[squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/
Dieter Bloms
squid at bloms.de
Thu Sep 17 07:18:49 UTC 2015
Hello Amos,
thank you for your hints.
On Thu, Sep 17, Amos Jeffries wrote:
> > the relevant part ist:
> >
> > --snip--
> > acl nodecryptdomains dstdomain "/etc/squid/nodecrypt.domains"
> > http_port MYIP:8080 ssl-bump cert=/etc/squid/ca.pem key=/etc/squid/ca.key generate-host-certificates=on dhparams=/etc/squid/dhparams.pem
>
>
> Replace these...
>
> > ssl_bump none nodecryptdomains
> > ssl_bump server-first all
>
> ... with:
>
> acl nodecrypt ssl::server_name "/etc/squid/nodecrypt.domains"
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump splice nodecrypt
> ssl_bump bump all
>
> Maybe also remove the nodecryptdomains ACL. Depends on whether you use
> it anywhere else.
I've changed my config, but same results.
SSLBump works so far, only the site banking.postbank.de makes trouble.
My chrome browser says "ERR_CONNECTION_CLOSED" and in the squid log
looks like:
--snip--
1442473894.771 49 10.252.16.100 TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442473894.832 49 10.252.16.100 TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442473895.074 48 10.252.16.100 TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442473895.134 47 10.252.16.100 TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442473895.193 45 10.252.16.100 TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
--snip--
here the ssl relevant part of my squid.conf
--snip--
http_port MYIP:8080 ssl-bump cert=/etc/squid/ca.pem key=/etc/squid/ca.key generate-host-certificates=on dhparams=/etc/squid/dhparams.pem
ssl_bump peek step1
ssl_bump bump all
sslproxy_capath /etc/ssl/certs
sslproxy_options NO_SSLv2:NO_SSLv3:ALL
sslproxy_cipher ALL:!SSLv2:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
--snip--
so it would be nice, if anybody with enabled sslbump on squid3.5.8 can
do a GET Request to https://banking.postbank.de/ to see if that works.
--
Regards
Dieter
--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
>From field.
More information about the squid-users
mailing list