[squid-users] debug skype ssl_bump numeric ips to be spliced
Marko Cupać
marko.cupac at mimar.rs
Wed Oct 14 12:00:52 UTC 2015
Hi,
I read this interesting thread:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Skype-SSL-is-incompatible-with-OpenSSL-td4665803.html
And from what I read, I'd assume those entries in cache.log ...
2015/10/14 13:44:51 kid1| Error negotiating SSL on FD 144: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2015/10/14 13:45:17 kid1| Error negotiating SSL on FD 118: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2015/10/14 13:45:17 kid1| Error negotiating SSL connection on FD 114: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (1/0)
... are caused by skype clients, or other clients that use port 443 for
non-ssl traffic.
My ssl_bump setup is as follows:
acl splice_ips dst "/usr/local/etc/squid/splice_ips"
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice splice_ips
ssl_bump bump all
Is there a way to increase verbosity of cache.log in a way that I get
more information about this? I guess I am mostly interested in remote
IP addresses so I can add them to splice_ips ACL.
Thank you in advance,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.
Marko Cupać
https://www.mimar.rs/
More information about the squid-users
mailing list