[squid-users] SSL Bump - Splice - Chrome error

Yuri Voinov yvoinov at gmail.com
Sun Jan 3 09:22:20 UTC 2016


Sure,

my config is quite different.

Also, did you put the cache CA cert into the clients? And did you block QUIC
in your infrastructure, as described here?

http://wiki.squid-cache.org/KnowledgeBase/Block%20QUIC%20protocol

03.01.16 8:28, Alejandro Martinez wrote:
>
> Yuri
>
> Do you have something different in your config?
>
> Thanks
>
> On 02/01/2016 17:18, "Yuri Voinov" <yvoinov at gmail.com> wrote:
>
>
>
>     Don't think so.
>
>     Google's HTTPS works for me without any alerts in Chrome :) With
>     bump! ;)
>
>     03.01.16 2:12, Nir Krakowski wrote:
>     > It's called certificate pinning:
>     > https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
>     >
>     > Nir.
>     >
>     > On Sat, Jan 2, 2016 at 9:11 PM, Alejandro Martinez
>     > <ajm.martinez at gmail.com> wrote:
>     >
>     >> Hi all,
>     >>
>     >> I'm using squid 3.5.12.
>     >>
>     >> This is my relevant config:
>     >>
>     >> http_port 881
>     >> http_port 880 intercept
>     >> https_port 843 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/cert.pem key=/usr/local/squid/etc/cert.pem options=NO_SSLv3:NO_SSLv2 cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH
>     >> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/etc/ssl/certs -M 4MB
>     >> sslcrtd_children 8 startup=1 idle=1
>     >>
>     >> #### Denied Users
>     >> acl equipos_denegados src "/usr/local/squid/etc/equipos_denegados"
>     >> http_access deny equipos_denegados
>     >> deny_info DENY equipos_denegados
>     >>
>     >> #### Allowed users
>     >> acl equipos_permitidos src "/usr/local/squid/etc/equipos_permitidos"
>     >> http_access allow equipos_permitidos
>     >> ####
>     >>
>     >> #### Denied Sites
>     >> acl sitios_denegados dstdomain "/usr/local/squid/etc/sitiosdenegados"
>     >> http_access deny sitios_denegados
>     >> ####
>     >>
>     >> #### Block HTTPS
>     >> acl blockhttps ssl::server_name "/usr/local/squid/etc/sitiosdenegados"
>     >> ssl_bump terminate blockhttps
>     >> ssl_bump splice equipos_permitidos
>     >> ssl_bump peek all
>     >> ssl_bump splice all
>     >> ####
>     >>
>     >> sslproxy_cert_error allow all
>     >> sslproxy_flags DONT_VERIFY_PEER
>     >> sslproxy_options NO_SSLv3:NO_SSLv2
>     >>
>     >>
>     >> Basically I'm using squid to allow everything and deny some users (hosts)
>     >> and some sites (http and https).
>     >>
>     >> If I use IE or Firefox (Win/Lin), everything works great: if I access a
>     >> site via HTTP the user sees a message, and if he accesses via HTTPS the
>     >> connection is terminated and there is an error on the browser.
>     >>
>     >> But, if I access any google site using chrome (windows / linux) the sites
>     >> are getting bumped (google.com, google.com.X, youtube.com, etc).
>     >>
>     >> The browser complains with a "Your connection is not private" and the
>     >> certificate is my own certificate.
>     >>
>     >> Am I missing something? I only want to splice everything.
>     >>
>     >> Thanks
>
>     _______________________________________________
>     squid-users mailing list
>     squid-users at lists.squid-cache.org
>     <mailto:squid-users at lists.squid-cache.org>
>     http://lists.squid-cache.org/listinfo/squid-users
>
