[squid-users] Safari 9 vs. SSL Bump

Jason Haar Jason_Haar at trimble.com
Fri Oct 16 00:26:30 UTC 2015


On 16/10/15 13:08, Dan Charlesworth wrote:
> ORLY
>
> I seem to recall this happening on 10.10 as well, but it could be an El Capitan thing. Do you mind reminding me of your squid config Jason?

With my config I'm trying to "aggressively" figure out if the transaction
is safely going to be bump-able. I'm more willing to throw away (i.e.
splice) things I'm unsure about than risk a client seeing an error. But
for the websites you see problems with, I see nice clean bump-ing.


http_port 3128 ssl-bump cert=/etc/squid/squidCA.cert generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL
acl DiscoverSNIHost at_step SslBump1
ssl_bump peek DiscoverSNIHost
#do we have a SNI? If not, it's not TLS
acl SNIpresent ssl::server_name_regex .*

#this file contains https sites that we do not intercept - such as banks (because we want the data transfers to remain private)
#and accounts.google.com (because Chrome uses cert pinning for that domain)
# in general you will need to add all sites that involve cert pinning
acl NoSSLIntercept ssl::server_name_regex -i "/etc/squid/acl-NoSSLIntercept.txt"

#this external_acl process will sanity-check HTTPS transactions that haven't been spliced yet
#to ensure only the correct ones end up being bumped
external_acl_type checkIfHTTPS children-max=20 concurrency=20 negative_ttl=3600 ttl=3600 grace=90 %SRC %DST %PORT %ssl::>sni /usr/local/bin/confirm_https.pl
acl is_ssl external checkIfHTTPS

ssl_bump splice !SNIpresent
ssl_bump splice NoSSLIntercept
ssl_bump bump is_ssl

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
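The confirm_https.pl helper referenced by the `checkIfHTTPS` external ACL is not shown in the post. As an added illustration (not Jason's helper, nor anything shipped with Squid), here is a hypothetical stand-in that speaks Squid's concurrent external ACL protocol for that exact `%SRC %DST %PORT %ssl::>sni` format: the policy it applies (well-formed hostname SNI, port 443, and a server certificate that validates against the system trust store, otherwise answer ERR so the transaction gets spliced) is an assumption of this example.

```python
"""Hypothetical Squid concurrent external ACL helper (stand-in for confirm_https.pl).
Input per line (concurrency>0): "<channel-id> %SRC %DST %PORT %ssl::>sni"
Output per line:                "<channel-id> OK" or "<channel-id> ERR"
Squid substitutes "-" for an empty SNI, which this helper treats as ERR."""
import re
import socket
import ssl
import sys

# DNS hostname with at least one dot; rejects IP literals, "-" and garbage.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def tls_validates(dst, port, sni, timeout=5.0):
    """True if a TLS handshake to dst:port with SNI=sni succeeds and the server
    chain validates against the system CA store.  If the real site would fail
    validation, bumping would hide that error from the client, so splice."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((dst, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni):
                return True
    except (OSError, ssl.SSLError):
        return False


def decide(dst, port, sni, probe=tls_validates):
    """Assumed policy: bump only a hostname SNI on port 443 whose cert validates."""
    if not HOSTNAME_RE.match(sni):
        return "ERR"
    if port != "443":
        return "ERR"
    return "OK" if probe(dst, int(port), sni) else "ERR"


def handle_line(line, probe=tls_validates):
    """Parse one request line; the reply must echo the channel id back."""
    fields = line.rstrip("\n").split(" ")
    if len(fields) < 5:                       # malformed request: fail closed
        return f"{fields[0]} ERR" if fields and fields[0] else "ERR"
    chan, _src, dst, port, sni = fields[:5]
    return f"{chan} {decide(dst, port, sni, probe)}"


def main():
    # Squid talks over stdin/stdout; replies must be flushed immediately.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

The `probe` parameter exists so the policy can be exercised without network access; in production the default `tls_validates` does the real handshake, and Squid caches the answer per the `ttl`/`negative_ttl` settings in the config above.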