I confirm - I've seen this issue in cache.log too.
16.02.16 11:25, Amos Jeffries wrote:
On 16/02/2016 3:12 p.m., Jason Haar wrote:
On Tue, Feb 16, 2016 at 2:48 AM, Amos Jeffries wrote:
Thanks for the reminder. I don't recall seeing a bug report being made.
Though Jason has sent me a more detai
okay, now I have this
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all
but all https connections are TCP_TUNNEL/200
I need only SNI requests that can't be bumped to be TCP_TUNNEL/200 !!!
and the other requests must be bumped and decrypted !!
I had to try overwriting the directives in the squid.conf since it was
the quickest and most obvious solution to me.
I can assure you, it works.
On 15.02.2016 10:59, Amos Jeffries wrote:
> On 15/02/2016 10:51 p.m., Stefan Hölzle wrote:
>> For a quick fix, I defined the two directives in my squid.c
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.14 release!
This release is a security release resolving one major vulnerability and
several other bugs found in the prior Squid releases.
The major changes to be aware of:
* SQUID-2016:1 - Remote Denial o
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.6 release!
This release is a security release resolving one major vulnerability and
several other bugs found in the prior Squid releases.
NP: this release announcement also covers 4.0.5 change details.
Th
__
Squid Proxy Cache Security Update Advisory SQUID-2016:1
__
Advisory ID: SQUID-2016:1
Date: February 16, 2016
Summary: Remote Denial of
Hi List,
I am using Squid 3.1.23 as a reverse proxy. Client authentication to
backend servers is mandatory. All backend servers use client certificate
based authentication which I configure as follows:
cache_peer (...) ssl sslcert=/etc/squid/client-certs/client-cert.pem
(...)
The .pem file is
Greetings Squid users,
With 3.5.14 out and activating CFLAGS, I am getting into trouble. Funny
too, I spent a lot of time wondering why it wasn't adding CFLAGS in earlier
builds. In any event, I have a 3.5.13 instance configured as follows:
./configure --prefix=/usr --localstatedir=/var
On 17/02/2016 3:11 a.m., luc...@dds.nl wrote:
> Hi List,
>
> I am using Squid 3.1.23 as a reverse proxy. Client authentication to
> backend servers is mandatory. All backend servers use client certificate
> based authentication which I configure as follows:
> cache_peer (...) ssl sslcert=/etc/squi
Before digging into the details of the issue, can you supply the OS details?
What OS are you using? What distribution?
32 or 64 bit?
Can you also add the output of "squid -v" for both 3.5.14 and 3.5.13?
Thanks,
Eliezer
On 16/02/2016 16:32, Jester Purtteman wrote:
Greetings Squid users,
With 3
On 17/02/2016 3:32 a.m., Jester Purtteman wrote:
> Greetings Squid users,
>
>
>
> With 3.5.14 out and activating CFLAGS, I am getting into trouble. Funny
> too, I spent a lot of time wondering why it wasn't adding CFLAGS in earlier
> builds. In any event, I have a 3.5.13 instance configured a
On 02/16/2016 12:32 PM, Jester Purtteman wrote:
./configure CFLAGS="-march=core2 -mcx16 -msahf -mno-movbe -mno-aes -mno-pclmul -mno-popcnt
-mno-sse4 -msse4.1" CXXFLAGS="${CFLAGS}" --with-pthreads --prefix=/usr
--localstatedir=/var
--libexecdir=/usr/lib/squid --srcdir=. --datadir=/usr/s
Hi all,
http://imgur.com/PI1PRlB
Can it be fixed with Squid ? If yes, how ?
Thank you very much for your answer.
Sébastien Boulianne
Administrateur réseau & système / Network & System Administrator (Windows &
Linux).
Gestion des infrastructures / Infrastructure Management.
CCNA / CompTIA Serv
why does the SNI connection not work?
any application on mobile Android or Apple is not working when doing
ssl_bump !!
maybe I am missing something? otherwise bumping https is useless !!
Aha,
here is it:
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit#Hardening
17.02.16 1:32, sebastien.boulia...@cpu.ca wrote:
>
> Hi all,
>
>
>
> http://imgur.com/PI1PRlB
>
>
>
> Can it be fixed with Squid ? If yes, how ?
>
I suggest the more correct term is:
"Not ALL applications on Apple or Android work".
Yes?
Also I suggest you meet with pinned connections. ;) They can't be
bumped. For now ;)
17.02.16 1:14, HackXBack wrote:
> why does the SNI connection not work?
> an
it's okay, I don't want to bump them !! but at least make them work !!
most applications used pinned connections !!
most of them are not working at all !!
the connection can't be established at all !!
Wow, wow, not most and any ;)
Use splice, Luke :) This thing for it. :)
17.02.16 1:20, HackXBack wrote:
> it's okay, I don't want to bump them !! but at least make them work !!
> most applications used pinned connections !!
> most of them are not
On 02/15/2016 06:13 PM, Amos Jeffries wrote:
> Also, terminate seems to require
> similar operations to bump, so after the step 2 peek it may not work
> reliably.
The terminate action (i.e., TCP connection(s) closure) should not
require anything and should be usable at all steps, regardless of the
I've found that relates to httpd and not the proxy itself. This is an
easy fix though.
Modify /etc/httpd/conf.d/ssl.conf
* SSLProtocol all -SSLv2 (most modern Linux OS already has this by
  default but add it if it is not found)
* SSLCipherSuite ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128
That's it, yes, for Apache.
17.02.16 1:50, Mike wrote:
> I've found that relates to httpd and not the proxy itself. This is an easy
> fix though.
> Modify /etc/httpd/conf.d/ssl.conf
>
> * SSLProtocol all -SSLv2 (most modern linux OS alre
Bump... No comments ?
On 10 February 2016 at 09:55, Alex Samad wrote:
> auth_param negotiate program /usr/bin/ntlm_auth
> --helper-protocol=gss-spnego --configfile /etc/samba/smb.conf-squid
> auth_param negotiate children 20 startup=0 idle=3
> auth_param negotiate keep_alive on
> auth_param ntlm
Hi all,
I just did an SSL Analyzer with Comodo.
Their site told me that I support « Secure Renegotiation IS supported,
Vulnerable DoS »
Is there a way to block that with Squid?
Thank you very much in advance.
Sébastien
Hi All,
Currently I have Squid 3.5.12 set up with LDAP Authentication and with
groups. If a certain user is a part of a certain group they can access sites
that are listed in the allowed list, otherwise access is denied for all
other sites.
I have a new requirement to allow all LDAP authenticated u
On 17/02/2016 12:33 p.m., nando mendonca wrote:
> Hi All,
>
> Currently I have Squid 3.5.12 set up with LDAP Authentication and with
> groups. If a certain user is a part of a certain group they can access sites
> that are listed in the allowed list, otherwise access is denied for all
> other sites.
Hello everybody:
Since a few months ago I'm using squid to provide a solution as small
business proxy in the network of my work place.
I'm from Cuba, in our country the Internet is a very limited resource. I
have only one link of 2Mbps to share with 20 ~ 25 users (even with my
network have more t
It's been a while since I've looked at this—because the software we use to
generate our squid.conf just works around now—but we found that Squid 3
would only enforce exactly half the configured rate on HTTP requests but
enforce the full rate on HTTPS requests.
So we now make two delay pools for ev
Hey djch Thanks for your quick reply...
Anyway, I know that delay pools are implemented at software layer, but
maybe the error was just a simple mistake porting the old squid 2 project.
Even when these days we have tools to do this more efficiently like TC-CBQ,
in environments where squid works as
Hey Martin,
I was wondering if you had the chance of trying to enforce some QOS
policy on the OS level?
Also what OS and distribution are you using?
Eliezer
On 17/02/2016 03:37, Hery Martin wrote:
Hello everybody:
Since a few months ago I'm using squid to provide a solution as small
busines
Due to the Security Update Advisory I am releasing RPMs for:
- SLES 12 SP1
- OpenSUSE Leap 42.1
- CentOS 6 + 7
- Oracle Linux 6 + 7
CentOS and Oracle Linux EL6 version includes RPMs only for the 3.5 tree
and for both 64 and 32 bit.
All others were built only for 64 bit and also include 4.0.6 RP