[squid-users] Squid generated certificate for IP rather than domain when using ssl_bump
Alex Rousskov
rousskov at measurement-factory.com
Mon Apr 17 16:40:19 UTC 2017
On 04/17/2017 08:38 AM, Shanmugam Sundaram wrote:
> I have a blanket block setup with Squid as a transparent proxy where
> access is allowed only to github.com. But Squid generates certificates
> for the IP address instead of the domain name and SSL validation fails.
> Squid version: 3.5.25-20170408-r14154
> When I use curl:
> curl: (51) SSL: certificate subject name (192.30.255.112) does not
> match target host name 'github.com'
>
> How do I configure Squid properly to splice a whitelist and block all other
> domains? Below is my current configuration:
>
> http_port 3128
> http_port 3129 intercept
> https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/etc/squid/ssl_certs/myca.pem key=/etc/squid/ssl_certs/myca.pem
>
> acl whitelist ssl::server_name .github.com
> acl step1 at_step SslBump1
>
> ssl_bump peek step1
> ssl_bump splice whitelist
> ssl_bump bump all
>
> Please help me fix the issue.
Any http_access rules? Is it possible that Squid denies the fake CONNECT
request during step1 (before looking up SNI during step2)?
What does access.log say?
Alex.
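The scenario Alex asks about, written out as an added squid.conf example (not from this thread or from the Squid project): the http_access rules below are assumed, since the poster did not show any, and the step1/step2 re-evaluation of the fake CONNECT is the behaviour the example relies on.

```conf
# Added example: why an intercepted HTTPS client sees a certificate for the
# IP, and an http_access ordering that lets the SNI lookup happen first.

acl whitelist ssl::server_name .github.com
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl CONNECT method CONNECT
acl localnet src 10.0.0.0/8        # sample client range, adjust to taste

# --- Suspected problem (assumed rules; not shown by the poster) ---
# On an intercepted TLS connection Squid fabricates a CONNECT request whose
# host is the destination IP. At SslBump1 no Client Hello has been read, so
# "whitelist" is matched against 192.30.255.112, not github.com, and the
# rules below deny it. To deliver the error page Squid then bumps the
# connection and mints a certificate for the only name it knows, the IP,
# which is exactly the curl (51) mismatch the poster reports.
#
#   http_access allow whitelist
#   http_access deny all

# --- Corrected ordering ---
# Let the fake CONNECT pass during step1 so "peek" can read the SNI ...
http_access allow CONNECT step1
# ... and make the allow/deny decision on the real server name at step2,
# when Squid re-checks http_access with the SNI filled in.
http_access allow CONNECT step2 whitelist
http_access deny CONNECT step2
http_access allow localnet
http_access deny all

ssl_bump peek step1
ssl_bump splice whitelist
# "terminate" closes non-whitelisted TLS connections without generating any
# certificate; keep "bump all" instead if an HTML error page is preferred.
ssl_bump terminate all
```

Checking access.log for TCP_DENIED entries on CONNECT requests whose URL is an IP:443 confirms whether the step1 denial is what triggers the IP-named certificate.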