[squid-users] SSL Bump - Splice - Chrome error

Alejandro Martinez ajm.martinez at gmail.com
Sun Jan 3 02:28:17 UTC 2016


Yuri

Do you have something different in your config?

Thanks
On 02/01/2016 17:18, "Yuri Voinov" <yvoinov at gmail.com> wrote:

>
> Don't think so.
>
> Google's HTTPS works for me without any alerts in Chrome :) With bump! ;)
>
> 03.01.16 2:12, Nir Krakowski wrote:
> > It's called certificate pinning:
> > https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
> >
> > Nir.
> >
> > On Sat, Jan 2, 2016 at 9:11 PM, Alejandro Martinez <ajm.martinez at gmail.com>
> > wrote:
> >
> >> Hi all,
> >>
> >> I'm using squid 3.5.12.
> >>
> >> This is my relevant config:
> >>
> >> http_port 881
> >> http_port 880 intercept
> >> https_port 843 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/cert.pem key=/usr/local/squid/etc/cert.pem options=NO_SSLv3:NO_SSLv2 cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH
> >> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/etc/ssl/certs -M 4MB
> >> sslcrtd_children 8 startup=1 idle=1
> >>
> >> #### Denied Users
> >> acl equipos_denegados src "/usr/local/squid/etc/equipos_denegados"
> >> http_access deny equipos_denegados
> >> deny_info DENY equipos_denegados
> >>
> >> #### Allowed users
> >> acl equipos_permitidos src "/usr/local/squid/etc/equipos_permitidos"
> >> http_access allow equipos_permitidos
> >> ####
> >>
> >> #### Denied Sites
> >> acl sitios_denegados dstdomain "/usr/local/squid/etc/sitiosdenegados"
> >> http_access deny sitios_denegados
> >> ####
> >>
> >> #### Block HTTPS
> >> acl blockhttps ssl::server_name "/usr/local/squid/etc/sitiosdenegados"
> >> ssl_bump terminate blockhttps
> >> ssl_bump splice equipos_permitidos
> >> ssl_bump peek all
> >> ssl_bump splice all
> >> ####
> >>
> >> sslproxy_cert_error allow all
> >> sslproxy_flags DONT_VERIFY_PEER
> >> sslproxy_options NO_SSLv3:NO_SSLv2
> >>
> >>
> >> Basically I'm using squid to allow everything and deny some users (hosts)
> >> and some sites (http and https).
> >>
> >> If I use IE or Firefox (Win/Lin), everything works great: if I access a
> >> site via HTTP the user sees a message, and if he accesses it via HTTPS the
> >> connection is terminated and there is an error in the browser.
> >>
> >> But if I access any Google site using Chrome (Windows / Linux), the sites
> >> are getting bumped (google.com, google.com.X, youtube.com, etc.)
> >>
> >> The browser complains with a "Your connection is not private" and the
> >> certificate is my own certificate.
> >>
> >> Am I missing something?
> >>
> >> I only want to splice everything.
> >>
> >> Thanks
> >>
> >>
> >> _______________________________________________
> >> squid-users mailing list
> >> squid-users at lists.squid-cache.org
> >> http://lists.squid-cache.org/listinfo/squid-users
> >>
> >>
> >
> >
> >
>
>
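
Added example, not part of the original thread and not Squid project code: a small Python check that reads the TLS-related directives of the configuration quoted above and reports the settings that weaken TLS on connections that do end up bumped, which is what the poster sees with Chrome. The function names and finding codes are made up for this example, and SAMPLE_CONF is constructed from the quoted lines with the mail wrapping undone.

```python
import re

# Constructed sample: TLS-related lines of the quoted squid.conf, mail wrapping undone.
SAMPLE_CONF = """\
https_port 843 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/cert.pem key=/usr/local/squid/etc/cert.pem options=NO_SSLv3:NO_SSLv2 cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH
#### Block HTTPS
ssl_bump terminate blockhttps
ssl_bump splice equipos_permitidos
ssl_bump peek all
ssl_bump splice all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslproxy_options NO_SSLv3:NO_SSLv2
"""


def directives(conf):
    """Yield (line_number, name, args) for every non-comment, non-blank line."""
    for number, line in enumerate(conf.splitlines(), 1):
        words = line.split()
        if words and not words[0].startswith("#"):
            yield number, words[0], words[1:]


def enabled_rc4(cipher_list):
    """Return the RC4 suites an OpenSSL cipher string enables ('!RC4' removes them all)."""
    tokens = [t for t in re.split(r"[:, ]+", cipher_list) if t]
    if "!RC4" in tokens:
        return []
    return [t for t in tokens if "RC4" in t and t[0] not in "!-+"]


def audit(conf):
    """Return (line_number, code, detail) findings in file order."""
    findings = []
    for number, name, args in directives(conf):
        if name in ("http_port", "https_port"):
            for arg in args:
                rc4 = enabled_rc4(arg[len("cipher="):]) if arg.startswith("cipher=") else []
                if rc4:
                    findings.append((number, "RC4_CIPHER", rc4))
        elif name == "sslproxy_cert_error" and args == ["allow", "all"]:
            findings.append((number, "CERT_ERRORS_IGNORED", "origin certificate errors are accepted"))
        elif name == "sslproxy_flags" and "DONT_VERIFY_PEER" in ",".join(args).split(","):
            findings.append((number, "NO_PEER_VERIFY", "origin certificate is not verified"))
    return findings


if __name__ == "__main__":
    for number, code, detail in audit(SAMPLE_CONF):
        print(f"line {number}: {code}: {detail}")
```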