[squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

Amos Jeffries squid3 at treenet.co.nz
Fri Oct 2 10:43:38 UTC 2015


On 2/10/2015 10:33 p.m., Jason Haar wrote:
> On 02/10/15 21:38, Amos Jeffries wrote:
>> I'm not sure but a custom certificate validator helper can probably do
>> all this better. An example helper in Perl can be found at
>> helpers/ssl/cert_valid.pl
> That website worked for me because my external validator had an
> exception rule for valid certs containing "bank" (which makes it "ERR" -
> causing squid to splice it instead of bump it). To see this problem for
> myself I removed that check and indeed bump-ing then failed to work
> (squid-3.5.10)
> 
> I then pointed sslabs.com at that site and it got a "B" rating and
> there are no obvious signs of a cert error - so I can't figure out what is
> going wrong. I've manually downloaded the server cert using "openssl
> s_client" and the cert chain validates just fine - so what is squid
> doing to it? Weird...
> 

I'm suspecting the order of these options screws things up. Or maybe
just the use of "ALL".

 sslproxy_options NO_SSLv2:NO_SSLv3:ALL

Amos


