[squid-users] SSL Bump - Splice - Chrome error

Alejandro Martinez ajm.martinez at gmail.com
Mon Jan 4 00:16:10 UTC 2016


Thanks again Yuri.

I have tried blocking udp protocol on port 80 and 443 but without luck.

Is it possible to make google sites work in transparent mode without
bumping ? only splicing ?

Thanks


2016-01-03 10:11 GMT-03:00 Alejandro Martinez <ajm.martinez at gmail.com>:

> Sorry my corrector.
> I want to say that i am going to check blocking quic proto.
>
> Sorry
> El 03/01/2016 10:10, "Alejandro Martinez" <ajm.martinez at gmail.com>
> escribió:
>
>> Yuri
>>
>> Thanks.
>>
>> I amor.gringaus to checkpoint blocking quic.
>>
>> I cant put ca cert into clients besarse I dont have access but I do not
>> want to bump,  Just allow almost everything and deny only a few sites.
>>
>> I Will tell you my result.
>> El 03/01/2016 06:22, "Yuri Voinov" <yvoinov at gmail.com> escribió:
>>
>>> Sure,
>>>
>>> my config is quite different.
>>>
>>> Also - did you put cache CA cert into clients? And - did you block QUIC
>>> in your infrastructure? As described here:
>>>
>>> http://wiki.squid-cache.org/KnowledgeBase/Block%20QUIC%20protocol
>>> ?
>>>
>>> 03.01.16 8:28, Alejandro Martinez пишет:
>>>
>>> Yuri
>>>
>>> Do you haber something diferent  in your config?
>>>
>>> Thanks
>>> El 02/01/2016 17:18, "Yuri Voinov" < <yvoinov at gmail.com>
>>> yvoinov at gmail.com> escribió:
>>>
>>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA256
>>>>
>>>> Don't think so.
>>>>
>>>> Google's HTTPS's works for me without any alerts in Chrome :) With
>>>> bump! ;)
>>>>
>>>> 03.01.16 2:12, Nir Krakowski пишет:
>>>> > Its called certificate pinning: >
>>>> https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning > > Nir. > > On
>>>> Sat, Jan 2, 2016 at 9:11 PM, Alejandro Martinez
>>>> <ajm.martinez at gmail.com> <ajm.martinez at gmail.com> > wrote: > >> Hi
>>>> all, >> >> I'm using squid 3.5.12. >> >> This is my relevant config: >> >>
>>>> *http_port 881* >> *http_port 880 intercept* >> *https_port 843 intercept
>>>> ssl-bump generate-host-certificates=on >> dynamic_cert_mem_cache_size=4MB
>>>> cert=/usr/local/squid/etc/cert.pem key=* >>
>>>> */usr/local/squid/etc**/cert.pem options=NO_SSLv3:NO_SSLv2 >>
>>>> cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH*
>>>> >> *sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s * >>
>>>> */usr/local/squid/etc/**ssl/certs -M 4MB sslcrtd_children 8 startup=1 >>
>>>> idle=1* >> >> *#### Denied Users* >> *acl equipos_denegados src
>>>> "**/usr/local/squid/etc**/equipos_denegados"* >> *http_access deny
>>>> equipos_denegados* >> *deny_info DENY equipos_denegados* >> >> *####
>>>> Allowed users* >> *acl equipos_permitidos src
>>>> "/**usr/local/squid/etc**/equipos_permitidos"* >> *http_access allow
>>>> equipos_permitidos* >> *####* >> >> *#### Denied Sites* >> *acl
>>>> sitios_denegados dstdomain "**/usr/local/squid/etc* >> */sitiosdenegados"*
>>>> >> *http_access deny sitios_denegados* >> *####* >> >> *#### Block HTTPS*
>>>> >> *acl blockhttps ssl::server_name  "/**usr/local/squid/etc* >>
>>>> */sitiosdenegados"* >> *ssl_bump terminate blockhttps* >> *ssl_bump splice
>>>> equipos_permitidos* >> *ssl_bump peek all* >> *ssl_bump splice all* >>
>>>> *####* >> >> *sslproxy_cert_error allow all* >> *sslproxy_flags
>>>> DONT_VERIFY_PEER* >> *sslproxy_options NO_SSLv3:NO_SSLv2* >> >> >>
>>>> Basically I'm using squid to allow everything and deniy some users (hosts)
>>>> >> and some sites (http and https). >> >> If I use IE or Firefox (Win/Lin),
>>>> everything works great, if I access a >> site via HTTP the user see a
>>>> message and if he access via HTTPS the >> conecction is terminated and
>>>> there is an error on the browser. >> >> But, If I access any google site
>>>> using chrome (windows / linux) the sites >> are getting bumped (
>>>> google.com, google.com.X youtube.com, etc) >> >> The browser complains
>>>> with a "Your conecction is not private" and the >> certificate is my own
>>>> certificate. >> >> I'm missing something ? >> >> I only what to splice
>>>> everythng. >> >> Thanks >> >> >>
>>>> _______________________________________________ >> squid-users mailing list
>>>> >> squid-users at lists.squid-cache.org >>
>>>> http://lists.squid-cache.org/listinfo/squid-users >> >> > > > >
>>>> _______________________________________________ > squid-users mailing list
>>>> > squid-users at lists.squid-cache.org >
>>>> http://lists.squid-cache.org/listinfo/squid-users
>>>>
>>>> -----BEGIN PGP SIGNATURE-----
>>>> Version: GnuPG v2
>>>>
>>>> iQEcBAEBCAAGBQJWiDCiAAoJENNXIZxhPexGoQgH/3tVYeLA0ymswptTFgXCafjD
>>>> 4dVdYyeqUklxAD1Z9kdTAwebKr8gCum+pSJJti474hjNpgQQlHsTc/syxMxMJGsF
>>>> Z2V0e1GCFjhDf+PBoBRIO0tJw5fhSR7RUhWT5HeZ5OuP412XtjyLH1eRJqKShh+x
>>>> VBL+7btpC5CwhDyHtM35UXCwM43tkuXo3uF8FibZn3AgxKM7EZJ0NndwK5od0kW1
>>>> PaTmUqeODXJZdXjceVF4dYeTt6GfSvzfrtXiPMIogk0w0Z2bJi5Sj/w7tr1x7VPH
>>>> ls8kccXKVCKp0kigoEMLD86DzznKd1c4r+rZguEGycQQfN8MIpzc8wQZEm61nx0=
>>>> =aiMO
>>>> -----END PGP SIGNATURE-----
>>>>
>>>>
>>>> _______________________________________________
>>>> squid-users mailing list
>>>> squid-users at lists.squid-cache.org
>>>> http://lists.squid-cache.org/listinfo/squid-users
>>>>
>>>>
>>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160103/3f3c3d3a/attachment.html>


More information about the squid-users mailing list