[squid-users] sslBump adventures in enterprise production environment

Walter H. Walter.H at mathemainzel.info
Sat Nov 14 19:43:00 UTC 2015


On 13.11.2015 14:53, Yuri Voinov wrote:
> There is no solution for ICQ with Squid now.
>
> You can only bypass proxying for ICQ clients.
from where do the ICQ clients get the trusted root certificates?
maybe this is the problem, that e.g. the squid CA cert is only installed 
in FF
and nowhere else ...
> 13.11.15 14:41, Eugene M. Zheganin пишет:
>> Hi.
>>
>> Today I discovered that a bunch of old legacy ICQ clients that some
>> people till use have lost the ability to use HTTP CONNECT tunneling with
>> sslBump. No matter what I tried to allow direct splicing for them, all
>> was useless:
>>
>> - arranging them by dst ACL, and splicing that ACL
>> - arranging them by ssl::server_name ACL, and splicing it
>>
>> So I had to turn of sslBumping. Looks like it somehow interferes with
>> HTTP CONNECT even when splicing it.
>> Last version of sslBump part in the config was looking like that:
>>
>>
>> acl icqssl ssl::server_name login.icq.com
>> acl icqssl ssl::server_name go.icq.com
>> acl icqssl ssl::server_name ars.oscar.aol.com
>> acl icqssl ssl::server_name webim.qip.ru
>> acl icqssl ssl::server_name cb.icq.com
>> acl icqssl ssl::server_name wlogin.icq.com
>> acl icqssl ssl::server_name storage.qip.ru
>> acl icqssl ssl::server_name new.qip.ru
>>
>> acl icqlogin dst 178.237.20.58
>> acl icqlogin dst 178.237.19.84
>> acl icqlogin dst 94.100.186.23
>>
>> ssl_bump splice children
>> ssl_bump splice sbol
>> ssl_bump splice icqlogin
>> ssl_bump splice icqssl icqport
>> ssl_bump splice icqproxy icqport
>>
>> ssl_bump bump interceptedssl
>>
>> ssl_bump peek step1
>> ssl_bump bump unauthorized
>> ssl_bump bump entertainmentssl
>> ssl_bump splice all
>>
>> I'm not sure that ICQ clients use TLS, but in my previous experience
>> they were configured to use proxy, and to connect through proxy to the
>> login.icq.com host on port 443.
>> Sample log for unsuccessful attempts:
>>
>> 1447400500.311     21 192.168.2.117 TAG_NONE/503 0 CONNECT
>> login.icq.com:443 solodnikova_k HIER_NONE/- -
>> 1447400560.301     23 192.168.2.117 TAG_NONE/503 0 CONNECT
>> login.icq.com:443 solodnikova_k HIER_NONE/- -
>> 1447400624.832    359 192.168.2.117 TCP_TUNNEL/200 0 CONNECT
>> login.icq.com:443 solodnikova_k HIER_DIRECT/178.237.20.58 -
>> 1447400631.038    108 192.168.2.117 TCP_TUNNEL/200 0 CONNECT
>> login.icq.com:443 solodnikova_k HIER_DIRECT/178.237.20.58 -
>>
maybe give 3.4.x a try, 3.5 seems to have bugs 3.4.x don't have ...
or this is caused by the above ...

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4312 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20151114/ce3e7f05/attachment.bin>


More information about the squid-users mailing list