[squid-users] Microsoft store issues with ssl-bump
Eliezer Croitoru
ngtech1ltd at gmail.com
Tue Jan 12 14:10:42 UTC 2021
-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Amos Jeffries
Sent: Tuesday, January 12, 2021 2:42 PM
To: Squid Users <squid-users at lists.squid-cache.org>
Subject: Re: [squid-users] Microsoft store issues with ssl-bump
On 12/01/21 11:32 pm, NgTech LTD wrote:
> Im saying that my config might be wrong and I will send you a full
> config save which can show you the whole setup like most vendors has.
> I have upgraded squid in production.
>
> Let me verify first before shouting "bug".
>
> Eliezer
>
> The other proxy logs show SNI as being
> "https://storeedgefd.dsx.mp.microsoft.com:443". SNI should be only a
> name, not a full URL. So if we assume that log is correct the client is
> producing invalid SNI. This may be an issue for Squid, causing it to
> ignore the SNI value entirely.
It's only fprint that does this with https://XYZ:port
It sees only the IP + domain (plain SNI) + port
> The openssl tool connecting to the same IP address the other proxy
> claims to be going to gets "sfdataservice.microsoft.com" as the server
> name. In absence of valid SNI to work with that is the name your Squid
> will be trying to match against to decide splice vs bump.
So squid tried to match only the certificate and not the SNI?
From what I see the SNI is OK with the certificate version 3 extensions, i.e. DNS=XYZ
(it should, I cannot verify this against the server at the moment.)
> The server prefers to use TLS/1.3 unless explicitly connected to with
> TLS/1.2 immediately. IIRC latest Squid force the client to TLS/1.2 when
> preparing to bump, but may not for spliceand stare. So YMMV.
OK
Eliezer
----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd at gmail.com
Zoom: Coming soon
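An added example (not from this thread and not Squid's own code) modelling the point Amos makes above: a URL-shaped SNI such as "https://host:443" is not a valid server name, so the only name left to match for the splice-vs-bump decision is the one on the server certificate. The SAN list and the splice allow-list are constructed values, and the decision logic is a simplified illustration rather than Squid's actual implementation.

```python
import re
from urllib.parse import urlsplit

# RFC 1123 label grammar: an SNI value must be a bare DNS name,
# never a URL such as "https://storeedgefd.dsx.mp.microsoft.com:443".
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_hostname(value: str) -> bool:
    """True if value is a syntactically valid DNS host name."""
    if not value or len(value) > 253 or value.endswith("."):
        return False
    return all(_LABEL.match(label) for label in value.split("."))


def normalise_sni(logged: str):
    """Return (valid, hostname). A URL-shaped value is reported as invalid,
    but the host it carries is still returned so an operator can see what
    the client probably meant."""
    if is_hostname(logged):
        return True, logged.lower()
    if "://" in logged:
        return False, (urlsplit(logged).hostname or "").lower()
    return False, ""


def san_matches(name: str, san_dns: list) -> bool:
    """Match a host name against the certificate's DNS SANs; a wildcard
    covers exactly one left-most label (RFC 6125 style)."""
    name = name.lower()
    for san in (s.lower() for s in san_dns):
        if san == name:
            return True
        if san.startswith("*.") and name.count(".") == san.count("."):
            if name.split(".", 1)[1] == san[2:]:
                return True
    return False


def decide(logged_sni: str, cert_san_dns: list, splice_names: set) -> dict:
    """Simplified model (assumption, not Squid's code): with a usable SNI the
    client's name is matched; without one, only the server certificate's
    name is available to decide between splice and bump."""
    valid, sni_host = normalise_sni(logged_sni)
    basis = sni_host if valid else (cert_san_dns[0] if cert_san_dns else "")
    return {
        "sni_valid": valid,
        "match_name": basis,
        "sni_host_in_cert": bool(sni_host) and san_matches(sni_host, cert_san_dns),
        "action": "splice" if basis in splice_names else "bump",
    }
```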