Re: [squid-users] SSL_Bump: Unexpected decryption of non-whitelisted domains

2025-05-27 Thread Alex Rousskov
On 2025-05-27 08:47, 中山稀斗 wrote: Dear Squid-Users, I’m configuring SSL_Bump to decrypt only a specific list of domains and to splice (pass through encrypted) all others, but I’m seeing non-whitelisted domains still being decrypted. ### Observed behavior (access log excerpt): 26.56.128.144 -

[squid-users] SSL_Bump: Unexpected decryption of non-whitelisted domains

2025-05-27 Thread 中山稀斗
Dear Squid-Users, I’m configuring SSL_Bump to decrypt only a specific list of domains and to splice (pass through encrypted) all others, but I’m seeing non-whitelisted domains still being decrypted. ### Observed behavior (access log excerpt): 26.56.128.144 - - [27/May/2025:18:35:17 +0900] "CONN

[squid-users] SSL_Bump

2025-01-18 Thread Jonathan Lee
Hello fellow Squid users, can you please help? Is there a better way to configure the access control lists? ssl_bump peek step1 ssl_bump terminate SSL_Intercept_Terminate miss_access deny no_miss active_use ssl_bump splice splice_main active_use ssl_bump bump bump_main active_use acl activated not

Re: [squid-users] ssl_bump with parent cache

2022-03-09 Thread Alex Rousskov
On 3/9/22 16:16, Aaron Dewell wrote: the difference in what works and what doesn't is: ssl_bump peek step1 ssl_bump splice all (working) and this not working: ssl_bump peek all ssl_bump splice all ... which, for comparison purposes, is equivalent to: ssl_bump peek step1 ssl_bump peek s

Re: [squid-users] ssl_bump with parent cache

2022-03-09 Thread Aaron Dewell
So after a bit more experimentation, the difference in what works and what doesn't is: ssl_bump peek step1 ssl_bump splice all (working) and this not working: ssl_bump peek all ssl_bump splice all I'm not clear on why peeking at "all" vs. "step1" would cause it to fail. However, I also note th

Re: [squid-users] ssl_bump with parent cache

2022-03-08 Thread Alex Rousskov
On 3/8/22 17:56, Aaron Dewell wrote: Ok, with a bit more messing with it...  Changing bump to splice does work: ssl_bump splice all Noted. Adding: acl step2 at_step SslBump2 ssl_bump peek step1 ssl_bump peek step2 ssl_bump splice step2 The above is a bad configuration because no rule m

Re: [squid-users] ssl_bump with parent cache

2022-03-08 Thread Aaron Dewell
Ok, with a bit more messing with it... Changing bump to splice does work: ssl_bump splice all Adding: acl step2 at_step SslBump2 ssl_bump peek step1 ssl_bump peek step2 ssl_bump splice step2 Fails (back to the connection errors as with bump). My guess is that this means it can splice at step1 bu

Re: [squid-users] ssl_bump with parent cache

2022-03-08 Thread Alex Rousskov
On 3/8/22 16:38, Aaron Dewell wrote: Hi Alex, thanks for your reply!  I did get access to the parent proxy and my assumption was wrong, it's doing minimal bumping. TLS inspection at the parent proxy does not affect what I was trying to double check. What matters is whether it is a forward HTT

Re: [squid-users] ssl_bump with parent cache

2022-03-08 Thread Aaron Dewell
Hi Alex, thanks for your reply! I did get access to the parent proxy and my assumption was wrong, it's doing minimal bumping. Also, the reason it's on 443 is to operate on a "standard" port for firewalls. The parent is doing peek and splice to an exact list of internal destinations. Specificall

Re: [squid-users] ssl_bump with parent cache

2022-03-08 Thread Alex Rousskov
On 3/8/22 14:16, Aaron Dewell wrote: I'm trying to use these two features at the same time.  The use case is pretty simple.  I want to capture all traffic from a single source (a device of mine) to another squid proxy server and decrypt/log it.    I'm using the Ubuntu 20 package of squid-ssl v

[squid-users] ssl_bump with parent cache

2022-03-08 Thread Aaron Dewell
Hi all, I'm trying to use these two features at the same time. The use case is pretty simple. I want to capture all traffic from a single source (a device of mine) to another squid proxy server and decrypt/log it. I'm using the Ubuntu 20 package of squid-ssl version 4.13. Device -> ssl_bump pro

Re: [squid-users] SSL_Bump not working correctly for IP destinations like https:/1.1.1.1/

2021-05-20 Thread Dieter Bloms
Hello Alex, thank you for the fast response. On Thu, May 20, Alex Rousskov wrote: > On 5/20/21 8:12 AM, Dieter Bloms wrote: > > > I've a working setup with squid 4.14 and enabled sslbump under debian > > buster. > > But when I try destinations like https://1.1.1.1/ I get an error > > ERR_CER

[squid-users] SSL_Bump not working correctly for IP destinations like https:/1.1.1.1/

2021-05-20 Thread Dieter Bloms
Hello, I've a working setup with squid 4.14 and enabled sslbump under debian buster. But when I try destinations like https://1.1.1.1/ I get an error ERR_CERT_COMMON_NAME_INVALID The alternate DNS Names in the certificate of the original webserver are: X509v3 Subject Alternative Name: DNS:c

Re: [squid-users] SSL_Bump not working correctly for IP destinations like https:/1.1.1.1/

2021-05-20 Thread Alex Rousskov
On 5/20/21 8:12 AM, Dieter Bloms wrote: > I've a working setup with squid 4.14 and enabled sslbump under debian buster. > But when I try destinations like https://1.1.1.1/ I get an error > ERR_CERT_COMMON_NAME_INVALID > > The alternate DNS Names in the certificate of the original webserver is: >

Re: [squid-users] ssl_bump problems with pypi servers

2020-05-29 Thread Alex Rousskov
On 5/26/20 7:43 PM, hanxie wrote: > The problem is that occasionally requests to "https://pypi.org" will > time out. I believe you are dealing with a TLS v1.3 server. TLS v1.3 fakes its handshakes to pretend that they are TLS v1.2 handshakes. However, IIRC, those fake handshakes do not end with

Re: [squid-users] ssl_bump problems with pypi servers

2020-05-27 Thread hanxie
Hi Alex thanks for the response! I have posted a link to a larger log snippet that was the more full trace from the previous request. Let me know if I could provide anything else as well. squid_debug.txt -- Se

Re: [squid-users] ssl_bump problems with pypi servers

2020-05-27 Thread Alex Rousskov
On 5/26/20 7:43 PM, hanxie wrote: > We have tried turning on verbose debugging and I think I have found the logs > in which squid encounters an error with the request: I did not find anything particularly suspicious in that log snippet. I suggest posting a link to a much larger, compressed log sa

[squid-users] ssl_bump problems with pypi servers

2020-05-26 Thread hanxie
Hi all, I am experiencing somewhat of a strange error with squid using ssl-bump. I think I am running a somewhat typical set up in which we run a squid proxy server fleet that is used by our other servers and we use "ssl_bump" to man-in-the-middle all our traffic. The problem is that occasional

Re: [squid-users] SSL_bump and source IP

2017-02-02 Thread Eliezer Croitoru
-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of FredB Sent: Thursday, February 2, 2017 1:38 PM Cc: squid-users@lists.squid-cache.org Subject: Re: [squid-users] SSL_bump and source IP Thanks Eliezer Unfortunately my "lan" is huge, many thousands of people, and MAC add

Re: [squid-users] SSL_bump and source IP

2017-02-02 Thread FredB
> > acl tls_s1_connect at_step SslBump1 > > acl tls_vip_users fill-in-your-details > > ssl_bump splice tls_vip_users # do not peek/bump vip users > ssl_bump peek tls_s1_connect # peek at connections of other > users > ssl_bump stare all # peek

Re: [squid-users] SSL_bump and source IP

2017-02-02 Thread Marcus Kool
The terminology may be confusing: ssl_bump means more or less "looking at HTTPS traffic" ssl_bump splice means "do not bump/intercept HTTPS traffic. No fake CA certificates are used" ssl_bump bump means "bump/intercept HTTPS traffic and use a fake CA certificate" So the question is

Re: [squid-users] SSL_bump and source IP

2017-02-02 Thread Odhiambo Washington
I am with you on this. Unfortunately, the way a certain subject turns out not easy for someone in school, so does ssl_bump to me! On 2 February 2017 at 14:37, FredB wrote: > Thanks Eliezer > > Unfortunately my "lan" is huge, many thousands of people, and MAC > addresses are not known > I'm very

Re: [squid-users] SSL_bump and source IP

2017-02-02 Thread FredB
Thanks Eliezer Unfortunately my "lan" is huge, many thousands of people, and MAC addresses are not known. I'm very surprised, am I alone with this? Nobody needs to exclude some users from SSLBump? Fredb

Re: [squid-users] SSL_bump and source IP

2017-02-02 Thread Eliezer Croitoru
quid-users-boun...@lists.squid-cache.org] On Behalf Of FredB Sent: Thursday, February 2, 2017 10:03 AM To: squid-users@lists.squid-cache.org Subject: Re: [squid-users] SSL_bump and source IP So how I can manage computers without my CA ? (eg: laptop temporary connected) In my situation I

Re: [squid-users] SSL_bump and source IP

2017-02-02 Thread FredB
So how can I manage computers without my CA? (e.g. a laptop temporarily connected) In my situation I also have some smartphones, in some cases connected to my squids; how can I exclude them from SSLBump? I already have some ACLs based on authentication (user azerty = with/without some rules) FredB

Re: [squid-users] ssl_bump - peek & splice logging IP rather than server name

2017-01-26 Thread Eliezer Croitoru
users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Alex Rousskov Sent: Friday, January 27, 2017 1:57 AM To: squid-users@lists.squid-cache.org Subject: Re: [squid-users] ssl_bump - peek & splice logging IP rather than server name On 01/26/2017 03:38 PM, Mark Hoare wrote: > To r

Re: [squid-users] ssl_bump - peek & splice logging IP rather than server name

2017-01-26 Thread Alex Rousskov
aps on CN _unless_ SNI matches one of >> the alternative names?? This is a complicated issue; even the smart >> server_name ACL needs parameters to clarify what "server name(s)" the >> admin really wants to use/trust... >> >> According to Mark

Re: [squid-users] ssl_bump - peek & splice logging IP rather than server name

2017-01-26 Thread Mark Hoare
information when both TCP-level and SNI information is available. Or > should it be based on CN? Or perhaps on CN _unless_ SNI matches one of > the alternative names?? This is a complicated issue; even the smart > server_name ACL needs parameters to clarify what "server name(s)" t

Re: [squid-users] SSL_bump and source IP

2017-01-11 Thread Amos Jeffries
On 12/01/2017 1:04 a.m., FredB wrote: > >> but not all requests from a specific source > >> what do you mean here? > > I mean no ssl-bump at all for a specific user, no matter the destinations > I tried some acl without success At the time of bumping Squid has no idea what a "user" is and thing

Re: [squid-users] SSL_bump and source IP

2017-01-11 Thread FredB
> but not all requests from a specific source > what do you mean here? I mean no ssl-bump at all for a specific user, no matter the destinations I tried some acl without success >>, maybe because I'm using x-forwarded ? > x-forwarded-for has nothing to do with this There is a known bug with s

Re: [squid-users] SSL_bump and source IP

2017-01-11 Thread Matus UHLAR - fantomas
On 11.01.17 11:37, FredB wrote: I'm searching a way to exclude an user (account) or an IP from my lan I can exclude a destination domain to decryption with SSL_bump simply define an ACL and deny bumping it. but not all requests from a specific source what do you mean here? , maybe because

[squid-users] SSL_bump and source IP

2017-01-11 Thread FredB
Hello, I'm searching for a way to exclude a user (account) or an IP from my lan. I can exclude a destination domain from decryption with SSL_bump but not all requests from a specific source, maybe because I'm using x-forwarded? Thanks Fred

Re: [squid-users] ssl_bump with intermediate CA

2017-01-07 Thread senor
Thank you Amos. I agree that adding the anchor is generally harmless and you've chosen your battles wisely. Also thank you Garri. I must have missed your response confirming the same. For current squid versions the wiki page is misleading according to all credible references I can find. Any applic

Re: [squid-users] ssl_bump with intermediate CA

2017-01-06 Thread Eliezer Croitoru
lists.squid-cache.org] On Behalf Of Amos Jeffries Sent: Friday, January 6, 2017 12:06 PM To: squid-users@lists.squid-cache.org Subject: Re: [squid-users] ssl_bump with intermediate CA On 2017-01-06 21:27, senor wrote: > Thank you for the response but I think my question is still unanswered.

Re: [squid-users] ssl_bump with intermediate CA

2017-01-06 Thread Amos Jeffries
On 2017-01-06 21:27, senor wrote: Thank you for the response but I think my question is still unanswered. Comments below: On 1/5/2017 16:57, Bruce Rosenberg wrote: The cafile option specifies the "chain" file squid should send back to the client along with the cert, exactly as you would normall

Re: [squid-users] ssl_bump with intermediate CA

2017-01-06 Thread senor
Thank you for the response but I think my question is still unanswered. Comments below: On 1/5/2017 16:57, Bruce Rosenberg wrote: > The cafile option specifies the "chain" file squid should send back to > the client along with the cert, exactly as you would normally do with > Apache httpd or Nginx

Re: [squid-users] ssl_bump with intermediate CA

2017-01-05 Thread Garri Djavadyan
On Thu, 2017-01-05 at 23:40 +, senor wrote: > Hello All. > I'd like clarification of the documentation at > http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpWithInter > mediateCA > > In section "CA certificate preparation" it is stated that a file > should > be created with "interme

Re: [squid-users] ssl_bump with intermediate CA

2017-01-05 Thread Bruce Rosenberg
The cafile option specifies the "chain" file squid should send back to the client along with the cert, exactly as you would normally do with Apache httpd or Nginx. In the example the generated server cert is depth 0, CA2 is depth 1 and CA1 is depth 2. If the client has CA1 installed as a trust anch

[squid-users] ssl_bump with intermediate CA

2017-01-05 Thread senor
Hello All. I'd like clarification of the documentation at http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpWithIntermediateCA In section "CA certificate preparation" it is stated that a file should be created with "intermediate CA2 followed by root CA1 in PEM format". CA1 is the cert tr

Re: [squid-users] ssl_bump - peek & splice logging IP rather than server name

2017-01-03 Thread Alex Rousskov
On 01/03/2017 04:11 PM, Mark Hoare wrote: > I think these are hangovers from earlier syntax (ssl_bump > server-first all) which shouldn't be required under 3.5. Please note that the deprecated server-first is a "bumping" (not splicing!) action, and you may see a lot more information in the bumpin

Re: [squid-users] ssl_bump - peek & splice logging IP rather than server name

2017-01-03 Thread Mark Hoare
age- > From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On > Behalf Of Mark Hoare > Sent: Saturday, December 31, 2016 4:38 PM > To: squid-users@lists.squid-cache.org > Subject: [squid-users] ssl_bump - peek & splice logging IP rather than server > name &

Re: [squid-users] ssl_bump - peek & splice logging IP rather than server name

2017-01-03 Thread Alex Rousskov
Alex. > -Original Message- > From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On > Behalf Of Mark Hoare > Sent: Saturday, December 31, 2016 4:38 PM > To: squid-users@lists.squid-cache.org > Subject: [squid-users] ssl_bump - peek & splice logging IP rat

Re: [squid-users] ssl_bump - peek & splice logging IP rather than server name

2017-01-03 Thread Eliezer Croitoru
: elie...@ngtech.co.il -Original Message- From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Mark Hoare Sent: Saturday, December 31, 2016 4:38 PM To: squid-users@lists.squid-cache.org Subject: [squid-users] ssl_bump - peek & splice logging IP rather than se

Re: [squid-users] ssl_bump - peek & splice logging IP rather than server name

2017-01-03 Thread Mark Hoare
Sorry, should have included squid version details in original post: Squid Cache: Version 3.5.20 Service Name: squid configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/

[squid-users] ssl_bump - peek & splice logging IP rather than server name

2016-12-31 Thread Mark Hoare
Hi, I’m trying to set up policy based routing on a gateway device pointing at a remote squid server to do transparent HTTP & HTTPS proxying with ssl_bump (peek & splice) After quite a bit of pain getting policy based routing working on the gateway and local port redirection on the squid server,

Re: [squid-users] ssl_bump newbie troubles

2016-04-20 Thread Alex Rousskov
On 04/20/2016 04:18 PM, Odhiambo Washington wrote: > On 21 April 2016 at 00:11, Alex Rousskov wrote: > > On 04/20/2016 02:22 PM, Odhiambo Washington wrote: > > > All I want is the ability to intercept SSL sites and control access to > > them using TIME ACLs. That's all. You also want

Re: [squid-users] ssl_bump newbie troubles

2016-04-20 Thread Odhiambo Washington
On 21 April 2016 at 00:11, Alex Rousskov wrote: > On 04/20/2016 02:22 PM, Odhiambo Washington wrote: > > > All I want is the ability to intercept SSL sites and control access to > > them using TIME ACLs. That's all. > > I will assume that your definition of a "site" is "domain name". > Yes. >

Re: [squid-users] ssl_bump newbie troubles

2016-04-20 Thread Alex Rousskov
On 04/20/2016 02:22 PM, Odhiambo Washington wrote: > All I want is the ability to intercept SSL sites and control access to > them using TIME ACLs. That's all. I will assume that your definition of a "site" is "domain name". > So in simple: > 1. UserX tries to access facebook.com/youtube.com >

Re: [squid-users] ssl_bump newbie troubles

2016-04-20 Thread Odhiambo Washington
On 20 April 2016 at 18:38, Alex Rousskov wrote: > On 04/20/2016 08:16 AM, Odhiambo Washington wrote: > > > I even wonder if this config is correct: > > > > acl ssl_bump_broken_sites dstdomain ... > > ssl_bump none ssl_bump_broken_sites > > ssl_bump peek step1 > > ssl_bump stare step2 > > ssl_bum

Re: [squid-users] ssl_bump newbie troubles

2016-04-20 Thread Amos Jeffries
On 21/04/2016 2:16 a.m., Odhiambo Washington wrote: > Hi, > > I am trying my hands on ssl_bump and it's almost working, but that's > ish-ish.. because I have several problems. > > I even wonder if this config is correct: > > *acl step1 at_step SslBump1* > *acl step2 at_step SslBump2* > *acl step

Re: [squid-users] ssl_bump newbie troubles

2016-04-20 Thread Alex Rousskov
On 04/20/2016 08:16 AM, Odhiambo Washington wrote: > I even wonder if this config is correct: > > acl ssl_bump_broken_sites dstdomain ... > ssl_bump none ssl_bump_broken_sites > ssl_bump peek step1 > ssl_bump stare step2 > ssl_bump bump all You did not say what you want Squid to do, so it is di

[squid-users] ssl_bump newbie troubles

2016-04-20 Thread Odhiambo Washington
Hi, I am trying my hands on ssl_bump and it's almost working, but that's ish-ish.. because I have several problems. I even wonder if this config is correct: *acl step1 at_step SslBump1* *acl step2 at_step SslBump2* *acl step3 at_step SslBump3* *acl ssl_bump_broken_sites dstdomain "/usr/local/e

Re: [squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

2015-11-09 Thread Amos Jeffries
On 9/11/2015 10:43 p.m., maple wrote: > Hi Amos, > > thanks for confirmation, but I'm not sure if my upstream proxy support > TLS/SSL in that way as you said, but we can use it to proxy both http and > https request, does it mean it support TLS/SSL? > > To be honest, I'm not familiar with princip

Re: [squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

2015-11-09 Thread maple
Hi Amos, thanks for the confirmation, but I'm not sure if my upstream proxy supports TLS/SSL in the way you said; we can use it to proxy both http and https requests, does that mean it supports TLS/SSL? To be honest, I'm not familiar with the principles of http/https proxies at all; for solving this prob

Re: [squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

2015-11-08 Thread Amos Jeffries
On 9/11/2015 2:40 a.m., maple wrote: > hi Amos, > > first of all, thanks very much for your specified answer. and about your > questions: > 1) are you the sysadmin for that network? > there are actually three networks involved: internal net(I'm fully in charge > of this) <--->lab network(jump ser

Re: [squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

2015-11-08 Thread maple
hi Amos, first of all, thanks very much for your specified answer. and about your questions: 1) are you the sysadmin for that network? there are actually three networks involved: internal net(I'm fully in charge of this) <--->lab network(jump server located, I'm using it to set up ssh tunnel from

Re: [squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

2015-11-05 Thread Amos Jeffries
On 6/11/2015 12:30 a.m., maple wrote: > Hi Amos, > > So, if I understand it right, it's impossible to do ssl-bump even I use the > proxychains to chain the squid with my parent proxy without using > cache_peer(because I'm confirmed that ssl-bump+cache_peer must not work in > squid), am I right? >

Re: [squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

2015-11-05 Thread maple
Hi Amos, So, if I understand it right, it's impossible to do ssl-bump even if I use proxychains to chain squid with my parent proxy without using cache_peer (because I've confirmed that ssl-bump+cache_peer must not work in squid), am I right? I just wonder how admin900710 makes things work by u

Re: [squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

2015-11-05 Thread Amos Jeffries
On 5/11/2015 7:44 p.m., maple wrote: > hi Amos, > > what did you exactly refer to for "These particular use-case issue"? SSL-bump for port 443 intercepted directly by the proxy doing the bumping. https_port X intercept ssl-bump ... If there is an upstream proxy relaying to this one (eg proxych

Re: [squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

2015-11-04 Thread maple
hi Amos, what exactly did you refer to with "These particular use-case issue"? Does it mean that in 3.5+, cache_peer can be used together with ssl_bump smoothly? Or does it resolve the integration problem between squid and proxychains? Anyway, I have already upgraded my squid to 3.5.9, but neither for cache_pe

Re: [squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

2015-11-04 Thread Amos Jeffries
On 5/11/2015 3:47 p.m., maple wrote: > sorry, I post my question again since last time I was not a subscriber yet. > > > > Hi, > > after a lot of google, I finally got this post, I met the exactly same > problem as you, and can't use squid to han

Re: [squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

2015-11-04 Thread maple
sorry, I'm posting my question again since last time I was not a subscriber yet. Hi, after a lot of googling, I finally found this post; I hit exactly the same problem as you, and can't use squid to handle https traffic behind a parent proxy. I also tried w

Re: [squid-users] ssl_bump updates coming in 3.5.8

2015-08-23 Thread Alex Rousskov
On 08/21/2015 01:28 AM, Amos Jeffries wrote: > Christos has managed (we think) to resolve a fairly major design issue > that has been plaguing the 3.5 series peek-and-splice feature so far. > () Clarification: No major design issue has been

Re: [squid-users] ssl_bump updates coming in 3.5.8

2015-08-21 Thread Amos Jeffries
On 21/08/2015 11:04 p.m., Marcus Kool wrote: > I do not want to spoil things, but did you already read my latest > addition to bug 4303 ? > > Marcus > Haven't had a chance to read the logs yet, but got the main text. Thank you. The main emphasis of the patch was getting the action ignore/skip a

Re: [squid-users] ssl_bump updates coming in 3.5.8

2015-08-21 Thread James Lay
On Fri, 2015-08-21 at 05:26 -0600, James Lay wrote: > On Fri, 2015-08-21 at 19:28 +1200, Amos Jeffries wrote: > > > Hi all, > > > > Christos has managed (we think) to resolve a fairly major design issue > > that has been plaguing the 3.5 series peek-and-splice feature so far. > > (

Re: [squid-users] ssl_bump updates coming in 3.5.8

2015-08-21 Thread James Lay
On Fri, 2015-08-21 at 19:28 +1200, Amos Jeffries wrote: > Hi all, > > Christos has managed (we think) to resolve a fairly major design issue > that has been plaguing the 3.5 series peek-and-splice feature so far. > () > > The problem was t

Re: [squid-users] ssl_bump updates coming in 3.5.8

2015-08-21 Thread Marcus Kool
I do not want to spoil things, but did you already read my latest addition to bug 4303 ? Marcus On 08/21/2015 04:28 AM, Amos Jeffries wrote: Hi all, Christos has managed (we think) to resolve a fairly major design issue that has been plaguing the 3.5 series peek-and-splice feature so far.

[squid-users] ssl_bump updates coming in 3.5.8

2015-08-21 Thread Amos Jeffries
Hi all, Christos has managed (we think) to resolve a fairly major design issue that has been plaguing the 3.5 series peek-and-splice feature so far. () The problem was that Squid was not actually following the intended and documented logic

Re: [squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

2015-07-06 Thread adam900710
OK, it seems that CONNECT+SSL/TLS is really not supported yet... So I use proxychains and allow_direct without cache_peer. And things work: -- * ALPN, server did not agree to a protocol * Server certificate: * subject: CN=www.google.com * start date: 2015-07-06 07:17:41 GMT * e

Re: [squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

2015-07-06 Thread adam900710
Some extra clue: Cache log says: -- 2015/07/07 08:55:54 kid1| Accepting SSL bumped HTTP Socket connections at local=[::]:3128 remote=[::] FD 23 flags=9 2015/07/07 08:55:55 kid1| storeLateRelease: released 0 objects 2015/07/07 08:55:57 kid1| assertion failed: PeerConnector.cc:116: "peer->use_ss

Re: [squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

2015-07-06 Thread adam900710
Tried your config in my environment. Although curl can get to the sites through privoxy, just like the log says: -- 1436230195.213 432 ::1 TCP_TUNNEL/200 4146 CONNECT www.google.com:443 - FIRSTUP_PARENT/127.0.0.1 - -- But the certificate got is still the original one, not the fake one:

Re: [squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

2015-07-06 Thread Yuri Voinov
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 I use version 3.4. Yes, these are old directives. 3.5.x, in my opinion, doesn't do SSL Bump in a NAT transparent interception environment. On 06.07.15 20:21, adam900710 wrote: > 2015-07-06 22:05 GMT+08:00 Yuri Voinov : >> > My own solution in conjunction

Re: [squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

2015-07-06 Thread adam900710
2015-07-06 22:05 GMT+08:00 Yuri Voinov : > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > My own solution in conjunction with Tor + Privoxy looks like this (Note: > for Squid 3.4.13): > > # Tor acl > acl tor_url url_regex -i "/usr/local/squid/etc/url.tor" > > # SSL bump rules > sslproxy_ce

Re: [squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

2015-07-06 Thread adam900710
Great, thanks, I'll try it later. Thanks On 6 July 2015 at 22:06, "Yuri Voinov" wrote: > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > My own solution in conjunction with Tor + Privoxy looks like this (Note: > for Squid 3.4.13): > > # Tor acl > acl tor_url url_regex -i "/usr/local/squid/etc/url.tor"

Re: [squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

2015-07-06 Thread Yuri Voinov
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 My own solution in conjunction with Tor + Privoxy looks like this (Note: for Squid 3.4.13): # Tor acl acl tor_url url_regex -i "/usr/local/squid/etc/url.tor" # SSL bump rules sslproxy_cert_error allow all ssl_bump none localhost ssl_bump none url

Re: [squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

2015-07-06 Thread Yuri Voinov
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 And finally: HTTPS is used for malware transmission - and we can't scan it!, for porn viewing, for illegal P2P traffic and others. And we are the paladins in white robes. On 06.07.15 19:34, adam900710 wrote: > 2015-07-06 20:06 GMT+08:00 Amos Jeffr

Re: [squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

2015-07-06 Thread Yuri Voinov
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 And also: As long as you stay in the white robes, the whole world supports the illusion of security HTTPS. The world has changed in the eyes of the past three years. And by the way, your branch 3.4 has long been used in commercial solutions. Doing

Re: [squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

2015-07-06 Thread adam900710
2015-07-06 20:06 GMT+08:00 Amos Jeffries : > On 6/07/2015 9:30 p.m., adam900710 wrote: >> >> Here is some of my experiments: >> 1) Remove "never_direct" >> Then ssl_bump works as expected, but all traffic doesn't goes through >> the SOCKS5 proxy. So a lot of sites I can't access. >> >> 2) Use local

Re: [squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

2015-07-06 Thread Yuri Voinov
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 06.07.15 18:06, Amos Jeffries wrote: > On 6/07/2015 9:30 p.m., adam900710 wrote: >> >> Here is some of my experiments: >> 1) Remove "never_direct" >> Then ssl_bump works as expected, but all traffic doesn't goes through >> the SOCKS5 proxy. So a

Re: [squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

2015-07-06 Thread Yuri Voinov
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 06.07.15 18:06, Amos Jeffries wrote: > On 6/07/2015 9:30 p.m., adam900710 wrote: >> >> Here is some of my experiments: >> 1) Remove "never_direct" >> Then ssl_bump works as expected, but all traffic doesn't goes through >> the SOCKS5 proxy. So a

Re: [squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

2015-07-06 Thread Amos Jeffries
On 6/07/2015 9:30 p.m., adam900710 wrote: > > Here is some of my experiments: > 1) Remove "never_direct" > Then ssl_bump works as expected, but all traffic doesn't goes through > the SOCKS5 proxy. So a lot of sites I can't access. > > 2) Use local 8118 proxy > That works fine without any problem,

Re: [squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

2015-07-06 Thread adam900710
Forgot some extra information: squid build info: --- Squid Cache: Version 3.5.5 Service Name: squid configure options: '--prefix=/usr' '--sbindir=/usr/bin' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--localstatedir=/var' '--with-logdir=/var/log/squid' '--w

[squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

2015-07-06 Thread adam900710
Hi all, I tried to build an ssl bumping proxy with an upstream proxy, but the client failed to connect like the following. The error: --- $ curl https://www.google.co.jp - -k * Rebuilt URL to: https://www.google.co.jp/ * Trying ::1... * Connected to localhost (::1) port 3128 (#0) * Establish HTTP pro

Re: [squid-users] ssl_bump and SNI

2015-06-04 Thread Amos Jeffries
On 4/06/2015 6:29 p.m., sp_ wrote: > Hello Amos, > > thank you for your reply. > > Let's take for instance this line: > > 192.168.78.31 - - [04/Jun/2015:09:41:22 +0300] "CONNECT 173.194.122.233:443 > HTTP/1.1" 200 0 "-" "-" TCP_DENIED:HIER_NONE > > > I have dumped the traffic passing through

Re: [squid-users] ssl_bump and SNI

2015-06-03 Thread sp_
Hello Amos, thank you for your reply. Let's take for instance this line: I have dumped the traffic passing through the interface on the router during this request. In the client hello, in the Extension "server_name", I can see the domain: According to the RFC, the domain is a must in the Client Hello, when SNI is

Re: [squid-users] ssl_bump and SNI

2015-06-03 Thread Amos Jeffries
On 4/06/2015 2:27 a.m., sp_ wrote: > Hello Nathan, > > thank you for an example. > > What version of squid are you running? > Mine is: > > > I've tried to apply the config you've posted, but with no luck. Squid can't > get the domain: > > Well, it's not a simple situation. Let's start with cla

Re: [squid-users] ssl_bump and SNI

2015-06-03 Thread sp_
Hello Nathan, thank you for an example. What version of squid are you running? Mine is: I've tried to apply the config you've posted, but with no luck. Squid can't get the domain: -- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/ssl-bump-and-SNI-tp4670207

Re: [squid-users] ssl_bump and SNI

2015-06-01 Thread James Lay
On Mon, 2015-06-01 at 12:12 +1000, Nathan Hoad wrote: > Hello, > > Here are some excerpts of what I've used, and an example Python helper: > > https_port 60099 intercept ssl-bump tcpkeepalive > cert=/path/to/cert.pem key=/path/to/key.pem options=NO_SSLv2,NO_SSLv3 > generate-host-certificates=on

Re: [squid-users] ssl_bump and SNI

2015-05-31 Thread Nathan Hoad
Hello, Here are some excerpts of what I've used, and an example Python helper: https_port 60099 intercept ssl-bump tcpkeepalive cert=/path/to/cert.pem key=/path/to/key.pem options=NO_SSLv2,NO_SSLv3 generate-host-certificates=on external_acl_type sni ttl=30 concurrency=X children-max=Y children-s

Re: [squid-users] ssl_bump and SNI

2015-05-29 Thread James Lay
On 2015-05-29 08:57 AM, Nathan Hoad wrote: Yes, I have it working on about a dozen deployments so far, using an external ACL to make bumping decisions based on the SNI server name and a few other things. No complaints from me, it Just Works. On 29/05/2015 5:50 pm, "sp_" wrote: Hello, does any

Re: [squid-users] ssl_bump and SNI

2015-05-29 Thread Nathan Hoad
Yes, I have it working on about a dozen deployments so far, using an external ACL to make bumping decisions based on the SNI server name and a few other things. No complaints from me, it Just Works. On 29/05/2015 5:50 pm, "sp_" wrote: > Hello, > > does anyone have the working squid 3.5 with inter

Re: [squid-users] ssl_bump and SNI

2015-05-29 Thread sp_
Hello, does anyone have a working squid 3.5 with intercept + https? I've googled a lot, but it seems there is no positive experience with it.

Re: [squid-users] ssl_bump and SNI

2015-05-20 Thread sp_
Hi Vadim, I've tried using these options - did not help. I've even tried to add %rd to logs, but still, IPs are shown: Vadim Rogoziansky wrote > Hi, > > check something like this > > acl step1 at_step SslBump1 > ssl_bump stare step1 all > > acl sslBumpDeniedDstDomain ssl::server_name google

Re: [squid-users] ssl_bump and SNI

2015-05-20 Thread Vadim Rogoziansky
Hi, check something like this acl step1 at_step SslBump1 ssl_bump stare step1 all acl sslBumpDeniedDstDomain ssl::server_name google.com ssl_bump splice sslBumpDeniedDstDomain ssl_bump bump all On 5/20/2015 2:33 PM, sp_ wrote: I have tried to remove all the restrictions, but still: -SP

Re: [squid-users] ssl_bump and SNI

2015-05-20 Thread sp_
I have tried to remove all the restrictions, but still: -SP

Re: [squid-users] ssl_bump and SNI

2015-05-20 Thread Amos Jeffries
On 20/05/2015 8:22 p.m., sp_ wrote: > Hello Amos, > > I still get IP-addresses instead of domain names: > That appears to be because the requests are just denied. Not peeked or spliced. When a new TCP connection is intercepted Squid starts with only the IP address. Generates a fake CONNECT reque

Re: [squid-users] ssl_bump and SNI

2015-05-20 Thread sp_
Hello Amos, I still get IP-addresses instead of domain names:

Re: [squid-users] ssl_bump and SNI

2015-05-19 Thread Amos Jeffries
On 20/05/2015 1:12 a.m., sp_ wrote: > Hi, > > were there any improvements in squid 3.5 recently? > I've tried peek-n-splice again in 3.5.4, but again transparent proxy for > hosts using SNI is not working properly. > > My config for ssl-bump is the following: > > > acl step1 at_step SslBump1 >

Re: [squid-users] ssl_bump and SNI

2015-05-19 Thread sp_
Hi, were there any improvements in squid 3.5 recently? I've tried peek-n-splice again in 3.5.4, but again transparent proxy for hosts using SNI is not working properly. My config for ssl-bump is the following:

Re: [squid-users] ssl_bump peek in squid-3.5.3

2015-04-24 Thread James Lay
On Fri, 2015-04-24 at 17:14 +0930, Michael Hendrie wrote: > > > > On 23 Apr 2015, at 9:22 pm, James Lay > > wrote: > > > > Michael, > > > > Could you post your entire config here if possible? Many of us > > continue to face challenges with ssl_bump and a working config would > > be great. T
