On Sun, 2017-11-26 at 09:50 +0200, Alex K wrote:
> Perhaps an alternative is to peek only on step1:
>
> acl step1 at_step SslBump1
>
> ssl_bump peek step1
> acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
> ssl_bump splice allowed_https_sites
> ssl_bump terminate all

Hrmm...wouldn't that negate the ability to read the cert on step2? In layman's terms I'm thinking:

"peek at step1"
"splice acl allow matched sni's"
"peek at step2"
"splice acl allow'd matched certs"
"terminate the rest"

Would that work Amos?
> On Nov 25, 2017 14:46, "James Lay" <j...@slave-tothe-box.net> wrote:
> > On Sun, 2017-11-26 at 01:33 +1300, Amos Jeffries wrote:
> > > On 26/11/17 00:52, James Lay wrote:
> > > > On Sat, 2017-11-25 at 23:48 +1300, Amos Jeffries wrote:
> > > > > On 25/11/17 08:30, James Lay wrote:
> > > > > > Topic says it...this setup has been working well for a long time, but
> > > > > > now there are some sites that are failing the TLS handshake. Here's
> > > > > > my setup:
> > > > > >
> > > > > > acl localnet src 192.168.1.0/24
> > > > > > acl SSL_ports port 443
> > > > > > acl Safe_ports port 80
> > > > > > acl Safe_ports port 443
> > > > > > acl CONNECT method CONNECT
> > > > > > acl allowed_http_sites url_regex "/opt/etc/squid/http_url.txt"
> > > > > > http_access deny !Safe_ports
> > > > > > http_access deny CONNECT !SSL_Ports
> > > > > > http_access allow SSL_ports
> > > > > > http_access allow allowed_http_sites
> > > > > > http_access deny all
> > > > > > ssl_bump peek all
> > > > > > acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
> > > > > > ssl_bump splice allowed_https_sites
> > > > > > ssl_bump terminate all
> > > > >
> > > > > Because you have "peek all" being performed the transaction MUST pass
> > > > > your regex patterns with both TLS SNI from the client *and* the server
> > > > > certificate SubjectName values. Either one not matching will perform
> > > > > that "terminate all" on the TLS handshake.
> > > >
> > > > Thanks Amos...do you have a suggestion for changing this to match one or
> > > > the other instead of both?
> > >
> > > Doing the splice check before the peek should do that. First one of the
> > > server_names data sources to match will then splice and non-matches fall
> > > through to either peek or terminate if no more peeking possible.
> > >
> > > Amos
> >
> > Perfect..I've modded my lines with:
> >
> > acl broken_https_sites ssl::server_name_regex "/opt/etc/squid/broken_url.txt"
> > ssl_bump splice broken_https_sites
> > ssl_bump peek all
> > acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
> > ssl_bump splice allowed_https_sites
> > ssl_bump terminate all
> >
> > Hopefully that fixes these up. Another site besides the one this
> > thread is fbcdn.net. Again, these DID work, but something within the last
> > month has changed...guessing Facebook and Elder Scrolls Online have added
> > additional TLS security. Thanks as always Amos.
> >
> > James
> > _______________________________________________
> > squid-users mailing list
> > squid-users@lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
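As an added illustration (not a configuration posted by anyone in the thread), the "peek at step1, splice matched SNI, peek at step2, splice matched certs, terminate the rest" sequence sketched in the reply above, written out as an ssl_bump rule set. It reuses the thread's ACL name and pattern file; the at_step ACL values SslBump1 and SslBump2 are Squid's own step names. Whether this ordering actually resolves the fbcdn.net and Elder Scrolls Online handshake failures is not confirmed anywhere in the thread, so treat it as the question as config, not as a verified answer.

```conf
# Added example: the step-based splice-before-peek sequence from the reply above.

acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Same pattern file as elsewhere in the thread. ssl::server_name_regex is
# checked against the server name(s) Squid knows at the current step: the
# CONNECT host / client SNI before the server hello has been seen, the server
# certificate names once step2 has peeked at it.
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"

# step1: only peek; no splice decision is made on the CONNECT host alone
ssl_bump peek step1
# step2: SNI matches the allow list -> splice now, without fetching the server cert
# step3: cert names match the allow list -> splice (SNI did not match at step2)
ssl_bump splice allowed_https_sites
# step2 fallthrough: SNI did not match, peek at the server hello to obtain the cert
ssl_bump peek step2
# step3 fallthrough: neither SNI nor certificate names matched the allow list
ssl_bump terminate all
```

Rule order is what makes this behave as "SNI or certificate" rather than "SNI and certificate": because the splice rule sits before the step2 peek, a matching SNI splices the connection before Squid ever looks at the server certificate, and only non-matching SNIs fall through to the peek and the later certificate check.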