Re: [squid-users] ssl-bump with url_regex [SOLVED]

2025-02-24 Thread Amos Jeffries
I do not think this solution is correct. The SSL_Ports ACL should already contain "443". So the traffic was **not** being blocked by this line: "deny CONNECT !SSL_Ports" AFAICS the lack of URL-path details on the CONNECT request was failing to match the urlpath_regex ACL. FYI; While mos

Re: [squid-users] ssl-bump with url_regex [SOLVED]

2025-02-24 Thread BOISIAUD Jean-Yves
Solution: It is the error message 'TCP_DENIED/200 0 CONNECT' which showed me the way. Directive is too restrictive: http_access deny CONNECT !SSL_ports It works now with: http_access allow CONNECT safe_ports where safe ports are: 80, 443, 1025-65535 (maybe too large)

Re: [squid-users] ssl-bump works, but leads to many client errors being logged (NONE_NONE/200)

2024-12-16 Thread Amon Ott
Am 14.12.24 um 17:26 schrieb R: My current goal is to set up a caching instance for https static content with squid 6.12. ssl-bump is set up according to https://wiki.squid-cache.org/Features/SslBump and it works fine, at least from the clients' perspectives and without any noticeable issues

Re: [squid-users] ssl-bump works, but leads to many client errors being logged (NONE_NONE/200)

2024-12-15 Thread slagauterie
Hello Rod, Not an expert, but from my understanding it seems that your NONE_NONE/200 are all related to a CONNECT. That means it is a SSL Tunnel, which is the initial log of a HTTPS connection when doing ssl_bumping. It is normally followed by another "regular" log, where you can get more informat

Re: [squid-users] ssl-bump peek and select pinned destination failed

2023-09-20 Thread Alex Rousskov
On 2023-09-20 04:17, linfengfeiye wrote: Hi, what does "PeerSelector186 found pinned, destination" that appears in the Squid log mean? Please note that Squid debugging logs (cache.log at level 3 and above) are for developer use. This mailing list is not. In triage, I recommend focusing on acc

Re: [squid-users] ssl-bump strange behaviour with incomplete config

2023-09-13 Thread Alex Rousskov
On 2023-09-13 12:47, sq...@iotti.biz wrote: I'm only peeking as long as possible, and then splice at step3. I got the regular Squid access denied screen (and this is right, since the CONNECT is not allowed) but in access.log I find: 2023-09-13T17:12:52.855+0200 12 192.168.1.179 TCP_DENIED/

Re: [squid-users] ssl-bump connect issues

2022-05-24 Thread Jernej Porenta
Hey, thank you for your response. >> The logs show that clients did issue a CONNECT, however the connections are >> stuck (and eventually timeout) and netstat is showing exactly 10 connections >> in SYN_SENT state towards npm registry. I am kinda puzzled, where this >> number comes from. > >

Re: [squid-users] ssl-bump connect issues

2022-05-23 Thread Amos Jeffries
On 23/05/22 17:41, Jernej Porenta wrote: The logs show that clients did issue a CONNECT, however the connections are stuck (and eventually timeout) and netstat is showing exactly 10 connections in SYN_SENT state towards npm registry. I am kinda puzzled, where this number comes from. This

Re: [squid-users] SSL BUMP

2021-05-12 Thread squid3
On 2021-05-10 22:26, Stephane Simon wrote: Hello, I try to configure https with ssl bump. I use redhat 8. i follow https://blog.microlinux.fr/squid-https-centos-7/ when i restart squid, he doesn't cooperate and say: "FATAL: The usr/lib64/squid/security_file_certgen -s /var/lib/squid/ssl_db -M

Re: [squid-users] SSL-BUMP 5.0.4 not working as expected

2021-01-03 Thread Alex Rousskov
On 1/2/21 3:08 PM, ngtech1...@gmail.com wrote: > I am trying to configure 5.0.4 with sslbump to bump only a set of domains. > * Should I bump all connections with exceptions? > * Should I bump none else than the exceptions? > * Based on server_name regex and/or server_name domains Policy-wis

Re: [squid-users] SSL-BUMP 5.0.4 not working as expected

2021-01-03 Thread ngtech1ltd
Comments below -Original Message- From: squid-users On Behalf Of Amos Jeffries Sent: Sunday, January 3, 2021 9:12 AM To: squid-users@lists.squid-cache.org Subject: Re: [squid-users] SSL-BUMP 5.0.4 not working as expected On 3/01/21 9:08 am, ngtech1ltd wrote: > I am trying to config

Re: [squid-users] SSL-BUMP 5.0.4 not working as expected

2021-01-02 Thread Amos Jeffries
On 3/01/21 9:08 am, ngtech1ltd wrote: I am trying to configure 5.0.4 with sslbump to bump only a set of domains. I am unsure about the right way it should be done. The basic constraints are POLICY vs a set of rules. * Should I bump all connections with exceptions? * Should I bump none else t

Re: [squid-users] SSL Bump: I have weekly more sites to whitelist due to HTTP Error 403 on opening site content

2020-08-28 Thread Amos Jeffries
On 28/08/20 8:12 pm, i...@schroeffu.ch wrote: > > Hi Squid Community, > > the last weeks it felt that more and more websites are going to be > "incompatible" with Squid SSL bump. "feelings" aside, that is exactly the situation. SSL-Bump is literally a security attack on clients traffic. Exactly

Re: [squid-users] ssl bump and url_rewrite_program (like squidguard)

2020-03-10 Thread Edouard Gaulué
Hi, Sorry for the noise. In fact, it works. It's just squid couldn't connect to the local cgi page (while it could for squidclamav), and then did its best that was rather strange. I confirm "url_rewrite_access deny CONNECT" works like a charm to avoid redirection during connection establishm

Re: [squid-users] ssl bump and url_rewrite_program (like squidguard)

2020-03-10 Thread Edouard Gaulué
Hi all, I know it's an old subject but I come back on it as I moved my old proxy server to Debian Buster. I now have a 4.10 version from git. Here are my last tests regarding this subject :  * Using c-icap for virus detection works well. I mean if I download a virus from an HTTPS server like

Re: [squid-users] ssl bump intermediate certificate

2019-11-03 Thread Amos Jeffries
All of the "CA" entries in that purposes list say "No". So this is not a CA certificate, it is an origin server certificate. It can only be used to receive explicit TLS proxy or HTTPS origin server traffic. Amos Sent from my alcatel U5 ___ squid-user

Re: [squid-users] ssl bump intermediate certificate

2019-11-03 Thread Amos Jeffries
All of the "CA" entries in that purposes list say "No". So this is not a CA certificate, it is an origin server certificate. It can only be used to receive explicit TLS proxy or HTTPS origin server traffic. Amos Sent from my alcatel U5 ___ squid-user

Re: [squid-users] ssl bump intermediate certificate

2019-11-03 Thread Marek Greško
Hello, I already tried adding root ca to the pem file in the cert= option. But it had no effect. the squid -k parse seems good point. I got: Ignoring non-issuer CA from /etc/squid/bump-CA/bump-ca.crt If I add the root ca, that one is reported to be added, but still ignoring the bump ca. Why is

Re: [squid-users] ssl bump intermediate certificate

2019-10-31 Thread Amos Jeffries
On 31/10/19 9:49 am, Marek Greško wrote: > Hello, > > Matus, I also found the document. It should be sending the chain, but > is not. When I specify cafile option it responds I should use > tls-cafile. But in either case it is not sending. > > Walter, if squid has such requirement, then it is unfi

Re: [squid-users] ssl bump intermediate certificate

2019-10-30 Thread Marek Greško
Hello, Matus, I also found the document. It should be sending the chain, but is not. When I specify cafile option it responds I should use tls-cafile. But in either case it is not sending. Walter, if squid has such requirement, then it is unfinished. Every other proxy is able to run its CA as an i

Re: [squid-users] ssl bump intermediate certificate

2019-10-30 Thread Matus UHLAR - fantomas
On 30.10.2019 05:59, Marek Greško wrote: I am trying to configure ssl bumping on squid 4.8 but my browser is not able to validate the certificate due to intermediate certificate missing. How could I convince squid to send it? On 30.10.19 10:11, Walter H. wrote: the ssl-bump certificate is either

Re: [squid-users] ssl bump intermediate certificate

2019-10-30 Thread Walter H.
On 30.10.2019 05:59, Marek Greško wrote: Hello, I am trying to configure ssl bumping on squid 4.8 but my browser is not able to validate the certificate due to intermediate certificate missing. How could I convince squid to send it? Thanks Marek the ssl-bump certificate is either a root certifi

Re: [squid-users] SSL Bump with HTTP Cache Peer Parent

2019-07-15 Thread mikio . kishi
Alex, >The feature has already been rejected from the official v4 inclusion >because the underlying changes are too big/risky for that branch. I see. I understood that the v4 won't be able to support it. Anyway, when will you release v5 officially ? Regards, -- Mikio Kishi On Mon, Jul 15, 2019

Re: [squid-users] SSL Bump with HTTP Cache Peer Parent

2019-07-14 Thread Alex Rousskov
On 7/14/19 10:51 AM, mikio.ki...@gmail.com wrote: >>In addition to what Amos has said, you may be interested in the v4 patch >>described at https://bugs.squid-cache.org/show_bug.cgi?id=4968#c1 > Do you have plan to support above officially ? The feature has already been rejected from the officia

Re: [squid-users] SSL Bump with HTTP Cache Peer Parent

2019-07-14 Thread mikio . kishi
Alex, Thank you for your reply. >In addition to what Amos has said, you may be interested in the v4 patch >described at https://bugs.squid-cache.org/show_bug.cgi?id=4968#c1 Do you have plan to support above officially ? Regards, -- Mikio Kishi On Sun, Jul 14, 2019 at 9:58 PM Alex Rousskov < ro

Re: [squid-users] SSL Bump with HTTP Cache Peer Parent

2019-07-14 Thread Alex Rousskov
On 7/14/19 3:35 AM, Amos Jeffries wrote: > On 14/07/19 5:33 pm, mikio.kishi wrote: >> Hi all, >> >>  https://www.spinics.net/lists/squid/msg90523.html >> >> As mentioned in the above URL, I would like to use "SSL Bump with HTTP >> Cache Peer Parent" as well. >> However, still seems not be supported

Re: [squid-users] SSL Bump with HTTP Cache Peer Parent

2019-07-14 Thread Amos Jeffries
On 14/07/19 5:33 pm, mikio.kishi wrote: > Hi all, > >  https://www.spinics.net/lists/squid/msg90523.html > > As mentioned in the above URL, I would like to use "SSL Bump with HTTP > Cache Peer Parent" as well. > However, still seems not be supported like the following. > ... > > Do you have any

Re: [squid-users] ssl bump

2019-02-27 Thread Amos Jeffries
On 28/02/19 2:31 am, leomessi983 wrote: > Hi all > Can i use this conf only for blocking purpose?! You could. I suggest you keep the default security Safe_ports and SSL_ports ACL and http_access rules though. They exist to protect your proxy against malicious attacks and Dos situations. Your cus

Re: [squid-users] ssl-bump does not redirect to block page

2019-02-13 Thread Alex Rousskov
On 2/12/19 11:22 PM, leomessi...@yahoo.com wrote: > Actually i don't understand if it could be done or not!! And I do not know what you mean by "it" here. * Can Squid send a blocking error page to an HTTPS client? Yes. * Will the browser show that error page to the user without any additional w

Re: [squid-users] ssl-bump does not redirect to block page

2019-02-13 Thread Amos Jeffries
On 14/02/19 1:10 am, leomessi983 wrote: > I use this configuration to solve my problem. > With this configuration at first step I use bump action for sites that I > want to block and show ACCESS_DENIED page then splice all other requests!! > My problem in this config is when my clients want to see

Re: [squid-users] ssl-bump does not redirect to block page

2019-02-13 Thread leomessi...@yahoo.com
... URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20190212/8311d242/attachment-0001.html> -- Message: 2 Date: Tue, 12 Feb 2019 08:04:08 -0700 From: Alex Rousskov To: squid-users@lists.squid-cache.org Subject: Re: [squid-users] ssl-bump does

Re: [squid-users] ssl-bump does not redirect to block page

2019-02-12 Thread leomessi...@yahoo.com
>> aka the 'bump' action. > This part is misleading: Modern Squids _automatically_ bump connections > to report [access denied] errors -- no explicit bump action is required > (or even desirable). I do not know whether> * that bumping does not happen > for leo (e.g., due to Squid bugs), or > * i

Re: [squid-users] ssl-bump does not redirect to block page

2019-02-12 Thread Alex Rousskov
On 2/12/19 7:21 AM, leomessi...@yahoo.com wrote: > Do i have to use CA and Certificate configuration if i want to block > only HTTPS requests with splice action?! IIRC, you currently need a CA certificate if you want to use SslBump, regardless of the SslBump actions in use. In some ways, this is

Re: [squid-users] ssl-bump does not redirect to block page

2019-02-10 Thread Alex Rousskov
On 2/6/19 12:57 PM, Amos Jeffries wrote: > On 7/02/19 3:52 am, leo messi wrote: >> My squid config is something like this: >> acl blk ssl::server_name .google.com >> http_access deny blk >> http_access allow all >> ssl_bump peek step1 >> ssl_bump splice all >> My problem is when i block some page

Re: [squid-users] ssl-bump does not redirect to block page

2019-02-06 Thread Amos Jeffries
On 7/02/19 3:52 am, leo messi wrote: > Hi > My squid config is something like this: > acl blk ssl::server_name .google.com > http_access deny blk > http_access allow all > ... > > acl step1 at_step SslBump1 > ssl_bump peek step1 > ssl_bump splice all > > > My problem is when i block some pages

Re: [squid-users] ssl bump, CA certificate renewal, how to?

2019-01-16 Thread eliezer
-users On Behalf Of Bruno de Paula Larini Sent: Tuesday, January 15, 2019 19:33 To: squid-us...@squid-cache.org Subject: Re: [squid-users] ssl bump, CA certificate renewal, how to? Em 15/01/2019 15:01, Dmitry Melekhov escreveu: > > 5 years, really, not very long period of time, if I'll

Re: [squid-users] ssl bump, CA certificate renewal, how to?

2019-01-16 Thread Dmitry Melekhov
15.01.2019 21:33, Bruno de Paula Larini пишет: Em 15/01/2019 15:01, Dmitry Melekhov escreveu: 5 years, really, not very long period of time, if I'll be sure to not work here in 5 years then I'll use this ;-) , unfortunately I'm not :-( I don't need to replace certificate every year or so, bu

Re: [squid-users] ssl bump, CA certificate renewal, how to?

2019-01-15 Thread Bruno de Paula Larini
Em 15/01/2019 15:01, Dmitry Melekhov escreveu: 5 years, really, not very long period of time, if I'll be sure to not work here in 5 years then I'll use this ;-) , unfortunately I'm not :-( I don't need to replace certificate every year or so, but I need to have minimal service interruption f

Re: [squid-users] ssl bump, CA certificate renewal, how to?

2019-01-15 Thread FredB
Sorry wrong topic Le 15/01/2019 à 18:08, FredB a écrit : Now squid can get directly the intermediate CA as a browser does, it's a very interesting feature to me Maybe I'm missing something, but I can see the request from squid now (with squid 4) it's a good point, my sslbump config is very ba

Re: [squid-users] ssl bump, CA certificate renewal, how to?

2019-01-15 Thread FredB
Now squid can get directly the intermediate CA as a browser does, it's a very interesting feature to me Maybe I'm missing something, but I can see the request from squid now (with squid 4) it's a good point, my sslbump config is very basic, perhaps too basic cl step at_step SslBump1 ssl_bump

Re: [squid-users] ssl bump, CA certificate renewal, how to?

2019-01-15 Thread Dmitry Melekhov
15.01.2019 20:52, elie...@ngtech.co.il пишет: With squid 4.x or even 3.5 you can use an intermediate CA. So you will have the root key and certificate somewhere safe and renew the intermediate root CA every year or two. The main root CA should be created at-least for a period of 5 years to

Re: [squid-users] ssl bump, CA certificate renewal, how to?

2019-01-15 Thread eliezer
With squid 4.x or even 3.5 you can use an intermediate CA. So you will have the root key and certificate somewhere safe and renew the intermediate root CA every year or two. The main root CA should be created at-least for a period of 5 years to allow this dynamicity you probably need. Eliezer

Re: [squid-users] SSL Bump with HTTP Cache Peer Parent

2018-12-12 Thread Sam Handley
On 13/12/18 2:12 pm, Amos Jeffries wrote: [ please keep the traffic on-list. If you want private assistance I do consult for a small fee. ] On 13/12/18 2:51 pm, Sam Handley wrote: On 13/12/18 12:00 pm, Amos Jeffries wrote: Thank you for your reply, it seems adding in an extra step could solv

Re: [squid-users] SSL Bump with HTTP Cache Peer Parent

2018-12-12 Thread Amos Jeffries
[ please keep the traffic on-list. If you want private assistance I do consult for a small fee. ] On 13/12/18 2:51 pm, Sam Handley wrote: > On 13/12/18 12:00 pm, Amos Jeffries wrote: > > Thank you for your reply, it seems adding in an extra step could solve it, > even if not ideal. > Just a few

Re: [squid-users] SSL Bump with HTTP Cache Peer Parent

2018-12-12 Thread Amos Jeffries
On 13/12/18 12:15 pm, sam.handley wrote: > I am not 100% confident what I am asking is possible but I'd love it to be > confirmed. > > Here is what our setup would look like, I’ve explained a bit below: > > DEVICE ---> PRX3 (HTTPS CACHE) ---> PRX2 ---> PRX1 ---> INTERNET > > Our current environm

Re: [squid-users] SSL Bump for regex URL comparison

2017-11-16 Thread Matus UHLAR - fantomas
On 16.11.17 08:21, Joe Foster wrote: The problem is the connections are not getting through. It just acts like there is no WiFi connection. what exactly is the error? Does squid receive those connections? does squid reject them? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantoma

Re: [squid-users] SSL Bump for regex URL comparison

2017-11-16 Thread Joe Foster
Hello Amos, The problem is the connections are not getting through. It just acts like there is no WiFi connection. Adding the cert db every start up isn’t an issue. I was thinking of having a small cert cache locally instead thinking about it since. The connections just aren’t being made. No ss

Re: [squid-users] SSL Bump for regex URL comparison

2017-11-16 Thread Amos Jeffries
On 16/11/17 02:32, Joe Foster wrote: Good afternoon, I have a small router onto which I have installed Squid. I am trying to filter HTTPS urls for bad words on a blocked list. It will require the client on the safe side of the router to install the certificate, this isn't an issue as it's an o

Re: [squid-users] SSL Bump Failures with Google and Wikipedia

2017-10-06 Thread Amos Jeffries
On 06/10/17 18:24, Rafael Akchurin wrote: Hello Eliezer, From desktop ff/chrome goto youtube. It will be br encoded. Best regards, Rafael Akchurin Also, from the discussions in the IETF I get the impression that; * the Firefox support is still only in their experimental version(s) maybe

Re: [squid-users] SSL Bump Failures with Google and Wikipedia

2017-10-05 Thread Rafael Akchurin
ech.co.il > > > -Original Message- > From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On > Behalf Of Yuri > Sent: Sunday, October 1, 2017 04:08 > To: squid-users@lists.squid-cache.org > Subject: Re: [squid-users] SSL Bump Failures with Google

Re: [squid-users] SSL Bump Failures with Google and Wikipedia

2017-10-05 Thread Eliezer Croitoru
: +972-5-28704261 Email: elie...@ngtech.co.il -Original Message- From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Yuri Sent: Sunday, October 1, 2017 04:08 To: squid-users@lists.squid-cache.org Subject: Re: [squid-users] SSL Bump Failures with Google and

Re: [squid-users] SSL Bump Failures with Google and Wikipedia [SOLVED]

2017-10-04 Thread Jeffrey Merkey
On 10/4/17, Alex Rousskov wrote: > On 09/30/2017 11:14 PM, Jeffrey Merkey wrote: >>> After reviewing this problem and all of the great technical >>> information folks provided, I have it working and I figured out the >>> best way to deal with this transparently allowing squid to remotely >>> spoof

Re: [squid-users] SSL Bump Failures with Google and Wikipedia [SOLVED]

2017-10-04 Thread Alex Rousskov
On 09/30/2017 11:14 PM, Jeffrey Merkey wrote: >> After reviewing this problem and all of the great technical >> information folks provided, I have it working and I figured out the >> best way to deal with this transparently allowing squid to remotely >> spoof the server side with modified request h

Re: [squid-users] SSL Bump Failures with Google and Wikipedia [SOLVED]

2017-10-01 Thread Yuri
Opera, AFAIK, now abandoned and can contain obsolete CA bundle (not sure it uses system CA storage). So, it seems this is quite different issue. 02.10.2017 5:46, L A Walsh пишет: > Jeffrey Merkey wrote: >> >> One caveat about this I discovered that there are quite a few websites >> which complet

Re: [squid-users] SSL Bump Failures with Google and Wikipedia [SOLVED]

2017-10-01 Thread L A Walsh
Jeffrey Merkey wrote: One caveat about this I discovered that there are quite a few websites which completely ignore the Accept-Encoding request header and just go ahead and send gzip html data even when you tell it not to. Oh well, back to the drawing board. --- But didn't your bump pro

Re: [squid-users] SSL Bump Failures with Google and Wikipedia [SOLVED]

2017-09-30 Thread Jeffrey Merkey
On 9/30/17, Jeffrey Merkey wrote: > On 9/30/17, Rafael Akchurin wrote: >> Hello Jeff, >> >> Do not forget Google and YouTube are now using brotli encoding >> extensively, >> not only gzip. >> >> Best regards, >> Rafael Akchurin >> >>> Op 30 sep. 2017 om 23:49 heeft Jeffrey Merkey het >>> volgend

Re: [squid-users] SSL Bump Failures with Google and Wikipedia [SOLVED]

2017-09-30 Thread Jeffrey Merkey
On 9/30/17, Rafael Akchurin wrote: > Hello Jeff, > > Do not forget Google and YouTube are now using brotli encoding extensively, > not only gzip. > > Best regards, > Rafael Akchurin > >> Op 30 sep. 2017 om 23:49 heeft Jeffrey Merkey het >> volgende geschreven: >> >>> On 9/30/17, Eliezer Croitoru

Re: [squid-users] SSL Bump Failures with Google and Wikipedia

2017-09-30 Thread Yuri
261 > Email: elie...@ngtech.co.il > > > > -Original Message- > From: Rafael Akchurin [mailto:rafael.akchu...@diladele.com] > Sent: Sunday, October 1, 2017 01:16 > To: Jeffrey Merkey > Cc: Eliezer Croitoru ; squid-users > > Subject: Re: [squid-users] SSL Bump Failures

Re: [squid-users] SSL Bump Failures with Google and Wikipedia

2017-09-30 Thread Eliezer Croitoru
, October 1, 2017 01:16 To: Jeffrey Merkey Cc: Eliezer Croitoru ; squid-users Subject: Re: [squid-users] SSL Bump Failures with Google and Wikipedia Hello Jeff, Do not forget Google and YouTube are now using brotli encoding extensively, not only gzip. Best regards, Rafael Akchurin > Op 30 sep. 2

Re: [squid-users] SSL Bump Failures with Google and Wikipedia

2017-09-30 Thread Jeffrey Merkey
On 9/30/17, Rafael Akchurin wrote: > Hello Jeff, > > Do not forget Google and YouTube are now using brotli encoding extensively, > not only gzip. > > Best regards, > Rafael Akchurin > >> Op 30 sep. 2017 om 23:49 heeft Jeffrey Merkey het >> volgende geschreven: >> >>> On 9/30/17, Eliezer Croitoru

Re: [squid-users] SSL Bump Failures with Google and Wikipedia

2017-09-30 Thread Rafael Akchurin
Hello Jeff, Do not forget Google and YouTube are now using brotli encoding extensively, not only gzip. Best regards, Rafael Akchurin > Op 30 sep. 2017 om 23:49 heeft Jeffrey Merkey het > volgende geschreven: > >> On 9/30/17, Eliezer Croitoru wrote: >> Hey Jeffrey, >> >> What happens when y

Re: [squid-users] SSL Bump Failures with Google and Wikipedia

2017-09-30 Thread Jeffrey Merkey
On 9/30/17, Jeffrey Merkey wrote: > On 9/30/17, Eliezer Croitoru wrote: >> Hey Jeffrey, >> >> What happens when you disable the next icap service this way: >> icap_service service_avi_resp respmod_precache >> icap://127.0.0.1:1344/cherokee bypass=0 >> adaptation_access service_avi_resp deny all >

Re: [squid-users] SSL Bump Failures with Google and Wikipedia

2017-09-30 Thread Jeffrey Merkey
On 9/30/17, Eliezer Croitoru wrote: > Hey Jeffrey, > > What happens when you disable the next icap service this way: > icap_service service_avi_resp respmod_precache > icap://127.0.0.1:1344/cherokee bypass=0 > adaptation_access service_avi_resp deny all > > Is it still the same? > What I suspect i

Re: [squid-users] SSL Bump Failures with Google and Wikipedia

2017-09-30 Thread Eliezer Croitoru
Hey Jeffrey, What happens when you disable the next icap service this way: icap_service service_avi_resp respmod_precache icap://127.0.0.1:1344/cherokee bypass=0 adaptation_access service_avi_resp deny all Is it still the same? What I suspect is that the requests are defined to accept gzip compr

Re: [squid-users] SSL bump, SSL intercept, explicit, secure proxy, what is it called?

2017-05-25 Thread j m
This doesn't seem to have the SSL option like Foxyproxy does.  From: Marcus Kool To: squid-users@lists.squid-cache.org Sent: Thursday, May 25, 2017 8:18 AM Subject: Re: [squid-users] SSL bump, SSL intercept, explicit, secure proxy, what is it called? If you use foxyprox

Re: [squid-users] SSL bump, SSL intercept, explicit, secure proxy, what is it called?

2017-05-25 Thread Marcus Kool
If you use foxyproxy for firefox, you can use switchysharp for Chrome. Marcus On 25/05/17 09:00, j m wrote: Thought I'd try getting this to work in Chrome too. NOTHING I try makes it work in Chrome. Isn't running this from the Windows command line supposed to work? chrome --proxy-server=h

Re: [squid-users] SSL bump, SSL intercept, explicit, secure proxy, what is it called?

2017-05-25 Thread j m
proxy despite Firefox on the same computer working just fine! From: Amos Jeffries To: j m ; "squid-users@lists.squid-cache.org" Sent: Wednesday, May 24, 2017 5:15 PM Subject: Re: [squid-users] SSL bump, SSL intercept, explicit, secure proxy, what is it called? On 25/05/17

Re: [squid-users] SSL bump, SSL intercept, explicit, secure proxy, what is it called?

2017-05-25 Thread j m
with? From: Amos Jeffries To: j m ; "squid-users@lists.squid-cache.org" Sent: Wednesday, May 24, 2017 5:15 PM Subject: Re: [squid-users] SSL bump, SSL intercept, explicit, secure proxy, what is it called? On 25/05/17 09:01, j m wrote: > Some more info:  I tried this on Firef

Re: [squid-users] SSL bump, SSL intercept, explicit, secure proxy, what is it called?

2017-05-24 Thread Amos Jeffries
On 25/05/17 09:01, j m wrote: Some more info: I tried this on Firefox 53 and got more feedback, but still doesn't work. Per the recommendation on bugzilla (bug 378637), I put https://myaddress:myport into firefox and it gives me a "Your connection is not secure".

Re: [squid-users] SSL bump, SSL intercept, explicit, secure proxy, what is it called?

2017-05-24 Thread Alex Rousskov
On 05/24/2017 01:45 PM, Amos Jeffries wrote: > On 25/05/17 02:17, Alex Rousskov wrote: >> On 05/24/2017 06:56 AM, Amos Jeffries wrote: >>> On 24/05/17 13:44, j m wrote: So firstly, what is the actual name for what I want (encrypting proxy to browser)? >>> Some people seem to be calling i

Re: [squid-users] SSL bump, SSL intercept, explicit, secure proxy, what is it called?

2017-05-24 Thread j m
s deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow auth_users http_access allow all #http_port 8092 https_port 8092 cert=/etc/squid/squid.pem cache deny all access_log none netdb_filename none From: Amos Jeffries To: squid-users@lists.squid-cache.org Sent: Wednesda

Re: [squid-users] SSL bump, SSL intercept, explicit, secure proxy, what is it called?

2017-05-24 Thread Amos Jeffries
On 25/05/17 02:17, Alex Rousskov wrote: On 05/24/2017 06:56 AM, Amos Jeffries wrote: On 24/05/17 13:44, j m wrote: So firstly, what is the actual name for what I want (encrypting proxy to browser)? Some people seem to be calling it "HTTPS", but that is not correct and thankfully makes it diffi

Re: [squid-users] SSL bump, SSL intercept, explicit, secure proxy, what is it called?

2017-05-24 Thread Alex Rousskov
On 05/24/2017 06:56 AM, Amos Jeffries wrote: > On 24/05/17 13:44, j m wrote: >> So firstly, what is the actual name for what I want (encrypting proxy >> to browser)? > Some people seem to be calling it "HTTPS", but that is not correct and > thankfully makes it difficult to find the bad info. What

Re: [squid-users] SSL bump, SSL intercept, explicit, secure proxy, what is it called?

2017-05-24 Thread j m
effries To: squid-users@lists.squid-cache.org Sent: Wednesday, May 24, 2017 7:57 AM Subject: Re: [squid-users] SSL bump, SSL intercept, explicit, secure proxy, what is it called? On 24/05/17 13:44, j m wrote: > I'd like to set up a proxy on a home server so I can use it remotely

Re: [squid-users] SSL bump, SSL intercept, explicit, secure proxy, what is it called?

2017-05-24 Thread Amos Jeffries
On 24/05/17 13:44, j m wrote: I'd like to set up a proxy on a home server so I can use it remotely for web browsing; no filtering, nothing fancy, just a pass-through of sorts to get around web filters. That part I've got working. The part I haven't had luck with is encrypting the browser-to-p

Re: [squid-users] ssl bump and url_rewrite_program (like squidguard)

2017-05-04 Thread Marcus Kool
Hi Edouard, To block GET https://www.example.com/foo.html and to pass CONNECT www.example.com you need a) squid with ssl-bump in peek+bump mode b) ufdbGuard ufdbGuard can skip the CONNECT and waits for the GET request which can be blocked without browser errors. Since ssl-bump is not easy it i

Re: [squid-users] ssl bump and url_rewrite_program (like squidguard)

2017-05-04 Thread Edouard Gaulué
Hi community, Any news about this? I've tried 3.5.25 but still observe this behaviour. I understand it well since I read: https://serverfault.com/questions/727262/how-to-redirect-https-connect-request-with-squid-explicit-proxy But how to let the CONNECT request succeed and later block/redire

Re: [squid-users] ssl bump and chrome 58

2017-05-03 Thread Yuri
Exactly. 03.05.2017 16:32, Rafael Akchurin пишет: And on 3.5 too? -Original Message- From: Yuri [mailto:yvoi...@gmail.com] Sent: Wednesday, May 3, 2017 12:30 PM To: Rafael Akchurin ; Flashdown Cc: squid-users@lists.squid-cache.org Subject: Re: [squid-users] ssl bump and chrome 58

Re: [squid-users] ssl bump and chrome 58

2017-05-03 Thread Rafael Akchurin
And on 3.5 too? -Original Message- From: Yuri [mailto:yvoi...@gmail.com] Sent: Wednesday, May 3, 2017 12:30 PM To: Rafael Akchurin ; Flashdown Cc: squid-users@lists.squid-cache.org Subject: Re: [squid-users] ssl bump and chrome 58 Mountain brake, Raf :-) Fixed yesterday, already

Re: [squid-users] ssl bump and chrome 58

2017-05-03 Thread Yuri
[mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Rafael Akchurin Sent: Wednesday, May 3, 2017 10:48 AM To: Flashdown ; Yuri Voinov Cc: squid-users@lists.squid-cache.org Subject: Re: [squid-users] ssl bump and chrome 58 [This sender failed our fraud detection checks and may not be who

Re: [squid-users] ssl bump and chrome 58

2017-05-03 Thread Rafael Akchurin
Voinov Cc: squid-users@lists.squid-cache.org Subject: Re: [squid-users] ssl bump and chrome 58 [This sender failed our fraud detection checks and may not be who they appear to be. Learn about spoofing at http://aka.ms/LearnAboutSpoofing] Hello all, The following steps give in Chrome 58 the "

Re: [squid-users] ssl bump and chrome 58

2017-05-03 Thread Rafael Akchurin
-cache.org] On Behalf Of Flashdown Sent: Thursday, April 27, 2017 6:42 PM To: Yuri Voinov Cc: squid-users@lists.squid-cache.org Subject: Re: [squid-users] ssl bump and chrome 58 I've tested the registry setting and it worked out. You can copy the below lines in a .reg file and execute it. W

Re: [squid-users] ssl bump and chrome 58

2017-04-27 Thread Yuri Voinov
r-first > all" should work. > > William Lima > > - Original Message - > From: "Flashdown" > To: "Yuri Voinov" > Cc: squid-users@lists.squid-cache.org > Sent: Thursday, April 27, 2017 1:41:48 PM > Subject: Re: [squid-users] ssl bump and

Re: [squid-users] ssl bump and chrome 58

2017-04-27 Thread William Lima
id-users@lists.squid-cache.org Sent: Thursday, April 27, 2017 1:41:48 PM Subject: Re: [squid-users] ssl bump and chrome 58 I've tested the registry setting and it worked out. You can copy the below lines in a .reg file and execute it. Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACH

Re: [squid-users] ssl bump and chrome 58

2017-04-27 Thread Flashdown
I've tested the registry setting and it worked out. You can copy the below lines in a .reg file and execute it. Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome] "EnableCommonNameFallbackForLocalAnchors"=dword:0001 Best regards, Flashdown Am 2017-0

Re: [squid-users] ssl bump and chrome 58

2017-04-27 Thread Flashdown
Hello together, here is a workaround that you could use in the meanwhile. https://www.chromium.org/administrators/policy-list-3#EnableCommonNameFallbackForLocalAnchors Source: https://www.chromium.org/administrators/policy-list-3#EnableCommonNameFallbackForLocalAnchors BEGIN EnableCommonName

Re: [squid-users] ssl bump and chrome 58

2017-04-27 Thread Flashdown
Hello together, Suddenly I am facing the same issue when users' Chrome has been updated to V58. I am running Squid 3.5.23. This is the reason: https://www.thesslstore.com/blog/security-changes-in-chrome-58/ Short: Common Name Support Removed in Chrome 58 and Squid does not create certs with D

Re: [squid-users] ssl bump and chrome 58

2017-04-21 Thread Yuri Voinov
I see no problem with it on all five SSL Bump-aware servers with new Chrome. So far so good. 21.04.2017 18:29, Marko Cupać wrote: > Hi, > > I have squid setup with ssl bump which worked fine, but since I updated > chrome to 58 it won't display any https sites, throwing > NTT:ERR_CERT_COMMON_NAME

Re: [squid-users] SSL Bump issues

2017-03-20 Thread Alex Rousskov
On 03/19/2017 07:58 PM, mr_jrt wrote: > ...but the only way I've got any successful SSL proxying is with: > > > ...but as expected, that's clearly not doing any bumping from the logs: > > > > When I put anything more in, i.e. > > > Then it turns on the mode: > > > ...but then I just get e

Re: [squid-users] SSL Bump issues

2017-03-20 Thread Tim Bates
Ignoring the Squid part, is it TLS 1.2 that's the root problem, or the ciphers? Are you aware XP schannel.dll has some ciphers and protocols disabled by default, even though they're supported? See here: https://support.microsoft.com/en-au/help/245030/how-to-restrict-the-use-of-certain-cryptogr

Re: [squid-users] Ssl bump tunneling connection by using Common Name

2017-03-09 Thread Amos Jeffries
On 7/03/2017 5:41 a.m., Eliezer Croitoru wrote: > Hey, > > There was something about it but I believe it's only on squid version 4.0.X. FTR; Squid-4 brings the ability to tunnel Skype clients that were using something that looked a bit like TLS but wasn't (along with the many port 443 non-TLS us

Re: [squid-users] Ssl bump tunneling connection by using Common Name

2017-03-06 Thread Eliezer Croitoru
Hey, There was something about it but I believe it's only on squid version 4.0.X. The other option for such a thing is to use an external_acl helper that will try to initiate a connection to the destination host (like what is done in the happy eyeballs) and to inspect the certificate to matc

Re: [squid-users] Ssl bump tunneling connection by using Common Name

2017-03-06 Thread Alex Rousskov
On 03/06/2017 06:46 AM, Hanoch Hanoch K wrote: > However skype's client app uses client certificates that don't have SNI. SNI is not a property of a client certificate. It is a property of a client Hello message. I do not know whether some Skype clients do not send SNI with their Hellos, but I wa

Re: [squid-users] SSL Bump and Certificate issue - RapidSSL Intermediate Cert

2017-03-01 Thread stylemessiah
Decided to fiddle with it one last time. If I change my cipher entries from EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS to ECDHE

Re: [squid-users] SSL Bump and Certificate issue - RapidSSL Intermediate Cert

2017-03-01 Thread stylemessiah
>That command you used does not send data through the proxy. So that >confirms that the servers TLS is broken in a way unrelated to Squid. As that may be, when I go direct (sans proxy) I get thumbnails...no issues. Toggle the proxy back on and no thumbnails, and opening an image link gives the erro

Re: [squid-users] SSL Bump and Certificate issue - RapidSSL Intermediate Cert

2017-03-01 Thread stylemessiah
Thanks Amos for the info, appreciate your tireless assistance for us numpties :) On 2 Mar. 2017 4:06 am, "Amos Jeffries [via Squid Web Proxy Cache]" < ml-node+s1019090n4681642...@n4.nabble.com> wrote: > On 1/03/2017 4:58 a.m., stylemessiah wrote: > > > This is driving me nuts, it's the only issue

Re: [squid-users] SSL Bump and Certificate issue - RapidSSL Intermediate Cert

2017-03-01 Thread Amos Jeffries
On 1/03/2017 4:58 a.m., stylemessiah wrote: > This is driving me nuts, it's the only issue I've found running ssl bump on my > home network for eons > > I can't see image thumbnails on xda-developers... > > When I access a thread with them, I get text links, not thumbnails, and if I > click on the l

Re: [squid-users] SSL-Bump: NAT/TPROXY lookup failed to locate original IPs

2017-02-26 Thread Test User
ers-boun...@lists.squid-cache.org] On >> > Behalf Of Eliezer Croitoru >> > Sent: Sunday, February 26, 2017 8:51 PM >> > To: 'Test User' >> > Cc: squid-users@lists.squid-cache.org >> > Subject: Re: [squid-users] SSL-Bump: NAT/TPROXY lookup fail

Re: [squid-users] SSL-Bump: NAT/TPROXY lookup failed to locate original IPs

2017-02-26 Thread Odhiambo Washington
obile: +972-5-28704261 > > Email: elie...@ngtech.co.il > > > > > > -Original Message- > > From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On > Behalf Of Eliezer Croitoru > > Sent: Sunday, February 26, 2017 8:51 PM > > To: 'T

Re: [squid-users] SSL-Bump: NAT/TPROXY lookup failed to locate original IPs

2017-02-26 Thread Test User
m: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On > Behalf Of Eliezer Croitoru > Sent: Sunday, February 26, 2017 8:51 PM > To: 'Test User' > Cc: squid-users@lists.squid-cache.org > Subject: Re: [squid-users] SSL-Bump: NAT/TPROXY lookup failed to loca
