Feb 1, 2016 at 1:44 PM, Amos Jeffries wrote:
> On 2/02/2016 12:55 a.m., Tom Tom wrote:
>> Hi list
>> Using Squid 3.5.11 and playing with Peek-and-splice and
>> SSL-Fingerprinting. I've configured the following settings:
>>
>> acl SSL_BLACKLIST server_cert_f
Hi list
Using Squid 3.5.11 and playing with Peek-and-splice and
SSL-Fingerprinting. I've configured the following settings:
acl SSL_BLACKLIST server_cert_fingerprint "/etc/squid/SSL_BLACKLIST"
acl DENY_SSL_BUMP ssl::server_name_regex -i "/etc/squid/DENY_SSL_BUMP"
acl step1 at_step SslBump1
acl ste
Hi list
Using squid 3.5.11: Is there a way to log the SHA1-Fingerprint from a
SSL/TLS-Connection in the access.log?
Kind regards,
Tom
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Bug created: http://bugs.squid-cache.org/show_bug.cgi?id=4394
On Thu, Dec 10, 2015 at 9:10 PM, Tom Tom wrote:
> Hi Alex
>
> I've tested again. Squid (3.5.11) only terminates the connection
> (based on SHA1-Fingerprint), *if* the fingerprint is delimited with
> colons. If
DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi
UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE
LOC GOV"
X-Frame-Options: DENY
Strict-Transport-Security: max-age=2592000
...
Kind regards,
Tom
On Mon, Dec 7, 2015 at 10:30 PM, Alex Rousskov
wrote:
> On
The configuration provided by Alex works for me (squid 3.5.11) if:
* the http_port-directive is configured with ssl-bump and a
certificate (ex. http_port 3128 ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/usr/local/certs/myCA.pem)
* the SHA1-fingerprint in the file SS
ny"? Are there some
speed-/security...-considerations?
Kind regards,
Tom
On Fri, Dec 4, 2015 at 1:40 PM, Amos Jeffries wrote:
> On 4/12/2015 9:34 p.m., Tom Tom wrote:
>> Hi list,
>>
>> I'm trying to implement SSL-Blacklists based on SHA1-Fingerprints
>> (squid 3.5.11
Hi list,
I'm trying to implement SSL-Blacklists based on SHA1-Fingerprints
(squid 3.5.11). As I know, certificate-fingerprints are one of the
parts of a certificate, which are visible in unencrypted traffic.
It seems, that blocking https-sites based on fingerprints is only
working with a ssl_bump
Hi
I'm running Squid 3.5.11 (Linux, 64Bit) with 16 workers and 4
cache_dir's (rock) configured.
The 4 rock-caches were newly built a few days ago. In the meantime,
during squid-startup, I receive warnings like this:
...
...
2015/11/26 00:07:41 kid17| WARNING: Ignoring malformed cache entry.
20
Hi
M$ provides an XML-List of IP-Addresses and Domain-Names, which should
be accessible for Office365. Look here:
https://support.content.office.net/en-us/static/O365IPAddresses.xml
Is there a way to include such an XML-File in squid for ex. allow the
mentioned IPs/Domains without authentication? O
The workaround in the mentioned 3.5.6-snapshot seems to solve these
periodic restarts.
Many thanks.
Tom
On Tue, Jul 7, 2015 at 10:48 AM, Amos Jeffries wrote:
> On 7/07/2015 4:27 p.m., Tom Tom wrote:
>> Hi
>>
>> Opened a while ago, but no answer, if this problem is a (
Hi
Opened a while ago, but no answer, if this problem is a (known) bug or
it's already solved with 3.5.6..?
Thanks for an answer.
Kind regards,
Tom
-- Forwarded message --
From: Tom Tom
Date: Tue, Jun 30, 2015 at 1:09 PM
Subject: Re: [squid-users] Squid 3.5.5 automati
What's the error-message?
I also run a SLES12-Box with kerberos-auth. I had to ensure, that in
the users-path, from which you try to configure && make && make
install, the following directories are present:
export PATH=$PATH:/usr/lib/mit/bin:/usr/lib/mit/sbin
Regards,
Tom
On Wed, Jul 1, 2015 at 6:
Hi Othmar
The same behaviour here with squid 3.5.5:
# Catching an existing file results in a correct 200:
$ curl -x proxy:3128 -I ftp://mirror.switch.ch/README
HTTP/1.1 200 OK
Server: squid
Mime-Version: 1.0
Date: Wed, 01 Jul 2015 07:58:28 GMT
Content-Type: text/plain
Last-Modified: Wed, 05 Dec 2
Hi Amos
On Fri, Jun 19, 2015 at 12:06 PM, Amos Jeffries wrote:
> On 19/06/2015 5:23 a.m., Tom Tom wrote:
>> Hi
>>
>> gdb shows the following:
>>
>>
>
>> #3 0x7ff7ad7d31d2 in __GI___assert_fail (assertion=0x83314d "0",
>> file=0x8
...or something else I can configure to prevent restarting after every 2h?
Thanks.
Tom
On Mon, Jun 22, 2015 at 7:16 AM, Tom Tom wrote:
> Seems this is a well known problem? Is there a patch available?
>
> On Fri, Jun 19, 2015 at 12:06 PM, Amos Jeffries wrote:
>> On 19/0
, Michael Pelletier
wrote:
> It did not work. I exported the variable and started squid but it still used
> the old file:-(
>
> On Mon, Jun 22, 2015 at 1:54 PM, Tom Tom wrote:
>>
>> You can export the variable KRB5CCNAME, where you can specify the
>> kerberos cache
You can export the variable KRB5CCNAME, where you can specify the
kerberos cache file location.
For example: $ export KRB5CCNAME=/home/testuser/krb5_cache_file_$(id -u)
Regards,
Tom
On Mon, Jun 22, 2015 at 5:48 PM, Michael Pelletier
wrote:
> Hello,
>
> Squid is keeping the kerberos cache file in
Seems this is a well known problem? Is there a patch available?
On Fri, Jun 19, 2015 at 12:06 PM, Amos Jeffries wrote:
> On 19/06/2015 5:23 a.m., Tom Tom wrote:
>> Hi
>>
>> gdb shows the following:
>>
>>
>
>> #3 0x7ff7ad7d31d2 in __GI___as
Hi
gdb shows the following:
# gdb /usr/local/squid/sbin/squid /root/core
...
...
[New LWP 12812]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `(squid-1) -f /etc/squid/squid.conf'.
Program terminated with signal SI
to signal 6 with status 0
But no hints, why squid will be killed with SIGABRT
On Thu, Jun 18, 2015 at 11:19 AM, Ralf Hildebrandt
wrote:
> * Tom Tom :
>> Hi
>>
>> Squid 3.5.5 on a SLES12 box with Rock and SSL-Bump enabled, reloads
>> itself after every 2 hours (and only
Hi
Squid 3.5.5 on a SLES12 box with Rock and SSL-Bump enabled, reloads
itself after every 2 hours (and only if there was initially some low
traffic through it). Squid 3.3.13 on the same box doesn't reload
itself after 2 hours.
In the cache.log are no suspicious entries. Everything looks and feels
n
Thank you Amos, for this explanation.
On Wed, Apr 29, 2015 at 3:02 PM, Amos Jeffries wrote:
> On 29/04/2015 7:38 p.m., Tom Tom wrote:
>> Hi
>>
>> I'm running squid (3.4.12) on an IPv6/IPv4-dual-stack system.
>>
>> While accessing the test-site "
Hi
I'm running squid (3.4.12) on an IPv6/IPv4-dual-stack system.
While accessing the test-site "http://test.rx.td.h.labs.apnic.net", I
encountered a 60s connection-timeout (configurable with
connect_timeout) while squid is making 5 IPv6-connection-attempts
(SYN), before it tries to connect with I
Some of our internal users are connecting via squid and ica-webclient
(java-applet) to the remote citrix-server. Because of our
kerberos-authentication (java resp. ica-webclient seems not to know
kerberos) we allowed the destination (citrix)-site without
authentication, but based on the user-agent
enticate" is not existent. Why does squid in newer versions
"eat" this header-field? Is there a configuration-directive for
squid, not to delete this field?
On Fri, Nov 7, 2014 at 6:20 PM, Amos Jeffries wrote:
> -BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 8/1
Hi
Within squid 3.3.11 and 3.3.13 (and of course squid >3.3.13) changed
something concerning browser-behaviour while accessing ftp-sites:
squid 3.3.11
ftp://ftp.xxx.xxx -> User is prompted for username/password
(TCP_DENIED/401), when anonymous-access is not allowed
squid 3.3.13 (sa
Hi
After migration from squid 3.3.13 to 3.4.4, I recognized a
performance-issue. Squid is configured with 4 workers. They often have
a CPU-Utilization between 50%-90% (each worker). With squid 3.3.13
(same configuration), the CPU-Utilization was never a problem. I
installed squid 3.4.9 and had the
Entry created in bugzilla:
http://bugs.squid-cache.org/show_bug.cgi?id=4122
On Mon, Oct 20, 2014 at 7:25 AM, Amos Jeffries wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On 20/10/2014 6:18 p.m., Tom Tom wrote:
>> Hi Amos
>>
>> Do you have new fin
Hi Amos
Do you have new findings? Should I open a bug for better tracking?
Kind regards,
Tom
On Mon, Oct 13, 2014 at 8:16 AM, Amos Jeffries wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On 13/10/2014 6:26 p.m., Tom Tom wrote:
>> Hi
>>
>> Doe
Hi
Does anyone have some ideas/hints concerning this problem?
Many thanks.
Tom
On Wed, Oct 8, 2014 at 8:16 PM, Tom Tom wrote:
> I still get a TCP_DENIED/403 while accessing a bumped https-site after
> putting a "-" or even "^root$" in /etc/squid/DENY_USERS_L
DENY_USERS_LOCAL is denying
kerberos-authenticated AD-users. With squid 3.4.4, this worked fine.
Kind regards,
Tom
On Wed, Oct 8, 2014 at 4:26 PM, Amos Jeffries wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On 9/10/2014 3:21 a.m., Amos Jeffries wrote:
>> On
I think, this behaviour was introduced with squid 3.4.4.1
(http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13113.patch).
I don't exactly understand this behaviour.
Any hints for this?
Thanks a lot.
Kind regards,
Tom
On Mon, Oct 6, 2014 at 11:59 AM, Tom Tom wrote:
> Hi
>
Hi
After upgrading squid 3.4.4 to 3.4.7 (64Bit, self-compiled, the same
configure-options, the same config-file, ssl_bump with "ssl_bump
server-first all" enabled), I'm no longer able to access bumped
https-sites because of a TCP_DENIED/403.
#-- relevant parts of squid.conf ---
34 matches