I have not tried to use SSL bump, but with a regular proxy which blocks everything other than the next list of dstdomain:

.delivery.mp.microsoft.com (http)
.dsp.mp.microsoft.com (http)
.download.windowsupdate.com (http)
static.edge.microsoftapp.net (HTTPS-connect)

The Windows updates work just fine.
And as I wrote before, there are two channels: Secure for communication and plain HTTP for data transfer.

If you need more help let me know.

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com

On Sun, Mar 16, 2025 at 4:34 PM Doug Tucker <doug.tuc...@navigaglobal.com> wrote:

> No, no one responded.
>
> Doug Tucker
> Sr. Director of Networking and Linux Operations
> doug.tuc...@navigaglobal.com
> ------------------------------
> From: NgTech LTD <ngtech1...@gmail.com>
> Sent: Sunday, March 16, 2025 2:38:35 AM
> To: Doug Tucker <doug.tuc...@navigaglobal.com>
> Cc: squid-users@lists.squid-cache.org <squid-users@lists.squid-cache.org>
> Subject: Re: [squid-users] windows updates
>
> Hey,
>
> Did you manage to find a solution for your use case?
> Let me know if you need assistance with this issue.
>
> Eliezer
>
> On Tue, Mar 4, 2025 at 1:57 AM Doug Tucker <doug.tuc...@navigaglobal.com> wrote:
>
> I have read through everything I can find on this subject but still cannot
> seem to get around the issue of Windows updates not working through the
> Squid transparent proxy. No matter what I try I continue to see this in
> the cache log and Windows Update will not connect.
>
> 2025/03/03 23:26:55 kid5| Error negotiating SSL on FD 25: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
>
> I tried adding the info from the following doc to no avail.
>
> https://wiki.squid-cache.org/SquidFaq/WindowsUpdate
>
> The relevant parts of my squid.conf:
>
> #Handling HTTPS requests
> https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept
> acl SSL_port port 443
> http_access allow SSL_port
> acl allowed_https_sites ssl::server_name "/etc/squid/allowed-sites.txt"
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> ssl_bump peek step1 all
> ssl_bump peek step2 allowed_https_sites
> ssl_bump splice step3 allowed_https_sites
> ssl_bump terminate step2 all
>
> #windows update
> acl DiscoverSNIHost at_step SslBump1
> acl NoSSLIntercept ssl::server_name_regex -i "/etc/squid/url.nobump"
> ssl_bump splice NoSSLIntercept
> ssl_bump peek DiscoverSNIHost
> ssl_bump bump all
>
> I ran tcpdump and added every URL I could find to the allowed-sites.txt
> and added the 2 sites recommended to the url.nobump. If anyone has gotten
> this to work any help would be appreciated.
>
> Doug Tucker
> Sr. Director of Networking and Linux Operations
>
> o: 817.975.5832
> e: doug.tuc...@navigaglobal.com
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users
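
The allowlist described in the reply at the top of this thread, written out as a squid.conf fragment for an explicit (non-intercepting) forward proxy with no ssl_bump rules. This is an added example, not configuration posted by anyone in the thread; the ACL names and the listening port 3128 are assumptions.

```conf
# Added example: explicit forward proxy, no ssl_bump and no intercept.
# ACL names (wu_http, wu_connect) and the port are illustrative assumptions.
http_port 3128

acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT

# Plain-HTTP data channel: the domains marked "(http)" in the reply.
# A leading dot matches the domain itself and all of its subdomains.
acl wu_http dstdomain .delivery.mp.microsoft.com
acl wu_http dstdomain .dsp.mp.microsoft.com
acl wu_http dstdomain .download.windowsupdate.com

# Secure channel: the host marked "(HTTPS-connect)" in the reply.
# It is tunnelled with CONNECT and never decrypted by the proxy.
# No leading dot, so only this exact host name matches.
acl wu_connect dstdomain static.edge.microsoftapp.net

# CONNECT tunnels: port 443 only, and only to the one allowed host.
http_access deny CONNECT !SSL_ports
http_access allow CONNECT wu_connect
http_access deny CONNECT

# Plain HTTP: port 80 only, and only to the listed update domains.
http_access allow wu_http Safe_ports

# Everything else is blocked.
http_access deny all
```

Running `squid -k parse` checks the file for syntax errors before the configuration is reloaded.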