Thanks alex, made this one on squid 4.10
acl TestFinger server_cert_fingerprint
77:F6:8D:C1:0A:DF:94:8B:43:1F:8E:0E:91:5E:0C:32:42:8B:99:C9
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3
ssl_bump peek ssl_step2
ssl_bump splice ssl_step3 TestFinger
ssl_bump stare ssl_step2 all
ssl_bump bump all
But no luck, website still decrypted.
Le 13/05/2020 à 21:33, Alex Rousskov a écrit :
On 5/12/20 7:42 AM, David Touzeau wrote:
ssl_bump peek ssl_step1
ssl_bump splice TestFinger
ssl_bump stare ssl_step2 all
ssl_bump bump all
Seems TestFinger Acls did not matches in any case
You are trying to use step3 information (i.e., the server certificate)
during SslBump step2: The "splice TestFinger" line is tested during
step2 and mismatches because the server certificate is still unknown
during that step. That mismatch results in Squid staring during step2.
The "splice TestFinger" line is not tested during step3 because splicing
is not possible after staring. Thus, Squid reaches "bump all" and bumps.
For a detailed description of what happens (and what information is
available) during each SslBump step, please see
https://wiki.squid-cache.org/Features/SslPeekAndSplice
Also, if you are running v4.9 or earlier, please upgrade. We fixed one
server_cert_fingerprint bug, and that fix became a part of the v4.10
release (commit e0eca4c).
HTH,
Alex.
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
