On 27/01/2015 11:33 p.m., Josep Borrell wrote:
> I agree.
> Is there someone with the skills to help us with a working sample?
> is an external ACL needed as Dan remarks ?
> maybe the peek and splice feature need some tuning ?
> if I can help with something, tell me.
>
I've sent a virtual poke
I might have found something
Turning up debugging shows that squid is learning the SNI value from an
intercepted/transparent HTTPS session (or is it learnt from the server
response?)
2015/01/28 09:23:34.328 kid1| bio.cc(835) parseV3Hello: Found server name: www.kiwibank.co.nz
Looking that up in
On 27/01/15 11:13, Dan Charlesworth wrote:
> Wasn't somebody saying that you'd need to write an External ACL to
> evaluate the SNI host because dstdomain isn't hooked into that code
> (yet? ever?)?
That can't be the case. If the external ACL is called without the SNI,
then at best all it can do is co
behalf of
Jason Haar
Sent: Monday, 26 January 2015 22:34
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] HTTPS intercept, simple configuration to avoid bank
bumping
Well the documentation says
# SslBump1: After getting TCP-level and HTTP CONNECT info.
# SslBump2: After
Wasn't somebody saying that you'd need to write an External ACL to evaluate
the SNI host because dstdomain isn't hooked into that code (yet? ever?)?
On 27 January 2015 at 08:33, Jason Haar wrote:
>
> Well the documentation says
>
> # SslBump1: After getting TCP-level and HTTP CONNECT info.
> #
Well the documentation says
# SslBump1: After getting TCP-level and HTTP CONNECT info.
# SslBump2: After getting SSL Client Hello info.
# SslBump3: After getting SSL Server Hello info.
So that means SslBump1 only works for direct proxy (ie CONNECT)
sessions, it's SslBump2 that peeks into
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
In theory.
I don't see any 3.5.x bump working yet.
In 3.4.x bumping is not chunked into stages and only IP-based dst acls will
work.
27.01.2015 1:54, Daniel Greenwald wrote:
> hmm acc to how I read this page:
> http://wiki.squid-cache.org/Features/
hmm acc to how I read this page:
http://wiki.squid-cache.org/Features/SslPeekAndSplice
The following *should* work, however in my test it bumps all and does not
splice.
Yuri- I believe, the domain name should be available at step2 after peeking
in step1.
Someone correct me?
acl domains_nobump dst
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
You can't use a dstdomain ACL to disable bumping.
Only dst with IPs.
You don't know the site FQDN before the bump. :)
26.01.2015 23:48, Josep Borrell wrote:
>
> Hi all,
>
>
>
> Working on squid 3.5.1 with HTTPS interception.
>
> Trying to make a peek/spl
Hi all,
Working on squid 3.5.1 with HTTPS interception.
Trying to make a peek/splice configuration to work and avoid bank bumping.
Until now bumping is working fine but I can't avoid bumping the sites on the acl. All are
bumped.
Can anybody share a working configuration or take a look at mine to find why i