RE: [squid-users] SSL_Bump issue

From: Darren Breeze <darrenjbreeze_at_netvigator.com>
Date: Mon, 3 Feb 2014 09:44:33 +0800

Hi

I tried updating the relevant conf lines as:

http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/usr/local/squid3/ssl_cert/myCA.pem

sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 16MB

and tried that, but no change

I then tried the alternate protocol line as suggested but no result.

https://www.facebook.com also skips loading mainly images.

I have all the icap working, but this one is proving to be the roadblock.

thanks for coming back so quick!

Darren B.

-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: Monday, 3 February 2014 8:54 AM
To: squid-users_at_squid-cache.org
Subject: Re: [squid-users] SSL_Bump issue

On 2014-02-03 12:11, Darren Breeze wrote:
> Hi
>
> I am writing an icap application to do https intercept for a local
> application. I have used Squid 3.4.2 setup ssl_bump as follows:
>
<snip>

> However, some of the news story thumbnails are failing to load as they
> are being loaded off another https server eg.
>
> https://lh3.googleusercontent.com/-TrtEHOgcMFE/AAAAAAAAAAI/AAAAAAAAAAA/K547x_dy1bY/s32/photo.jpg
>
> other urls load ok coming off various servers eg.
>
> https://t2.gstatic.com/images?q=tbn:ANd9GcQEUL_w18SM0m00j_JjU0KhoxaQ0MmrovPPV8-w_RclRK6RslWtD6ZUOmTfkOVu6dTnjbAUbeQ
>
> I am guessing that squid would have to manage a large list of server
> certs just to load this page and there is some limit I need to set
> higher?
>

Maybe. It would be the cert cache size (currently 4MB) if so.

Also, Google servers emit a header to make the browsers (Chrome in
particular) move away from HTTP to their experimental transfer protocols. You could try:

   reply_header_access Alternate-Protocol deny all

Amos
Received on Mon Feb 03 2014 - 01:44:46 MST
