By the help of God.

If I'm using the self-signed certificate that I created for the ssl bump, then the browser considers it as the same certificate for any domain I'm connecting to?

On Tue, 22 Feb 2022 at 7:35, Eliezer Croitoru <ngtech1...@gmail.com> wrote:

> Thanks Christos,
>
> I was aware of such things but haven't seen such a case.
> Is there any way to "reproduce" this?
> I believe it should be documented in the wiki.
>
> Thanks,
>
> ----
> Eliezer Croitoru
> NgTech, Tech Support
> Mobile: +972-5-28704261
> Email: ngtech1...@gmail.com
>
> -----Original Message-----
> From: squid-users <squid-users-boun...@lists.squid-cache.org> On Behalf Of Christos Tsantilas
> Sent: Monday, February 21, 2022 11:41
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Splice certain SNIs which served by the same IP
>
> Hi Ben,
>
> When HTTP/2 is used, requests for two different domains may be served using
> the same TLS connection if both domains are served from the same remote
> server and use the same TLS certificate.
> There is a description here:
> https://daniel.haxx.se/blog/2016/08/18/http2-connection-coalescing/
>
> And a similar problem report here:
> https://bugs.chromium.org/p/chromium/issues/detail?id=1176673
>
> Regards,
> Christos
>
>
> On 14/2/22 3:49 PM, Ben Goz wrote:
> > By the help of God.
> >
> > Hi,
> > My squid version is 4.15, using it on tproxy configuration.
> >
> > I'm using ssl bump to intercept https connection, but I want to splice
> > several domains.
> > I have a problem that when I'm splicing some google domains e.g.
> > youtube.com then
> > gmail.com domain also spliced.
> >
> > I know that it is very common for google servers to host multiple
> > domains on single server.
> > And I suspect that when I'm splicing for example youtube.com
> > it'll also splice google.com.
> >
> > Here are my squid configurations for the ssl bump:
> >
> > https_port xxxx ssl-bump tproxy generate-host-certificates=on
> > options=ALL dynamic_cert_mem_cache_size=4MB
> > cert=/usr/local/squid/etc/ssl_cert/myCA.pem
> > dhparams=/usr/local/squid/etc/dhparam.pem sslflags=NO_DEFAULT_CA
> >
> > acl DiscoverSNIHost at_step SslBump1
> >
> > acl NoSSLIntercept ssl::server_name "/usr/local/squid/etc/url-no-bump"
> > acl NoSSLInterceptRegexp ssl::server_name_regex -i
> > "/usr/local/squid/etc/url-no-bump-regexp"
> > ssl_bump splice NoSSLInterceptRegexp_always
> > ssl_bump splice NoSSLIntercept
> > ssl_bump splice NoSSLInterceptRegexp
> > ssl_bump peek DiscoverSNIHost
> > ssl_bump bump all
> >
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
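
The coalescing condition Christos describes (same remote server, same TLS certificate) can be checked in advance for a splice list. The following is an added example, not part of the thread or of Squid: all hostnames, addresses and certificate names are constructed, and the "shared IP address" test is a simplified assumption about how browsers decide to reuse a connection.

```python
# Added example: which to-be-bumped hosts could ride an already spliced
# HTTP/2 connection? All data below is constructed for illustration.

def san_matches(pattern: str, host: str) -> bool:
    """Match a certificate dNSName; '*' covers exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    head, _, rest = host.partition(".")
    return bool(head) and rest == pattern[2:]

def coalescable(first: str, other: str, certs: dict, dns: dict) -> bool:
    """True if the connection opened for `first` may also carry `other`:
    the certificate served for `first` names `other`, and both hosts
    resolve to at least one common address (simplified browser rule)."""
    if first == other:
        return False
    covered = any(san_matches(p, other) for p in certs.get(first, []))
    shared_ip = bool(dns.get(first, set()) & dns.get(other, set()))
    return covered and shared_ip

def riders(spliced: list, bumped: list, certs: dict, dns: dict) -> dict:
    """Map each spliced SNI to the hosts meant for bumping that can coalesce."""
    return {s: sorted(h for h in bumped if coalescable(s, h, certs, dns))
            for s in spliced}

# Constructed inventory: SAN list of the certificate served for each spliced
# SNI, and the addresses each hostname resolves to.
CERTS = {
    "video.example.com": ["*.example.com", "example.com", "mail.example.net"],
    "cdn.example.org": ["cdn.example.org"],
}
DNS = {
    "video.example.com": {"192.0.2.10", "192.0.2.11"},
    "mail.example.net": {"192.0.2.11"},         # in SAN list, shared IP
    "www.example.com": {"192.0.2.10"},          # wildcard match, shared IP
    "accounts.example.com": {"198.51.100.7"},   # wildcard match, other IP
    "cdn.example.org": {"203.0.113.5"},
    "shop.example.org": {"203.0.113.5"},        # shared IP, not in certificate
}
SPLICE = ["video.example.com", "cdn.example.org"]
BUMP = ["mail.example.net", "www.example.com",
        "accounts.example.com", "shop.example.org"]

if __name__ == "__main__":
    for sni, hosts in riders(SPLICE, BUMP, CERTS, DNS).items():
        print(f"splice {sni}: may also carry {hosts or 'nothing'}")
```

Hosts reported for a spliced SNI are the ones whose requests can travel inside that tunnel, where the proxy only ever saw the first SNI.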