[squid-users] squid-5.4 blocking on ipv6 outage

2022-02-20 Thread Jason Haar
's opinion that it's not working. Any ideas what's going on there? thanks! -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Re: [squid-users] squid-5.4 blocking on ipv6 outage

2022-02-21 Thread Jason Haar
debugging won't catch it. If it happens again (I have never seen this before) I'll be sure to do the debugging thang. On Tue, Feb 22, 2022 at 3:16 AM Alex Rousskov < rouss...@measurement-factory.com> wrote: > On 2/20/22 20:43, Jason Haar wrote: > > > I've noticed

[squid-users] XSS issue only affects bump doesn't it?

2018-10-28 Thread Jason Haar
by this vulnerability? -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ___ squid-users mailing list squid-users@lists.squid-cache.org ht

Re: [squid-users] Transparent Proxy in AWS

2017-01-11 Thread Jason Haar
ht Thing :-) Then there'd be no need for iptable tricks on the clients. Also means you could apply this to Windows EC2 systems too I'm not an AWS guru so I have no idea if that works. I'm assuming a VPC is like a VLAN -- Cheers Jason Haar Information Security Manager, Trimble N

[squid-users] dumb question: how to get http server IP into logs?

2017-07-30 Thread Jason Haar
d used to do that by default? (DIRECT/1.2.3.4?). All our logs are now "HIER_DIRECT" Thanks -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Re: [squid-users] dumb question: how to get http server IP into logs?

2017-08-09 Thread Jason Haar
Of Amos Jeffries > Sent: Monday, July 31, 2017 13:22 > To: squid-users@lists.squid-cache.org > Subject: Re: [squid-users] dumb question: how to get http server IP into > logs? > > On 30/07/17 22:02, Jason Haar wrote: > > Hi there > > > > We're running squid-

Re: [squid-users] Secure basic authentication on Squid

2017-12-05 Thread Jason Haar
please *don't* > CC me.

Re: [squid-users] SSL Peek and Splice with SIP over TCP

2016-03-09 Thread Jason Haar
> > You need to go looking for a SOCKS proxy. > > Amos -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone

[squid-users] intercepting tcp/443 purely for logging purposes

2016-03-20 Thread Jason Haar
dress, I can: CONNECT causes a 403 HTTP error page and intercept basically ditches the tcp/443 connection - which is as good as it gets without getting into the wonderful world of real "bump" -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171

Re: [squid-users] intercepting tcp/443 purely for logging purposes

2016-03-21 Thread Jason Haar
ng to this simplest case for the moment and avoid the "peek" call Thanks! Jason On Mon, Mar 21, 2016 at 8:53 PM, Amos Jeffries wrote: > On 21/03/2016 10:29 a.m., Jason Haar wrote: > > Hi there > > > > I'm wanting to use tls intercept to just log (well OK, a

Re: [squid-users] intercepting tcp/443 purely for logging purposes

2016-03-21 Thread Jason Haar
32 startup=15 idle=5 acl SSL_https port 443 ssl_bump splice SSL_https On Tue, Mar 22, 2016 at 12:05 AM, Vito A. Smaldino < vitoantonio.smald...@istruzione.it> wrote: > Hi all, > great, i'm just searching for this. Jason can you kindly post the whole > squid.conf? > Thank

Re: [squid-users] grove.microsoft.com

2016-04-14 Thread Jason Haar
released in response to a public > records request, do not send electronic mail to this entity. Instead, > contact this office by phone or in writing.

Re: [squid-users] Browser circunvents acl's blocking https (intercept mode)

2016-04-23 Thread Jason Haar
tcp/443 - but you're implying there are yet more alternatives? -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Re: [squid-users] SSO and Squid, SAML 2.0 ?

2016-09-22 Thread Jason Haar
e Digest is more secure over cleartext - but it's also noticeably slower than Basic over latency links, so you can choose your poison there If you're really keen, you can actually do proxy-over-TLS via WPAD with Firefox/Chrome - at which point I'd definitely recommend Basic for the perfor

Re: [squid-users] Peeking on TLS traffic: unknown cipher returned

2016-10-19 Thread Jason Haar
equires* full MiTM which I want to avoid as I believe it has no future due to pinning. Off to upgrade to 3.5.22 :-) -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Re: [squid-users] 3.5.4 Can't access Google or Yahoo SSL pages

2015-05-04 Thread Jason Haar
orks just fine without "dns_v4_first" - which implies my statements above are correct ie this smells like you actually do have ipv6 enabled, but it's broken in some subtle way (like the pmtu issue Amos mentioned) -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navi

Re: [squid-users] 3.5.4 need more help with peek and splice and external helper

2015-05-06 Thread Jason Haar
with the smoke-n-mirrors that is SSL intercept :-) -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Re: [squid-users] Ssl-bump deep dive (properly creating certs)

2015-05-24 Thread Jason Haar
all is said and done, transparent HTTPS intercept is the very last thing you should be working on. You need to gets squid working 100% as a formal proxy - and only then start looking at making that work in transparent mode. And you *definitely* want ssl_crtd. -- Cheers Jason Haar Corpor

[squid-users] can anyone see why this ssl-bump config causes squid to crash?

2015-05-30 Thread Jason Haar
xt" acl DiscoverCONNECTHost at_step SslBump1 acl DiscoverSNIHost at_step SslBump2 ssl_bump peek DiscoverCONNECTHost SSL_https ssl_bump splice HTTPSportButNotHTTPSsites ssl_bump splice NoSSLIntercept ssl_bump splice all sslproxy_cert_error allow HTTPSportButNotHTTPSsites sslproxy_cert_error allo

Re: [squid-users] Fw: 3.5.5 Win x64 SquidTray crash

2015-06-07 Thread Jason Haar
the installer had added a rule. Yeah - windows firewall is a major pain. Better to turn the darn thing off and rely on something else -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F

Re: [squid-users] problem with some ssl services

2015-06-16 Thread Jason Haar
o splice on the first bit of evidence that some part needed client certs - even optional) -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

[squid-users] confused about ICAP and who's downloading what

2015-06-20 Thread Jason Haar
" can mean many things: even how dns lookups occur, ipv6 support, etc) Thanks -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Re: [squid-users] confused about ICAP and who's downloading what

2015-06-22 Thread Jason Haar
On 21/06/15 10:45, Antony Stone wrote: > The former - squid does the download and passes the content to ICAP. Great. So squid does all the network calls and ICAP simply gets to review the content (request and/or response) and potentially change it. Perfect :-) Thanks! -- Cheers Jason H

Re: [squid-users] Questions Regarding Transparent Proxy, HTTPS, and ssl_bump

2015-06-24 Thread Jason Haar
see www.site.name as the SNI) -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Re: [squid-users] Force LDAP groups to de-authenticate?

2015-07-03 Thread Jason Haar
rent product - something like pfsense comes to mind -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Re: [squid-users] SSL-bump and Public Key Piinning (HPKP)

2015-07-05 Thread Jason Haar
On 6/07/15 2:01 am, Walter H. wrote: reply_header_access Public-Key-Pins deny all but this doesn't really work; is there another way? If you think you can override all pinning options, then I'm afraid you're mistaken. Well written security apps should do their darndest to stop TLS intercept fr

[squid-users] can't get bump to work anymore on 3.5.7?

2015-08-18 Thread Jason Haar
call hearing that some new code has been introduced that helps squid "magically" figure out whether to even bother bumping some traffic types? Is this related? It smells like squid has already decided to not bump: based on it's own logic more than the config? (ie is my config

Re: [squid-users] can't get bump to work anymore on 3.5.7?

2015-08-19 Thread Jason Haar
es (eg Skype). It just seems like it's currently limited to default splice, with bumping explicit things? (which I can't believe is useful) -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9

Re: [squid-users] can't get bump to work anymore on 3.5.7?

2015-08-19 Thread Jason Haar
who deliberately brings up a SSLv2 system in order to subvert my assumption is welcome to - try finding a web browser that will talk to it :-). People who bash their way through multiple layers of browser warning popups/etc in order to get infected are out of scope ;-) Thanks again for your he

Re: [squid-users] can't get bump to work anymore on 3.5.7?

2015-08-20 Thread Jason Haar
On 20/08/15 12:42, Jason Haar wrote: > So now I can: > > 1. ###dynamically whitelist/splice non-SNI traffic via it's existence > (commented because it didn't work - ended up splicing everything) > Figured that one out: ".*" is a file - .* is a regex :-

Re: [squid-users] can't get bump to work anymore on 3.5.7?

2015-08-22 Thread Jason Haar
ell calls - not a good look) -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Re: [squid-users] Dropbox and GoogleDrive apps won't connect with SSLBump enabled

2015-08-31 Thread Jason Haar
ept is bleak -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Re: [squid-users] 3.5.8 — SSL Bump questions

2015-09-09 Thread Jason Haar
g format, log parsers would skip all PEEKED/CONNECT lines as redundant (although they're useful for us humans) Yeah, it would break existing logging tools - but so does the "GET https://..." stuff anyway - so they need updating too ;-) -- Cheers Jason Haar Corporate Informati

Re: [squid-users] Problems with wpad in Squid3

2015-09-10 Thread Jason Haar
; Expire > 900 ); Negative Cache TTL > ; > @ IN NS dns1.cmb.emprea.com. > @ IN MX 10 webmail.cmb.emprea.com. > ... > proxy IN A 192.

Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-10-01 Thread Jason Haar
es it and it mostly works. -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-10-02 Thread Jason Haar
ating and there's no obvious signs of a cert error - so I can't figure out what is going wrong. I've manually downloaded the server cert using "openssl s_client" and the cert chain validates just fine - so what is squid doing to it? Weird... -- Cheers Jason Haar Corporat

Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-10-02 Thread Jason Haar
g..OO.N.H0F.!.~F.n# Y..&^.v.x.+!..n..J@9.[.J.C.1.L5.(.%%..9.. Signature Algorithm: sha256WithRSAEncryption Fake: X509v3 Basic Constraints: CA:FALSE Signature Algorithm: sha256WithRSAEncryption -- Cheers Jason Haar Corporate Informa

Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-10-03 Thread Jason Haar
o I don't think it's actually got anything to do with the CA itself) -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-06 Thread Jason Haar
ult directly (ie I'm making sure revoked certs are never bumped) But this is a bug in squid - this means untrustworthy certs become trusted again - not a good look -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint:

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-06 Thread Jason Haar
ection and instead splice it. End result is squid only bumps sessions it can successfully and safely bump, and applications like Gtalk, Skype, and regex-whitelisted sites work without human intervention - leaving only cert pinning as the only manual process (because these cannot be detected

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-06 Thread Jason Haar
ogrammer - so I'd rather someone more competent did it if possible ;-) -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Re: [squid-users] Safari 9 vs. SSL Bump

2015-10-13 Thread Jason Haar
the CAs used by those sites - thus causing the problem you see? Certainly matches the symptoms -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 84

Re: [squid-users] debug skype ssl_bump numeric ips to be spliced

2015-10-15 Thread Jason Haar
On 15/10/15 14:25, Amos Jeffries wrote: > All those lines imply is a certificate verify problem inside the SSL > library. Would it be possible to put the ip:port in those error messages? Would certainly help answer those questions... -- Cheers Jason Haar Corporate Information Security M

Re: [squid-users] Safari 9 vs. SSL Bump

2015-10-15 Thread Jason Haar
>>>>>>> I'm using Squid 3.5.10 and this is my current config: >>>>>> https://gist.github.com/djch/9b883580c6ee84f31cd1 >>>>>> >>>>>> Anyone have any idea what I can try? >>>>> You can try bump at ste

Re: [squid-users] Safari 9 vs. SSL Bump

2015-10-15 Thread Jason Haar
eckIfHTTPS ssl_bump splice !SNIpresent ssl_bump splice NoSSLIntercept ssl_bump bump is_ssl -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Re: [squid-users] Safari 9 vs. SSL Bump

2015-10-15 Thread Jason Haar
t; k=/System/Library/Keychains/X509Anchors > /dev/null 2>&1 || true The "ipsec/smime" stuff is actually not needed - but I don't care ;-) I went for the carpet bombing approach for the Mac (which I don't know well) -- Cheers Jason Haar Corporate Information Security M

Re: [squid-users] HTTP performance hit with Squid

2015-10-22 Thread Jason Haar
fast in client browser. Could that be DNS? Is the server configured to use valid DNS servers? Check each of them yourself to see what their response times are like, eg time nslookup some.valid.site.that.isn't.in.cache maybe you'll see 2sec show up on one of them... -- Cheers Jason Haa

[squid-users] using splice just to improve TLS SNI logging

2015-12-03 Thread Jason Haar
hat HTTPS sites have been visited when I need to. Does going "splice" mode avoid all the potential SSL/TLS issues surrounding bump? ie it won't care about client certs, weird TLS extensions, etc? (ie other than availability, it shouldn't introduce a new way of failing?) Th

[squid-users] Host header forgery affects pure splice environment too?

2015-12-27 Thread Jason Haar
d off intercept and successfully used TOR, it must have cached a bunch of things because I then re-enabled intercept and it's no longer making any tcp/443 connections - it goes straight out on other "native" TOR ports. So it may be this can only be tested on a fresh install (or after so

Re: [squid-users] Host header forgery affects pure splice environment too?

2015-12-27 Thread Jason Haar
acl SSL_https port 443 ssl_bump splice SSL_https -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Re: [squid-users] Host header forgery affects pure splice environment too?

2015-12-27 Thread Jason Haar
" output and looking at what cache.log says about > the state of the request that is being checked and failing. I think we know what the problem is: TOR is making TLS connections (I don't know if they're HTTPS) on port 443 and uses SNI names that aren't real? -- Cheers Jaso

Re: [squid-users] problem with squidGuard redirect page after upgrading squid

2016-01-05 Thread Jason Haar
s that allowed for rapid searching for matches - is this done within squid now? (presumably it wasn't some time ago?). If so, is that done in memory or via the acl files? (ala SG) - the former means a much slower squid startup? Thanks -- Cheers Jason Haar Corporate Information Security Manag

[squid-users] confused over ipv6 failing on ipv4-only network

2016-01-05 Thread Jason Haar
down. Please try the request again. Your cache administrator is webmaster. -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Re: [squid-users] confused over ipv6 failing on ipv4-only network

2016-01-05 Thread Jason Haar
On 06/01/16 17:39, Amos Jeffries wrote: > On 6/01/2016 5:04 p.m., Jason Haar wrote: >> Hi there >> >> Weird - several times in the past couple of months I have found I cannot >> get to http://wiki.squid-cache.org/ - I get the error below from my >> squid-3.5.11 se

[squid-users] how to generate errors when blocking https urls in transparent with peek+splice mode

2016-01-05 Thread Jason Haar
ng nice error messages on the CONNECT case? I doubt there could be anything better without going full bump This is CentOS6 with iptables for transparent 443 and squid-3.5.10 -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint:

Re: [squid-users] confused over ipv6 failing on ipv4-only network

2016-01-05 Thread Jason Haar
On 06/01/16 19:29, Jason Haar wrote: >> This just means that IPv6 was the *last* thing tried. It is entirely >> > probable that IPv4 were tried first and also failed. Particularly if you >> > have dns_v4_first turned on. > No - I don't have dns_v4_first defined a

Re: [squid-users] problem with squidGuard redirect page after upgrading squid

2016-01-06 Thread Jason Haar
tead of <1sec). I'd say "outsourcing" this kind of function to another process (such as url_rewriter or ICAP) still has it's advantages ;-) -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 48

Re: [squid-users] problem with squidGuard redirect page after upgrading squid

2016-01-07 Thread Jason Haar
gex" acl type - so regex it is (can't use dstdomain because we want to block "http://good.site/bad.url"; - not all of "good.site") -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7

Re: [squid-users] problem with squidGuard redirect page after upgrading squid

2016-01-07 Thread Jason Haar
e scraping are you also filtering for duplicates and reducing > multiple URLs in one doman down to fewer entries? Yeah - no dupes - but no manually reading to figure out patterns either. That would take a human eye - and I want set-and-forget automation -- Cheers Jason Haar Corporate Informa

[squid-users] host header forgery false positives

2016-01-11 Thread Jason Haar
: on URL: live.github.com:443 2016/01/12 13:03:59.200 kid1| SECURITY ALERT: Host header forgery detected on local=192.30.252.92:443 remote=192.168.0.7:46647 FD 275 flags=33 (local IP does not match any domain IP) 2016/01/12 13:03:59.200 kid1| SECURITY ALERT: on URL: live.github.com:443 -- Cheers Ja

Re: [squid-users] https full url

2016-01-17 Thread Jason Haar
network-based security like content filtering proxies find it hard to keep up as they have become the enemy (because they can be used for evil as well as good). -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP

[squid-users] any way to get squid-4 compiled on CentOS-6?

2016-02-12 Thread Jason Haar
o has anyone figured out how to get squid-4 working on such older systems? Thanks -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D

[squid-users] howto log outbound bytes properly?

2016-02-14 Thread Jason Haar
or catching outbound bytes for CONNECT? Thanks! -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Re: [squid-users] host header forgery false positives

2016-02-15 Thread Jason Haar
https specific? -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

[squid-users] getting sslbump cert errors on major sites

2014-10-02 Thread Jason Haar
squidCA.cert capath=/etc/ssl/certs/ so this means the CA's Ubuntu lists in /etc/ssl/certs/ is "out of date" compared with Firefox? Really a rhetorical question, just kinda wanting to know about where sslbump will run into trouble, etc :-) -- Cheers Jason Haar Corporate Informati

Re: [squid-users] transparent proxy https and self signed certificate error

2014-10-04 Thread Jason Haar
ere are less and less sites that sslbump can work on. I wanted to use sslbump so that we could run AV and filtering on https links, but pinning means our "exclude list" of https sites is getting larger and larger - and includes Cloud providers the badguys are housing their malware on -

[squid-users] squid not liking dnscache for some hosts?

2014-10-07 Thread Jason Haar
is matching dropboxusercontent.com against acl lists and NOT getting a match (as expected) - it doesn't seem to show DNS debugging? Any ideas? Thanks -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9

Re: [squid-users] squid not liking dnscache for some hosts?

2014-10-07 Thread Jason Haar
- great... Strangely enough, I just checked and now it's all working (AAA resolves to CNAME which resolves to A records). I wonder if there's a Dropbox engineer on this mailing-list...? ;-) -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1

Re: [squid-users] Squid 2.7 STABLE8 (Win2008) can't get my MS Lync 2013 to work?

2014-10-07 Thread Jason Haar
're tracking them: that means they're less likely to go to dodgy sites/etc on company time :-) -- Cheers Jason Haar

[squid-users] squid-3.4.8 sslbump breaks facebook

2014-10-16 Thread Jason Haar
side.cc(3906) getSslContextStart: Cached SSL certificate for /C=US/ST=CA/L=Menlo Park/O=Facebook, Inc./CN=*.facebook.com+Sign=signTrusted is valid 2014/10/16 18:40:17.956 kid1| ctx: enter level 0: 'www.facebook.com:443' 2014/10/16 18:40:17.956 kid1| HttpHeader.cc(1531) ~HttpHeaderEntry: destroying en

Re: [squid-users] squid-3.4.8 sslbump breaks facebook

2014-10-16 Thread Jason Haar
On 16/10/14 20:54, Jason Haar wrote: > I also checked the ssl_db/certs dir and > removed the facebook certs and restarted - didn't help let me rephrase that. I deleted the dirtree and re-ran "ssl_crtd -s /usr/local/squid/var/lib/ssl_db -c" - ie restarted with an empty cach

Re: [squid-users] squid-3.4.8 sslbump breaks facebook

2014-10-17 Thread Jason Haar
> Please test it and report any problem. > > Regards, > Christos > > > > On 10/16/2014 12:14 PM, Amm wrote: >> >> On 10/16/2014 02:35 PM, Jason Haar wrote: >>> On 16/10/14 20:54, Jason Haar wrote: >>>> I also checked the ssl_db/certs dir

[squid-users] infinite loop on using SSL to connect to squid with ssl-bump

2014-10-20 Thread Jason Haar
I'm simply missing something, any suggestions? Thanks! -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Re: [squid-users] infinite loop on using SSL to connect to squid with ssl-bump

2014-10-20 Thread Jason Haar
On 21/10/14 12:24, Alex Rousskov wrote: > On 10/20/2014 04:22 PM, Jason Haar wrote: > >> Both Chrome and Firefox support talking to proxies using SSL (wpad type >> "HTTPS" instead of "PROXY"). > I did not know that support was added to major browsers. Any

[squid-users] could sslbump handle client certs better?

2014-11-05 Thread Jason Haar
ly be like me and purely interested in using sslbump for enabling SSL content filtering, and I really doubt we'll be seeing many viruses via client-cert protected https any time soon ;-) -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 48

[squid-users] sslbump working with 3.4.9 but not in intercept mode?

2014-11-10 Thread Jason Haar
Intercept_sites dstdom_regex "/etc/squid/SSL_noIntercept_sites.txt" ssl_bump none SSL_nonHTTPS_sites ssl_bump none SSL_noIntercept_sites ssl_bump server-first all So these older search-engine pages I came across claimed this should work with squid, but either I am missing something, or this doesn't work

Re: [squid-users] sslbump working with 3.4.9 but not in intercept mode?

2014-11-10 Thread Jason Haar
19332 KB 207% Total free:67 KB 1% 2014/11/10 23:20:43 kid1| storeDirWriteCleanLogs: Starting... 2014/11/10 23:20:43 kid1| Finished. Wrote 9466 entries. 2014/11/10 23:20:43 kid1| Took 0.01 seconds (732549.14 entries/sec). 2014/11/10 23:20:46 kid1| Set Current Director

Re: [squid-users] sslbump working with 3.4.9 but not in intercept mode?

2014-11-10 Thread Jason Haar
is active. Inferior 1 [process 29756] will be killed. Quit anyway? (y or n) y -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Re: [squid-users] sslbump working with 3.4.9 but not in intercept mode?

2014-11-10 Thread Jason Haar
4:09 kid1| storeDirWriteCleanLogs: Starting... 2014/11/11 00:14:09 kid1| Finished. Wrote 9479 entries. 2014/11/11 00:14:09 kid1| Took 0.04 seconds (240455.59 entries/sec). 2014/11/11 00:14:12 kid1| Set Current Directory to /var/spool/squid 2014/11/11 00:14:12 kid1| Starting Squid Cache ve

Re: [squid-users] sslbump working with 3.4.9 but not in intercept mode?

2014-11-10 Thread Jason Haar
> The attached patch should fix the crash. > > Amos -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

[squid-users] https intercept breaks non-HTTPS port 443 traffic?

2014-11-10 Thread Jason Haar
25): error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (1/-1/0) At the very least, with that I could have a cronjob grep through my cache.log to auto-create a "bump none" acl ;-) Thanks -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. P

[squid-users] connecting directly to ssl-bump intercept port causes runaway CPU

2014-11-11 Thread Jason Haar
L_noIntercept_sites dstdom_regex "/etc/squid/SSL_noIntercept_sites.txt" ssl_bump none SSL_nonHTTPS_sites ssl_bump none SSL_noIntercept_sites ssl_bump server-first all sslproxy_cert_error allow SSL_nonHTTPS_sites sslproxy_cert_error allow all -- Cheers Jason Haar Corporate Information Security Ma

Re: [squid-users] connecting directly to ssl-bump intercept port causes runaway CPU

2014-11-12 Thread Jason Haar
ke - no data needs to flow for the fault to trigger. If I call "curl http://proxy.server:3127" it also triggers the runaway CPU (3127 being my https intercept port of course). Thanks -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481

Re: [squid-users] connecting directly to ssl-bump intercept port causes runaway CPU

2014-11-12 Thread Jason Haar
till works for anything else. Now squid never sees the direct 3127 connection and so never goes into a loop Jason -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB

[squid-users] OT: why does openssl-1.0.1f not like https://www.bnz.co.nz/?

2014-11-12 Thread Jason Haar
y" in certain error conditions and basically workaround this kind of issue) Thanks -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ___

Re: [squid-users] OT: why does openssl-1.0.1f not like https://www.bnz.co.nz/?

2014-11-12 Thread Jason Haar
ight now the Bank of New Zealand doesn't support TLSv1.1, let alone TLSv1.2! -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Re: [squid-users] Centralized Squid - design and implementation

2014-11-17 Thread Jason Haar
sn't going to help. But if WPAD knows that a WAN-connected proxy is still working - why not point your users at that instead We've been doing this for 10+ years, 99% of the time it's never needed, but when it's needed, it works :-) -- Cheers Jason Haar Corporate Information

Re: [squid-users] Centralized Squid - design and implementation

2014-11-18 Thread Jason Haar
n the Internet for our staff to use (authenticated of course!) - WPAD makes that something we could implement with no client changes - pretty cool :-) -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CA

Re: [squid-users] Authentication\Authorization using a PAC file?

2014-11-24 Thread Jason Haar
"). That sort of put an end to that experiment, as I was anticipating a standalone account database with randomly generated 20-char passwords :-)

[squid-users] odd wccp issue affecting only some web servers

2014-12-04 Thread Jason Haar
a normal proxy. Any ideas how to diagnose this, or is this a "that was fixed in a newer version that your OS vendor doesn't support" kind of problem? ;-)

Re: [squid-users] Running SCCM through Squid

2014-12-07 Thread Jason Haar
e're looking at doing the same thing using client certs and will probably use stunnel (instead of laying the SCCM server bare-assed on the Internet). Jason

[squid-users] anyone transparently proxying ipv6?

2014-12-08 Thread Jason Haar
Is anyone successfully transparently proxying ipv6 traffic? Can TPROXY be used over WCCP? Thanks!

Re: [squid-users] odd wccp issue affecting only some web servers

2014-12-10 Thread Jason Haar
ALLOW" in iptables (everything else being correct and eyeballed as "good") and simply didn't work as a transparent proxy! As it was only 1 of 3, we had "some sites worked, some didn't". :-) Fixed ;-)

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

2015-01-03 Thread Jason Haar
certainly like to take a look at it too. However, you say "SSL" - did you mean "HTTPS"? i.e. discovering an ip:port is an IMAPS server doesn't really help squid talk to it - surely you want to discover HTTPS servers - and everything else should be pass-through/splice?

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

2015-01-04 Thread Jason Haar
g any HTTPS site using cloudfront.net is in that category. Of course it still works - but in passthrough mode - which isn't the outcome we're after. I'm going to have to look at squid-3.5 ;-)

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

2015-01-06 Thread Jason Haar
TPS requests from web browsers - the 0.1% remaining SSL traffic can slip through the cracks for all I care ;-)

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

2015-01-07 Thread Jason Haar
you expect to feed this NIDS data back into squid? I think you'd find you'd need an external acl check to do that bit anyway :-)

Re: [squid-users] proxy pac files issues

2015-01-17 Thread Jason Haar
en it's not a WPAD problem (I'm not sure about me mentioning Chrome, it's just that I know Google designed Chrome to use the same OS settings that MSIE does when it can - so any bug/issue with those libraries could affect Chrome if they affect MSIE)

Re: [squid-users] [squid-announce] Squid 3.5.1 is available

2015-01-17 Thread Jason Haar
o an HTTPS server, then to bump that and splice anything else. So having the usage example reflect that makes sense.

Re: [squid-users] google always requesting captcha through transparent proxy

2015-01-18 Thread Jason Haar
say is that most of us squid users don't see what you are seeing
