[squid-users] windows updates
Doug Tucker
doug.tucker at navigaglobal.com
Sun Mar 16 14:34:20 UTC 2025
No, no one responded.
Doug Tucker
Sr. Director of Networking and Linux Operations
doug.tucker at navigaglobal.com
________________________________
From: NgTech LTD <ngtech1ltd at gmail.com>
Sent: Sunday, March 16, 2025 2:38:35 AM
To: Doug Tucker <doug.tucker at navigaglobal.com>
Cc: squid-users at lists.squid-cache.org <squid-users at lists.squid-cache.org>
Subject: Re: [squid-users] windows updates
You don't often get email from ngtech1ltd at gmail.com. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification>
Naviga WARNING: External email. Please verify sender before opening attachments or clicking on links.
Hey,
Did you manage to find a solution for your use case?
Let me know if you need assistance with this issue.
Eliezer
----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd at gmail.com<mailto:ngtech1ltd at gmail.com>
On Tue, Mar 4, 2025 at 1:57 AM Doug Tucker <doug.tucker at navigaglobal.com<mailto:doug.tucker at navigaglobal.com>> wrote:
I have read through everything I can find on this subject but still cannot seem to get around the issue of windows updates not working through the squid transparent proxy. No matter what I try I continue to see this in the cache log and windows update will not connect.
2025/03/03 23:26:55 kid5| Error negotiating SSL on FD 25: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
I tried adding the info from the following doc to no avail.
https://wiki.squid-cache.org/SquidFaq/WindowsUpdate
The relevant parts of my squid.conf:
#Handling HTTPS requests
https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept
acl SSL_port port 443
http_access allow SSL_port
acl allowed_https_sites ssl::server_name "/etc/squid/allowed-sites.txt"
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump peek step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites
ssl_bump terminate step2 all
#windows update
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex -i "/etc/squid/url.nobump"
ssl_bump splice NoSSLIntercept
ssl_bump peek DiscoverSNIHost
ssl_bump bump all
I ran tcpdump and added every url i could find to the allowed-sites.txt and added the 2 sites recommended tot he url.nobump. If anyone has gotten this to work any help would be appreciated.
Doug Tucker
Sr. Director of Networking and Linux Operations
o: 817.975.5832
e: doug.tucker at navigaglobal.com<mailto:doug.tucker at navigaglobal.com>
Newscycle Solutions is now Naviga. Learn more.
CONFIDENTIALITY NOTICE: The contents of this email message and any attachments are intended solely for the addressee(s) and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the intended recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibite
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org<mailto:squid-users at lists.squid-cache.org>
https://lists.squid-cache.org/listinfo/squid-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20250316/0ae0622c/attachment-0001.htm>
More information about the squid-users
mailing list