Re: [squid-users] ssl-bump with url_regex [SOLVED]

2025-02-24 Thread Amos Jeffries
I do not think this solution is correct. The SSL_Ports ACL should already contain "443". So the traffic was **not** being blocked by this line: "deny CONNECT !SSL_Ports" AFAICS the lack of URL-path details on the CONNECT request was failing to match the urlpath_regex ACL. FYI; While mos

Re: [squid-users] ssl-bump with url_regex [SOLVED]

2025-02-24 Thread BOISIAUD Jean-Yves
Solution: It is the error message 'TCP_DENIED/200 0 CONNECT' which showed me the way. Directive is too restrictive: http_access deny CONNECT !SSL_ports It works now with: http_access allow CONNECT safe_ports where safe ports are: 80, 443, 1025-65535 (maybe too large)

Re: [squid-users] ssl-bump works, but leads to many client errors being logged (NONE_NONE/200)

2024-12-16 Thread Amon Ott
On 14.12.24 at 17:26, R wrote: My current goal is to set up a caching instance for https static content with squid 6.12. ssl-bump is set up according to https://wiki.squid-cache.org/Features/SslBump and it works fine, at least from the clients' perspectives and without any noticeable issues

Re: [squid-users] ssl-bump works, but leads to many client errors being logged (NONE_NONE/200)

2024-12-15 Thread slagauterie
Hello Rod, Not an expert, but from my understanding it seems that your NONE_NONE/200 are all related to a CONNECT. That means it is a SSL Tunnel, which is the initial log of a HTTPS connection when doing ssl_bumping. It is normally followed by another "regular" log, where you can get more informat

Re: [squid-users] SSL Virtual Hosting Problem

2023-12-04 Thread Mario Theodoridis
On 01/12/23 21:34, Amos Jeffries wrote: On 1/12/23 04:55, Mario Theodoridis wrote: I do have one more problem at this point. Using openssl I can work with what I have below, but I cannot add a 2nd certificate https_port 0.0.0.0:443 accel defaultsite=regify.com \ tls-cert=/etc/ssl/certs/

Re: [squid-users] SSL Virtual Hosting Problem

2023-12-01 Thread Amos Jeffries
On 1/12/23 04:55, Mario Theodoridis wrote: I do have one more problem at this point. Using openssl I can work with what I have below, but I cannot add a 2nd certificate https_port 0.0.0.0:443 accel defaultsite=regify.com \ tls-cert=/etc/ssl/certs/regify.com.pem \ tls-cert=/etc/ssl/c

Re: [squid-users] SSL Virtual Hosting Problem

2023-11-30 Thread Mario Theodoridis
I do have one more problem at this point. Using openssl I can work with what I have below, but I cannot add a 2nd certificate https_port 0.0.0.0:443 accel defaultsite=regify.com \ tls-cert=/etc/ssl/certs/regify.com.pem \ tls-cert=/etc/ssl/certs/foo.com.pem gives me ERROR: OpenSSL doe

Re: [squid-users] SSL Virtual Hosting Problem

2023-11-28 Thread Mario Theodoridis
Thank you Amos and Alex, this is a config I managed to get working for http and https acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 443 # https # listeners https_port 0.0.0.0:443 accel defaultsite=regify.com \ tls-cert=/etc/ssl/certs/regify.com.p

Re: [squid-users] SSL Virtual Hosting Problem

2023-11-28 Thread Alex Rousskov
On 2023-11-28 05:29, Mario Theodoridis wrote: Hello everyone, I'm trying to use squid as a TLS virtual hosting proxy on a system with a public IP in front of several internal systems running TLS web servers. I would like to proxy the incoming connections to the appropriate backend servers ba

Re: [squid-users] SSL Virtual Hosting Problem

2023-11-28 Thread Amos Jeffries
On 28/11/23 23:29, Mario Theodoridis wrote: Hello everyone, I'm trying to use squid as a TLS virtual hosting proxy on a system with a public IP in front of several internal systems running TLS web servers. I would like to proxy the incoming connections to the appropriate backend servers base

Re: [squid-users] ssl-bump peek and select pinned destination failed

2023-09-20 Thread Alex Rousskov
On 2023-09-20 04:17, linfengfeiye wrote: Hi, what does "PeerSelector186 found pinned, destination" that appears in the Squid log mean? Please note that Squid debugging logs (cache.log at level 3 and above) are for developer use. This mailing list is not. In triage, I recommend focusing on acc

Re: [squid-users] ssl-bump strange behaviour with incomplete config

2023-09-13 Thread Alex Rousskov
On 2023-09-13 12:47, sq...@iotti.biz wrote: I'm only peeking as long as possible, and then splice at step3. I got the regular Squid access denied screen (and this is right, since the CONNECT is not allowed) but in access.log I find: 2023-09-13T17:12:52.855+0200 12 192.168.1.179 TCP_DENIED/

Re: [squid-users] ssl-bump connect issues

2022-05-24 Thread Jernej Porenta
Hey, thank you for your response. >> The logs show that clients did issue a CONNECT, however the connections are >> stuck (and eventually timeout) and netstat is showing exactly 10 connections >> in SYN_SENT state towards npm registry. I am kinda puzzled, where this >> number comes from. > >

Re: [squid-users] ssl-bump connect issues

2022-05-23 Thread Amos Jeffries
On 23/05/22 17:41, Jernej Porenta wrote: The logs show that clients did issue a CONNECT, however the connections are stuck (and eventually timeout) and netstat is showing exactly 10 connections in SYN_SENT state towards npm registry. I am kinda puzzled, where this number comes from. This

Re: [squid-users] SSL Terminating Reverse Proxy with Referral Tracking

2021-09-15 Thread Amos Jeffries
On 15/09/21 1:21 pm, Grant Taylor wrote: On 9/14/21 6:09 PM, Amos Jeffries wrote: b) If those upstream servers are embedding URLs for clients to directly contact the XaaS services. Then your desire is not possible without redesigning the upstream service(s) such that they stop exposing their u

Re: [squid-users] SSL Terminating Reverse Proxy with Referral Tracking

2021-09-14 Thread Grant Taylor
On 9/14/21 6:09 PM, Amos Jeffries wrote: b) If those upstream servers are embedding URLs for clients to directly contact the XaaS services. Then your desire is not possible without redesigning the upstream service(s) such that they stop exposing their use of the XaaS. Which often also means red

Re: [squid-users] SSL Terminating Reverse Proxy with Referral Tracking

2021-09-14 Thread Grant Taylor
On 9/14/21 7:12 PM, Grant Taylor wrote: I have concerns about "SSL terminating".  It sounds to me like you are decidedly outside of the typical enterprise or home network scenario where you are wanting to terminate / intercept / bump-in-the-wire TLS connections.  As such, I have *SERIOUS* /conc

Re: [squid-users] SSL Terminating Reverse Proxy with Referral Tracking

2021-09-14 Thread Grant Taylor
On 9/12/21 10:16 PM, Mehrdad Fatemi wrote: Hi Everyone, Hi, TL;DR: Proxy Auto Configuration I'm looking for an elegant technology option to have telcos zero-rate all of the traffic to a set of online destinations. I assume that "zero rating" means that specific destinations, e.g. the pro

Re: [squid-users] SSL Terminating Reverse Proxy with Referral Tracking

2021-09-14 Thread Amos Jeffries
On 13/09/21 4:16 pm, Mehrdad Fatemi wrote: Hi Everyone, I'm looking for an elegant technology option to have telcos zero-rate all of the traffic to a set of online destinations. Can you clarify what you mean exactly by "zero rate" ? What does it have to do with actions the proxy is performing

Re: [squid-users] SSL handshake

2021-08-10 Thread senor
@lists.squid-cache.org Subject: Re: [squid-users] SSL handshake On 8/8/21 1:48 AM, senor wrote: > Can you point to a patch under test or other changes that we can use > to alleviate this pain? I will probably regret sharing this unfinished work, but our current changes can be found at [1]. A F

Re: [squid-users] SSL handshake

2021-08-10 Thread Alex Rousskov
ix for the official review ASAP. My current ballpark ETA for that is ~6 weeks. HTH, Alex. > From: squid-users on behalf of > Alex Rousskov > Sent: Tuesday, August 3, 2021 1:04 PM > To: squid-users@lists.squid-cache.org > Subject: Re: [squid-users] SSL handshake > >

Re: [squid-users] SSL handshake

2021-08-07 Thread senor
1:04 PM To: squid-users@lists.squid-cache.org Subject: Re: [squid-users] SSL handshake FWIW, Factory can reproduce this (popular origin server) problem with and without Squid. We are adding a Squid enhancement that will work around the problem (and improve TLS support in general). Alex. > c

Re: [squid-users] SSL handshake

2021-08-03 Thread Alex Rousskov
FWIW, Factory can reproduce this (popular origin server) problem with and without Squid. We are adding a Squid enhancement that will work around the problem (and improve TLS support in general). Alex. > curl: (35) error:1423506E:SSL routines:ssl_next_proto_validate:bad extension

Re: [squid-users] SSL handshake

2021-07-28 Thread Vieri
Hi, I don't know if my situation is like Nishant's, but today my issues have gone away without intervention on my behalf. I'm guessing the cause was on the remote server's side or some in-between SSL inspection... Thanks, Vieri

Re: [squid-users] SSL handshake

2021-07-27 Thread Nishant Sharma
On 27/07/21 9:15 pm, Vieri wrote: > > I have not changed anything in the OS so it might be because of change in the > remote web service. > It might be that my openssl version is already too old (1.1.1g), and that the > web site forces the use of an unsupported cypher? I have also observed it o

Re: [squid-users] SSL handshake

2021-07-27 Thread Alex Rousskov
On 7/27/21 11:45 AM, Vieri wrote: > Just recently I've noticed that LAN clients going through Squid with sslbump > are all of a sudden unable to access certain HTTPS sites such as > login.yahoo.com. > The squid log has lines like: > > kid1| 4,3| Error.cc(22) update: recent: > ERR_SECURE_CONNEC

Re: [squid-users] SSL BUMP

2021-05-12 Thread squid3
On 2021-05-10 22:26, Stephane Simon wrote: Hello, I try to configure https with ssl bump. I use redhat 8. I follow https://blog.microlinux.fr/squid-https-centos-7/ when I restart squid, it doesn't cooperate and says: "FATAL: The usr/lib64/squid/security_file_certgen -s /var/lib/squid/ssl_db -M

Re: [squid-users] SSL Squid 5 Cipher suite ordering issue

2021-02-04 Thread Alex Rousskov
On 2/4/21 10:32 AM, Prem Chand wrote: > I'm running SSL squid 5 on Centos 8 and I could see Cipher Suites order > changes when I access the below website through Squid and without using > squid I'm getting correct order. > > https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html > > I wan

Re: [squid-users] SSL-BUMP 5.0.4 not working as expected

2021-01-03 Thread Alex Rousskov
On 1/2/21 3:08 PM, ngtech1...@gmail.com wrote: > I am trying to configure 5.0.4 with sslbump to bump only a set of domains. > * Should I bump all connections with exceptions? > * Should I bump none else than the exceptions? > * Based on server_name regex and/or server_name domains Policy-wis

Re: [squid-users] SSL-BUMP 5.0.4 not working as expected

2021-01-03 Thread ngtech1ltd
Comments below -Original Message- From: squid-users On Behalf Of Amos Jeffries Sent: Sunday, January 3, 2021 9:12 AM To: squid-users@lists.squid-cache.org Subject: Re: [squid-users] SSL-BUMP 5.0.4 not working as expected On 3/01/21 9:08 am, ngtech1ltd wrote: > I am trying to config

Re: [squid-users] SSL-BUMP 5.0.4 not working as expected

2021-01-02 Thread Amos Jeffries
On 3/01/21 9:08 am, ngtech1ltd wrote: I am trying to configure 5.0.4 with sslbump to bump only a set of domains. I am unsure about the right way it should be done. The basic constraints are POLICY vs a set of rules. * Should I bump all connections with exceptions? * Should I bump none else t

Re: [squid-users] SSL issue on Squid version 4 after blacklisting

2020-10-27 Thread Eliezer Croitor
https://bugs.squid-cache.org/createaccount.cgi Eliezer Croitoru Tech Support Mobile: +972-5-28704261 Email: ngtech1...@gmail.com From: DIXIT Ankit Sent: Tuesday, October 20, 2020 8:02 PM To: Eliezer Croitor Cc: 'Squid Users' Subject: RE: SSL issue

Re: [squid-users] SSL issue on Squid version 4 after blacklisting

2020-10-19 Thread Alex Rousskov
On 10/19/20 1:16 PM, Eliezer Croitor wrote: > To get a response you would need to respond in the Bugzilla. > Maybe Alex might be able to answer some of your questions about the subject. FWIW, the October 19 email from Ankit Dixit (quoted below) did not reach me. It probably did not reach others o

Re: [squid-users] SSL issue on Squid version 4 after blacklisting

2020-10-19 Thread Eliezer Croitor
Hey Dixit, To get a response you would need to respond in the Bugzilla. Maybe Alex might be able to answer some of your questions about the subject. All The Bests, Eliezer Eliezer Croitoru Tech Support Mobile: +972-5-28704261 Email: ngtech1...@gmail.com

Re: [squid-users] SSL issue on Squid version 4 after blacklisting

2020-10-12 Thread Eliezer Croitor
Hey Dixit, Have you seen the next bug report: https://bugs.squid-cache.org/show_bug.cgi?id=5067#c4 Alex/Amos: I assume that this specific issue deserves a DEBUG which will describe and relate to this BUG:5067 report. Eliezer Eliezer Croitoru Tech Support Mobile: +972-5-2870

Re: [squid-users] SSL on different ports

2020-10-07 Thread Ronan Lucio
Hi Amos, > You are referring to the SSL_ports ACL ? Yes. Got your point. Thanks for the clarification Ronan On Wed, Oct 7, 2020 at 4:55 PM Amos Jeffries wrote: > > On 7/10/20 2:16 pm, Ronan Lucio wrote: > > Hi, > > > > By default, Squid accepts SSL connection only to port 443. > > You are ref

Re: [squid-users] SSL on different ports

2020-10-06 Thread Amos Jeffries
On 7/10/20 2:16 pm, Ronan Lucio wrote: > Hi, > > By default, Squid accepts SSL connection only to port 443. You are referring to the SSL_ports ACL ? That does not mean accepting SSL connections. Only that the port is known to be used primarily for SSL. So that opening opaque CONNECT tunnels ther

Re: [squid-users] SSL issue on Squid version 4 after blacklisting

2020-09-26 Thread Eliezer Croitor
Hey, First of all you need to know who is contacting and what is the other end of the connection. It’s possible that the certificate is invalid. If you do have the remote service/server name and ip address you can try to resolve this issue by “creating” a set of certificates your service ca

Re: [squid-users] SSL Bump: I have weekly more sites to whitelist due to HTTP Error 403 on opening site content

2020-08-28 Thread Amos Jeffries
On 28/08/20 8:12 pm, i...@schroeffu.ch wrote: > > Hi Squid Community, > > the last weeks it felt that more and more websites are going to be > "incompatible" with Squid SSL bump. "feelings" aside, that is exactly the situation. SSL-Bump is literally a security attack on clients traffic. Exactly

Re: [squid-users] ssl proxy and decrypted forwarding

2020-04-17 Thread Alex Rousskov
w a similar old squid-users thread: http://lists.squid-cache.org/pipermail/squid-users/2016-September/012689.html HTH, Alex. > - Original Message - > From: "Alex Rousskov" > To: "Sam Castellano" , "squid-users" > > Sent: Friday, April 17, 2

Re: [squid-users] ssl proxy and decrypted forwarding

2020-04-17 Thread Sam Castellano
;Alex Rousskov" To: "Sam Castellano" , "squid-users" Sent: Friday, April 17, 2020 11:49:13 AM Subject: Re: [squid-users] ssl proxy and decrypted forwarding On 4/17/20 11:22 AM, Sam Castellano wrote: > My question relates to ssl bumping and potentially Icap/Ecap >

Re: [squid-users] ssl proxy and decrypted forwarding

2020-04-17 Thread Alex Rousskov
On 4/17/20 11:22 AM, Sam Castellano wrote: > My question relates to ssl bumping and potentially Icap/Ecap > functionality. I currently have ssl bump/ interception working and > communicating with a local ICAP server. Im trying to understand the > process of how the decrypted data gets sent to the

Re: [squid-users] ssl bump and url_rewrite_program (like squidguard)

2020-03-10 Thread Edouard Gaulué
Hi, Sorry for the noise. In fact, it works. It's just squid couldn't connect to the local cgi page (while it could for squidclamav), and then did its best that was rather strange. I confirm "url_rewrite_access deny CONNECT" works like a charm to avoid redirection during connection establishm

Re: [squid-users] ssl bump and url_rewrite_program (like squidguard)

2020-03-10 Thread Edouard Gaulué
Hi all, I know it's an old subject but I come back on it as I moved my old proxy server to Debian Buster. I now have a 4.10 version from git. Here are my last tests regarding this subject :  * Using c-icap for virus detection works well. I mean if I download a virus from an HTTPS server like

Re: [squid-users] ssl::server_name_regex with multiple domains

2020-01-14 Thread robert k Wild
done #allow SSL cert acl DiscoverSNIHost at_step SslBump1 acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/squid/etc/pubkey.txt" ssl_bump splice NoSSLIntercept ssl_bump peek DiscoverSNIHost ssl_bump bump all in my pubkey.txt .microsoft.com .adobe.com On Wed, 15 Jan 2020 at 00:12, robert

Re: [squid-users] ssl negotiation error

2019-12-02 Thread Amos Jeffries
On 3/12/19 12:19 am, robert k Wild wrote: > hi all, > > managed to get squid to work at last and I can browse all websites when > my browser is going through the proxy but when I run squid I see a bunch > of errors and I haven't got a clue what it's about - > You will need a packet trace on the Squi

Re: [squid-users] ssl bump intermediate certificate

2019-11-03 Thread Amos Jeffries
All of the "CA" entries in that purposes list say "No". So this is not a CA certificate, it is an origin server certificate. It can only be used to receive explicit TLS proxy or HTTPS origin server traffic. Amos

Re: [squid-users] ssl bump intermediate certificate

2019-11-03 Thread Marek Greško
Hello, I already tried adding root ca to the pem file in the cert= option. But it had no effect. The squid -k parse seems a good point. I got: Ignoring non-issuer CA from /etc/squid/bump-CA/bump-ca.crt If I add the root ca, that one is reported to be added, but still ignoring the bump ca. Why is

Re: [squid-users] ssl bump intermediate certificate

2019-10-31 Thread Amos Jeffries
On 31/10/19 9:49 am, Marek Greško wrote: > Hello, > > Matus, I also found the document. It should be sending the chain, but > is not. When I specify cafile option it responds I should use > tls-cafile. But in either case it is not sending. > > Walter, if squid has such requirement, then it is unfi

Re: [squid-users] ssl bump intermediate certificate

2019-10-30 Thread Marek Greško
Hello, Matus, I also found the document. It should be sending the chain, but is not. When I specify cafile option it responds I should use tls-cafile. But in either case it is not sending. Walter, if squid has such requirement, then it is unfinished. Every other proxy is able to run its CA as an i

Re: [squid-users] ssl bump intermediate certificate

2019-10-30 Thread Matus UHLAR - fantomas
On 30.10.2019 05:59, Marek Greško wrote: I am trying to configure ssl bumping on squid 4.8 but my browser is not able to validate the certificate due to intermediate certificate missing. How could I convince squid to send it? On 30.10.19 10:11, Walter H. wrote: the ssl-bump certificate is either

Re: [squid-users] ssl bump intermediate certificate

2019-10-30 Thread Walter H.
On 30.10.2019 05:59, Marek Greško wrote: Hello, I am trying to configure ssl bumping on squid 4.8 but my browser is not able to validate the certificate due to intermediate certificate missing. How could I convince squid to send it? Thanks Marek the ssl-bump certificate is either a root certifi

Re: [squid-users] SSL negotiation errors on https_port

2019-10-17 Thread Alex Rousskov
On 10/17/19 4:52 PM, Robert wrote: > I see many lines like these in the cache.log file: > 2019/10/17 22:38:33.552 kid1| Error negotiating SSL connection on FD 44: > error:0001:lib(0):func(0):reason(1) (1/-1) OpenSSL refused to accept a TLS client connection with a generic SSL_ERROR_SSL:

Re: [squid-users] SSL termination problem - squid's requests using https

2019-09-18 Thread Sam Holden
On Wed, Sep 18, 2019 at 7:11 AM Amos Jeffries wrote: > > > All these *_port things are a red herring. The initial problem was > connections to the origin server using HTTPS. > > Connections to originserver peer do not send URL scheme, and use the > settings on the cache_peer directive as the proto

Re: [squid-users] SSL termination problem - squid's requests using https

2019-09-18 Thread Amos Jeffries
On 18/09/19 10:22 am, Alex Rousskov wrote: > On 9/17/19 5:02 PM, Sam Holden wrote: > >> When I have protocol=http it reports: >> 2019/09/17 20:08:55| Accepting reverse-proxy HTTP Socket connections > >> When I don't set the protocol it reports: >> 2019/09/17 20:17:38| Accepting reverse-proxy HTTP

Re: [squid-users] SSL termination problem - squid's requests using https

2019-09-17 Thread Alex Rousskov
On 9/17/19 5:02 PM, Sam Holden wrote: > When I have protocol=http it reports: > 2019/09/17 20:08:55| Accepting reverse-proxy HTTP Socket connections > When I don't set the protocol it reports: > 2019/09/17 20:17:38| Accepting reverse-proxy HTTPS Socket connections > So it seems to be following t

Re: [squid-users] SSL termination problem - squid's requests using https

2019-09-17 Thread Sam Holden
On Tue, Sep 17, 2019 at 4:07 PM Alex Rousskov wrote: > > On 9/17/19 2:07 PM, Sam Holden wrote: > > > https_port 4277 accel ... protocol=http > > > sees port 4227 act as an http port (no ssl) > > Assuming you meant "4277" when you said "4227" (or vice versa), your > statement sounds like an indicat

Re: [squid-users] SSL termination problem - squid's requests using https

2019-09-17 Thread Alex Rousskov
On 9/17/19 2:07 PM, Sam Holden wrote: > https_port 4277 accel ... protocol=http > sees port 4227 act as an http port (no ssl) Assuming you meant "4277" when you said "4227" (or vice versa), your statement sounds like an indication of a Squid bug to me: The "protocol" option is documented to affe

Re: [squid-users] SSL Bump with HTTP Cache Peer Parent

2019-07-15 Thread mikio . kishi
Alex, >The feature has already been rejected from the official v4 inclusion >because the underlying changes are too big/risky for that branch. I see. I understood that the v4 won't be able to support it. Anyway, when will you release v5 officially? Regards, -- Mikio Kishi On Mon, Jul 15, 2019

Re: [squid-users] SSL Bump with HTTP Cache Peer Parent

2019-07-14 Thread Alex Rousskov
On 7/14/19 10:51 AM, mikio.ki...@gmail.com wrote: >>In addition to what Amos has said, you may be interested in the v4 patch >>described at https://bugs.squid-cache.org/show_bug.cgi?id=4968#c1 > Do you have a plan to support the above officially? The feature has already been rejected from the officia

Re: [squid-users] SSL Bump with HTTP Cache Peer Parent

2019-07-14 Thread mikio . kishi
Alex, Thank you for your reply. >In addition to what Amos has said, you may be interested in the v4 patch >described at https://bugs.squid-cache.org/show_bug.cgi?id=4968#c1 Do you have a plan to support the above officially? Regards, -- Mikio Kishi On Sun, Jul 14, 2019 at 9:58 PM Alex Rousskov < ro

Re: [squid-users] SSL Bump with HTTP Cache Peer Parent

2019-07-14 Thread Alex Rousskov
On 7/14/19 3:35 AM, Amos Jeffries wrote: > On 14/07/19 5:33 pm, mikio.kishi wrote: >> Hi all, >> >> https://www.spinics.net/lists/squid/msg90523.html >> >> As mentioned in the above URL, I would like to use "SSL Bump with HTTP >> Cache Peer Parent" as well. >> However, it still seems not to be supported

Re: [squid-users] SSL Bump with HTTP Cache Peer Parent

2019-07-14 Thread Amos Jeffries
On 14/07/19 5:33 pm, mikio.kishi wrote: > Hi all, > > https://www.spinics.net/lists/squid/msg90523.html > > As mentioned in the above URL, I would like to use "SSL Bump with HTTP > Cache Peer Parent" as well. > However, it still seems not to be supported like the following. > ... > > Do you have any

Re: [squid-users] SSL Accel Connection Reset

2019-03-04 Thread chia123
Hi Robert, How did you resolve this issue? From what I read curl doesn't support https proxy till version 7.52.0 I'm running into a similar problem where my machine is sending plaintext CONNECT to the https proxy instead of starting a TLS handshake. I'm using python urllib2 but I also used curl pre 7.

Re: [squid-users] ssl bump

2019-02-27 Thread Amos Jeffries
On 28/02/19 2:31 am, leomessi983 wrote: > Hi all > Can I use this conf only for blocking purpose?! You could. I suggest you keep the default security Safe_ports and SSL_ports ACL and http_access rules though. They exist to protect your proxy against malicious attacks and DoS situations. Your cus

Re: [squid-users] ssl-bump does not redirect to block page

2019-02-13 Thread Alex Rousskov
On 2/12/19 11:22 PM, leomessi...@yahoo.com wrote: > Actually I don't understand if it could be done or not!! And I do not know what you mean by "it" here. * Can Squid send a blocking error page to an HTTPS client? Yes. * Will the browser show that error page to the user without any additional w

Re: [squid-users] ssl-bump does not redirect to block page

2019-02-13 Thread Amos Jeffries
On 14/02/19 1:10 am, leomessi983 wrote: > I use this configuration to solve my problem. > With this configuration at first step I use bump action for sites that I > want to block and show ACCESS_DENIED page then splice all other requests!! > My problem in this config is when my clients want to see

Re: [squid-users] ssl-bump does not redirect to block page

2019-02-13 Thread leomessi...@yahoo.com
... URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20190212/8311d242/attachment-0001.html> -- Message: 2 Date: Tue, 12 Feb 2019 08:04:08 -0700 From: Alex Rousskov To: squid-users@lists.squid-cache.org Subject: Re: [squid-users] ssl-bump does

Re: [squid-users] ssl-bump does not redirect to block page

2019-02-12 Thread leomessi...@yahoo.com
>> aka the 'bump' action. > This part is misleading: Modern Squids _automatically_ bump connections > to report [access denied] errors -- no explicit bump action is required > (or even desirable). I do not know whether> * that bumping does not happen > for leo (e.g., due to Squid bugs), or > * i

Re: [squid-users] ssl-bump does not redirect to block page

2019-02-12 Thread Alex Rousskov
On 2/12/19 7:21 AM, leomessi...@yahoo.com wrote: > Do i have to use CA and Certificate configuration if i want to block > only HTTPS requests with splice action?! IIRC, you currently need a CA certificate if you want to use SslBump, regardless of the SslBump actions in use. In some ways, this is

Re: [squid-users] ssl-bump does not redirect to block page

2019-02-10 Thread Alex Rousskov
On 2/6/19 12:57 PM, Amos Jeffries wrote: > On 7/02/19 3:52 am, leo messi wrote: >> My squid config is something like this: >> acl blk ssl::server_name .google.com >> http_access deny blk >> http_access allow all >> ssl_bump peek step1 >> ssl_bump splice all >> My problem is when I block some page

Re: [squid-users] ssl-bump does not redirect to block page

2019-02-06 Thread Amos Jeffries
On 7/02/19 3:52 am, leo messi wrote: > Hi > My squid config is something like this: > acl blk ssl::server_name .google.com > http_access deny blk > http_access allow all > ... > > acl step1 at_step SslBump1 > ssl_bump peek step1 > ssl_bump splice all > > > My problem is when I block some pages

Re: [squid-users] ssl bump, CA certificate renewal, how to?

2019-01-16 Thread eliezer
-users On Behalf Of Bruno de Paula Larini Sent: Tuesday, January 15, 2019 19:33 To: squid-us...@squid-cache.org Subject: Re: [squid-users] ssl bump, CA certificate renewal, how to? On 15/01/2019 15:01, Dmitry Melekhov wrote: > > 5 years, really, not very long period of time, if I'll

Re: [squid-users] ssl bump, CA certificate renewal, how to?

2019-01-16 Thread Dmitry Melekhov
On 15.01.2019 21:33, Bruno de Paula Larini wrote: On 15/01/2019 15:01, Dmitry Melekhov wrote: 5 years, really, not very long period of time, if I'll be sure to not work here in 5 years then I'll use this ;-) , unfortunately I'm not :-( I don't need to replace certificate every year or so, bu

Re: [squid-users] ssl bump, CA certificate renewal, how to?

2019-01-15 Thread Bruno de Paula Larini
On 15/01/2019 15:01, Dmitry Melekhov wrote: 5 years, really, not very long period of time, if I'll be sure to not work here in 5 years then I'll use this ;-) , unfortunately I'm not :-( I don't need to replace certificate every year or so, but I need to have minimal service interruption f

Re: [squid-users] ssl bump, CA certificate renewal, how to?

2019-01-15 Thread FredB
Sorry wrong topic On 15/01/2019 at 18:08, FredB wrote: Now squid can get directly the intermediate CA as a browser does, it's a very interesting feature to me Maybe I'm missing something, but I can see the request from squid now (with squid 4) it's a good point, my sslbump config is very ba

Re: [squid-users] ssl bump, CA certificate renewal, how to?

2019-01-15 Thread FredB
Now squid can get directly the intermediate CA as a browser does, it's a very interesting feature to me Maybe I'm missing something, but I can see the request from squid now (with squid 4) it's a good point, my sslbump config is very basic, perhaps too basic acl step at_step SslBump1 ssl_bump

Re: [squid-users] ssl bump, CA certificate renewal, how to?

2019-01-15 Thread Dmitry Melekhov
On 15.01.2019 20:52, elie...@ngtech.co.il wrote: With squid 4.x or even 3.5 you can use an intermediate CA. So you will have the root key and certificate somewhere safe and renew the intermediate root CA every year or two. The main root CA should be created at least for a period of 5 years to

Re: [squid-users] ssl bump, CA certificate renewal, how to?

2019-01-15 Thread eliezer
With squid 4.x or even 3.5 you can use an intermediate CA. So you will have the root key and certificate somewhere safe and renew the intermediate root CA every year or two. The main root CA should be created at least for a period of 5 years to allow this dynamicity you probably need. Eliezer

Re: [squid-users] SSL / TLS

2018-12-20 Thread Alex Rousskov
On 12/20/18 3:06 AM, Squid users wrote: > Slightly off topic but am I correct in thinking TLS supersedes SSL? Yes, the protocol name has changed. Newer versions are called TLS. However, please keep in mind that the term "SSL" is commonly used to describe "secure" connections and related technolog

Re: [squid-users] SSL / TLS

2018-12-20 Thread Antony Stone
On Thursday 20 December 2018 at 11:06:58, Squid users wrote: > Slightly off topic but am I correct in thinking TLS supersedes SSL? Short answer: yes. Long answer: https://en.wikipedia.org/wiki/Transport_Layer_Security Antony. -- #define SIX 1+5 #define NINE 8+1 int main() { printf("%d\n

Re: [squid-users] SSL Bump with HTTP Cache Peer Parent

2018-12-12 Thread Sam Handley
On 13/12/18 2:12 pm, Amos Jeffries wrote: [ please keep the traffic on-list. If you want private assistance I do consult for a small fee. ] On 13/12/18 2:51 pm, Sam Handley wrote: On 13/12/18 12:00 pm, Amos Jeffries wrote: Thank you for your reply, it seems adding in an extra step could solv

Re: [squid-users] SSL Bump with HTTP Cache Peer Parent

2018-12-12 Thread Amos Jeffries
[ please keep the traffic on-list. If you want private assistance I do consult for a small fee. ] On 13/12/18 2:51 pm, Sam Handley wrote: > On 13/12/18 12:00 pm, Amos Jeffries wrote: > > Thank you for your reply, it seems adding in an extra step could solve it, > even if not ideal. > Just a few

Re: [squid-users] SSL Bump with HTTP Cache Peer Parent

2018-12-12 Thread Amos Jeffries
On 13/12/18 12:15 pm, sam.handley wrote: > I am not 100% confident what I am asking is possible but I'd love it to be > confirmed. > > Here is what our setup would look like, I’ve explained a bit below: > > DEVICE ---> PRX3 (HTTPS CACHE) ---> PRX2 ---> PRX1 ---> INTERNET > > Our current environm

Re: [squid-users] SSL reverse proxy cert error

2018-09-04 Thread Amos Jeffries
On 5/09/18 4:05 PM, Hariharan Sethuraman wrote: > Hi All, > > I have my https_port 443 in reverse proxy. When client sends a GET > request, the rewrite correctly rewrites the URL and that rewritten GET > request fails with below error. > 2018/09/05 03:03:38| Error negotiating SSL on FD 15: error:1

Re: [squid-users] SSL errors with Squid 3.5.27 [SOLVED]

2018-07-02 Thread Julian Perconti
Hi all, Problem solved. With squid 4 openssl 1.1 I realized that WhatsApp uses the following ports: 5223, 5228, 4244, 5242, and 5222 in addition to 443, 80. So I opened those ports on the firewall and everything worked. Also I changed the cipher suite in squid.conf like this: (for the dropbox

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-28 Thread Julian Perconti
Hi all: Finally I migrated everything to debian 9 with openssl 1.1 and squid 4 (june 22/18) release (the last one). Everything seems to go very well. However, the dropbox client logs this error in cache.log: kid1| ERROR: negotiating TLS on FD 35: error:141710F8:SSL routines:tls_process_server_

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-18 Thread Julian Perconti
Googling I found these cfg lines: acl SSLERR ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN sslproxy_cert_error allow SSLERR sslproxy_cert_error deny all The error " certificate verify failed has disappeared, I refer to this error: routines:CONNECT_CR_

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-18 Thread Matus UHLAR - fantomas
have you tried -servername option for setting SNI extension? On 18.06.18 08:31, Julian Perconti wrote: How can I do this? man s_client:\ -servername name Set the TLS SNI (Server Name Indication) extension in the ClientHello message. -- Matus UHLAR - fantomas, uh

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-18 Thread Julian Perconti
> have you tried -servername option for setting SNI extension? How can I do this? Well, debugging cache.log I found this: 2018/06/18 08:22:08.822 kid1| 83,5| support.cc(300) ssl_verify_cb: Self signed certificate in certificate chain: /CN=courier.push.apple.com/O=Apple Inc./ST=California/C=U

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-14 Thread Matus UHLAR - fantomas
On 13.06.18 18:20, Julian Perconti wrote: Does not show any cert and establishes a connection with TLS 1.2... openssl s_client -connect 31.13.94.54:443 CONNECTED(0003) write:errno=104 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 by

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-14 Thread Amos Jeffries
On 14/06/18 09:20, Julian Perconti wrote: > > # > Here an example: > # > > openssl s_client -connect 31.13.94.54:443 > CONNECTED(0003) > write:errno=104 > --- > no peer certificate available > --- > No client certificate CA names sent > --- > SSL handshake has read 0 bytes and written

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-13 Thread Amos Jeffries
On 13/06/18 07:54, Julian Perconti wrote: >> Interesting. >> >> The main issue was that you configured only params for the Diffie-Hellman (DH >> and DHE) ciphers - no >curve name. That meant your specified EEC* ciphers >> were disabled since they require a curve name as >well. >> >> Removing this o

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-13 Thread L . P . H . van Belle
ag 12 June 2018 21:55 > To: squid-users@lists.squid-cache.org > Subject: Re: [squid-users] SSL errors with Squid 3.5.27 > > >Interesting. > > > >The main issue was that you configured only params for the > Diffie-Hellman (DH and DHE) ciphers - no >curve name

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-12 Thread Julian Perconti
>Interesting. > >The main issue was that you configured only params for the Diffie-Hellman (DH >and DHE) ciphers - no >curve name. That meant your specified EEC* ciphers were >disabled since they require a curve name as >well. > >Removing this option completely disables both DH and ECDH cipher type

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-10 Thread Amos Jeffries
On 10/06/18 20:42, Walter H. wrote: > On 10.06.2018 08:49, Amos Jeffries wrote: >> >> Interesting. >> >> The main issue was that you configured only params for the Diffie-Hellman >> (DH and DHE) ciphers - no curve name. That meant your specified EEC* >> ciphers were disabled since they require a curv

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-10 Thread Walter H.
On 10.06.2018 08:49, Amos Jeffries wrote: Interesting. The main issue was that you configured only params for the Diffie-Hellman (DH and DHE) ciphers - no curve name. That meant your specified EEC* ciphers were disabled since they require a curve name as well. Removing this option completely dis

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-09 Thread Amos Jeffries
On 10/06/18 03:46, Julian Perconti wrote: >>> https_port 3130 intercept ssl-bump \ >>> cert=/etc/squid/ssl_cert/squidCA.pem \ >>> key=/etc/squid/ssl_cert/squidCA.pem \ >>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB >>> tls-dh=/etc/squid/ssl_cert/dhparam.pem >> >> These DH

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-09 Thread Julian Perconti
>> https_port 3130 intercept ssl-bump \ >> cert=/etc/squid/ssl_cert/squidCA.pem \ >> key=/etc/squid/ssl_cert/squidCA.pem \ >> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB >> tls-dh=/etc/squid/ssl_cert/dhparam.pem > >These DH parameters are for old DH not for ECDHE (missing c
