[squid-users] several sites - cloudflare not working with ssl-bump ...
Walter H.
walter.h at mathemainzel.info
Tue Feb 25 11:22:19 UTC 2020
On Tue, February 25, 2020 06:30, Amos Jeffries wrote:
> On 25/02/20 5:00 am, Walter H. wrote:
>> Hello,
>>
>> can someone explain why
>> sites such as https://dnslytics.com/
>> do not work any more with 'server-first'?
>> They only work with 'client-first'. Why?
>>
>
> Not with the lack of information supplied.
>
> Amos

Part of my squid.conf:

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl nobumpsites ssl::server_name "/etc/squid/sslnobumpsites-acl.squid"
# this doesn't work, my own site also only works with SNI
ssl_bump peek step1
ssl_bump splice nobumpsites
ssl_bump stare step2
ssl_bump bump all
# this works
#ssl_bump client-first
# this doesn't work with these sites
#ssl_bump server-first

Even wget shows this:

ERROR: no certificate subject alternative name matches

which means that SNI isn't correctly handled, but why, and which part of
the chain is causing this?

This problem has existed since e.g. dnslytics.com got a new SSL certificate this year.

Thanks,
Walter
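
Added example, not part of the original post and not Squid's own code: a simplified Python model of how the four active ssl_bump rules above are evaluated at each SslBump step, based on the documented rule that the first matching action that is still possible at the current step wins. The function names, the exact-match handling of ssl::server_name and the contents of the nobump list (bank.example) are assumptions made for illustration.

```python
# Simplified model of ssl_bump rule evaluation (assumed from Squid's documentation).
# Each rule is (action, acl name), kept in the order used in the post.
RULES = [
    ("peek",   "step1"),
    ("splice", "nobumpsites"),
    ("stare",  "step2"),
    ("bump",   "all"),
]
FINAL = {"splice", "bump", "terminate"}

def allowed(action, step, previous):
    """Is this action still possible at this step? (assumption: per Squid docs)"""
    if action in ("peek", "stare"):
        return step in (1, 2)          # nothing left to look at by step 3
    if step == 3 and action == "splice":
        return previous == "peek"      # staring at step 2 rules out splicing
    if step == 3 and action == "bump":
        return previous == "stare"     # peeking at step 2 rules out bumping
    return True

def matches(acl, step, server_name, nobump):
    if acl == "all":
        return True
    if acl.startswith("step"):
        return int(acl[4:]) == step
    if acl == "nobumpsites":
        # Simplification: exact match only; the real ACL also does domain matching.
        return server_name in nobump
    raise ValueError("unknown acl: " + acl)

def walk(server_name, nobump, rules=RULES):
    """Return [(step, action), ...] up to and including the final action."""
    trace, previous = [], None
    for step in (1, 2, 3):
        for action, acl in rules:
            if allowed(action, step, previous) and matches(acl, step, server_name, nobump):
                trace.append((step, action))
                previous = action
                break
        else:
            break                      # no usable rule; Squid's default is not modelled
        if previous in FINAL:
            break
    return trace

if __name__ == "__main__":
    nobump = {"bank.example"}          # constructed sample list
    for name in ("dnslytics.com", "bank.example"):
        print(name, walk(name, nobump))
```

Under this model a name that is not in the nobump list is peeked at step 1, stared at step 2 and bumped at step 3, while a listed name is spliced at step 2.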