Greetings We're using Squid 3.5.19 with ssl bump, and we want to tunnel (not bump) applications such as skype, that use pinned ssl, so we defined an acl for splicing skype's ssl_server_name.
However skype's client app uses client certificates that don't have SNI. The only way to identify skype is its Common Name: *.dc.trouter.io But the Common Name is available only in step3 of ssl bump, where tunneling the connection is no longer possible (as documented in peek and splice step3 docs). What we get is bumping. Is there a way we can tunnel an acl based on Common Name? ty http_port 3127 http_port 3128 intercept https_port 3129 ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem always_direct allow all acl DiscoverSNIHost at_step SslBump1 acl NoSSLIntercept ssl::server_name_regex -i (microsoft|msn|windows|update| skype.com|go.trouter.io|secure.adnxs.compipe.skype.com|skype-m.hotmail.com| mobile.pipe.aria.microsoft.com|edge.skype.com|api.cc.skype.com|a.config.sky pe.com|clientlogin.cdn.skype.com|.dc.trouter.io|ui.skype.com|apps.skype.com| registrar-rr.prod.registrar.skype.com|secure.skypeassets.com|c1.skype.com) ssl_bump splice NoSSLIntercept ssl_bump peek DiscoverSNIHost ssl_bump bump all sslproxy_cert_error allow all sslproxy_flags DONT_VERIFY_PEER sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB sslcrtd_children 5
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
