4.x doesn't have ...
or this is caused by the above ...
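An added example, not part of the thread: a small parser over Squid native-format access.log lines (the four sample lines quoted above, joined where the mail wrapped them) that separates CONNECT tunnels Squid refused itself (TAG_NONE/503 with HIER_NONE) from tunnels that reached the origin (TCP_TUNNEL/200 with HIER_DIRECT), which is a quick way to spot clients hit by this kind of ssl_bump interference.

```python
# Added example: classify CONNECT outcomes in Squid native access.log lines,
# separating tunnels Squid refused itself (TAG_NONE/503, HIER_NONE) from
# tunnels that reached the origin (TCP_TUNNEL/200, HIER_DIRECT/<ip>).
from collections import defaultdict, namedtuple

# Sample lines copied from the thread above (they were line-wrapped there).
SAMPLE_LOG = """\
1447400500.311 21 192.168.2.117 TAG_NONE/503 0 CONNECT login.icq.com:443 solodnikova_k HIER_NONE/- -
1447400560.301 23 192.168.2.117 TAG_NONE/503 0 CONNECT login.icq.com:443 solodnikova_k HIER_NONE/- -
1447400624.832 359 192.168.2.117 TCP_TUNNEL/200 0 CONNECT login.icq.com:443 solodnikova_k HIER_DIRECT/178.237.20.58 -
1447400631.038 108 192.168.2.117 TCP_TUNNEL/200 0 CONNECT login.icq.com:443 solodnikova_k HIER_DIRECT/178.237.20.58 -
"""

# Native format: time elapsed client tag/status bytes method url user hier/peer type
Entry = namedtuple("Entry", "ts client tag status method dest user hier peer")

def parse_line(line):
    """Parse one native-format line into an Entry; raises on malformed input."""
    f = line.split()
    if len(f) < 10:
        raise ValueError("unexpected field count: %r" % line)
    tag, status = f[3].split("/", 1)
    hier, peer = f[8].split("/", 1)
    return Entry(float(f[0]), f[2], tag, int(status), f[5], f[6], f[7], hier, peer)

def is_failed_tunnel(e):
    """CONNECT answered by Squid itself (5xx) without ever selecting a peer."""
    return e.method == "CONNECT" and e.status >= 500 and e.hier == "HIER_NONE"

def summarise_connects(log_text):
    """Return {(client, dest): {"failed": n, "tunnelled": m}} over CONNECT requests."""
    stats = defaultdict(lambda: {"failed": 0, "tunnelled": 0})
    for line in filter(str.strip, log_text.splitlines()):
        e = parse_line(line)
        if e.method != "CONNECT":
            continue
        if is_failed_tunnel(e):
            stats[(e.client, e.dest)]["failed"] += 1
        elif e.tag == "TCP_TUNNEL" and e.status == 200:
            stats[(e.client, e.dest)]["tunnelled"] += 1
    return dict(stats)

if __name__ == "__main__":
    for (client, dest), c in summarise_connects(SAMPLE_LOG).items():
        print(client, "->", dest, c)
```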