Hello Daniel, Yuri,

Maybe you could dump your whole squid.conf here (please remove any sensitive details). I still cannot understand: once Squid has the target server hostname from SNI, where is the acl/rule in squid.conf that can be used with this info present?

Best regards,
Rafael

________________________________
From: squid-users <squid-users-boun...@lists.squid-cache.org> on behalf of Daniel Greenwald <d...@digcorp.net>
Sent: Monday, January 26, 2015 5:39 AM
To: Yuri Voinov
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Why 3.5.0.4 generates mimicked certs with server IP only when bumping?

Thank you Amos,

Based on your explanation I was able to make bumping work for transparent with no browser errors in 3.5.1 by using the following. If I understand correctly, this is actually what's required to mimic the behavior of pre-3.5 (ssl_bump server-first all):

    acl step1 at_step SslBump1
    acl step2 at_step SslBump2
    ssl_bump peek step1 all
    ssl_bump server-first step2 all

Hope that helps Yuri or anyone else with this issue.

PS So far this is working great for e.g. gmail.com, which in the previous version would throw browser errors!

-----------
Daniel I Greenwald

On Fri, Jan 9, 2015 at 2:51 PM, Yuri Voinov <yvoi...@gmail.com> wrote:

How can that be? All HSTS sites cry with the 3.5 bump option - they don't like the host IP as CN; other sites' behaviour depends on their (and the browsers') settings.

Is it possible to keep server-first behaviour in 3.5.x?

WBR, Yuri

09.01.2015 16:57, Amos Jeffries wrote:
> On 9/01/2015 11:45 p.m., Yuri Voinov wrote:
> > > I have working production 3.4.10 with working ssl bumping.
> > > Config was the same as working 3.4.10. I just wanted to take a
> > > look at the new release.
> > > In squid.conf.documented it is said that backward compatibility with the server-first
> > > and none options for ssl_bump is kept.
> > > But:
> > > Neither works with old syntax, nor new.
> > > Looks like target https hosts are not resolved and bump got only the IP.
>
> The config values are still accepted, but there is an extra bumping
> stage now before the SNI is available.
>
> You are wanting to peek at stage 1 (to get the client SNI details) and
> server-first/splice at stage 2 (using the domain). Otherwise all Squid
> works with when intercepting are the TCP IPs.
>
> Amos

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
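Added example, not posted by anyone in the thread: a Squid 3.5 squid.conf fragment that puts the SNI-based rule in the place the thread is circling around. The intercept port 3129, the CA file /etc/squid/bump.pem, the ssl_crtd helper path and the hosts in the nobump list are assumptions chosen for illustration. The three ssl_bump actions shown (peek, splice, bump) and the at_step and ssl::server_name ACL types are the 3.5 ones; server-first, as used in Daniel's config, is accepted in 3.5 as a deprecated alias for bump.

```conf
# Added example (not from the thread). Assumptions: Squid 3.5.x, an
# intercept port on 3129, a CA key+cert at /etc/squid/bump.pem, ssl_crtd
# installed at /usr/lib/squid/ssl_crtd, and a hypothetical exempt-host list.

http_port 3129 intercept ssl-bump cert=/etc/squid/bump.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

# Bumping steps. At SslBump1 Squid only knows the intercepted TCP endpoints
# (hence the IP-only mimicked certificates the thread complains about).
# After a peek at step 1 the client's SNI is available at SslBump2.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# The SNI-based decision Rafael asks about: ssl::server_name matches the
# server name Squid has learned so far (the SNI after the step-1 peek; later
# also the server certificate CN). Hypothetical hosts; pinned or HSTS sites
# that break when bumped belong here so they are tunnelled, not bumped.
acl nobump ssl::server_name .example-bank.test .updates.example.test

# Step 1: peek at the ClientHello so the SNI is learned before any decision.
ssl_bump peek step1 all

# Step 2: evaluated again once the SNI is known. Exempt hosts are spliced
# (tunnelled unchanged, no forged certificate at all)...
ssl_bump splice nobump

# ...and everything else is bumped. "bump" after a step-1 peek connects to
# the real server first, fetches its certificate and mimics it with the SNI
# name rather than the IP as subject, which is the pre-3.5 server-first
# behaviour. "server-first" is still accepted in 3.5 as a deprecated alias.
ssl_bump bump all
```

Two things worth checking after applying this: squid -k parse must accept the file without warnings about unknown ssl_bump actions (a 3.4 binary will not know peek or splice), and a test connection to a host in the nobump list must show the origin server's own certificate in the browser, not one issued by the bump CA.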