On 11/2/18 3:47 AM, Sid wrote:
> tls_outgoing_options \
> default-ca=off \
> cafile=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
> options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE \
> Only issue is Squid sends:
> http://squid-web-proxy-cache.1019090.n4.nabble.com/file/t377591/2018-1
Thank you Amos and Alex for great help & support so far.
As per suggestions I have added a lot more parameters in squid.conf for both
"http" & "tls_outgoing_options" directives:
http_port 3128 ssl-bump \
tls-cert=/usr/local/squid/etc/ssl_cert/myCA.pem \
cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LO
On 10/31/18 10:55 PM, Sid wrote:
> Actually, in my case the server is looking for a certificate to be sent by
> the client. How do I configure Squid to get
> this certificate from the client for mutual authentication?
It is technically impossible to meaningfully forward a client
certificate to the origin server
On 1/11/18 5:55 PM, Sid wrote:
> Thank you Alex.
>
>> Sounds good. Does the generated fake certificate contain the right origin
>> server name?
> Sid: Yes, it does contain correct IP Address in Server name sent by client.
>
Alex asked about *name*. IP address is not part of the considerations
b
Thank you Alex.
> Sounds good. Does the generated fake certificate contain the right origin
> server name?
Sid: Yes, it does contain correct IP Address in Server name sent by client.
> Why do you expect the client to send a client certificate to Squid? In most
> deployments, TLS servers do not reque
On 10/30/18 10:59 PM, Sid wrote:
> Sid: I took wireshark on Squid server (CentOS 7); I took 2 wiresharks
> between Client & Squid and then between Squid & Server. I can see client
> being sent fake cert generated by Squid & client responds with "Client key
> Exchange", "Change cipher spec", "Encry
Thank you Alex for the reply.
Alex: 1. Servers never send SNI. Clients usually send SNI. Squid should
forward SNI it received from the client to the server, provided the client
actually sent SNI. Did your client send SNI?
Sid: I can see in Client Hello IP Address being sent by Client; so there
On 10/30/18 2:36 AM, Sid wrote:
> http_port 3128 ssl-bump \
> cert=/usr/local/squid/etc/ssl_cert/myCA.pem \
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> ssl_bump peek step1
> ssl_bump bump all
> Browser & HTTP UA Client connections are working with SSL bump properly