Re: [squid-users] Re: squid with qlproxy on fedora 20 not working for https traffic

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Sat, 14 Jun 2014 11:12:07 -0600

On 06/13/2014 09:10 PM, Amos Jeffries wrote:
> On 14/06/2014 1:23 p.m., MrErr wrote:
>> Does this mean that dstdomain does not work with ssl-bump?

> Yes and no. It works with CONNECT bumping in regular proxy traffic.

... unless the browser uses IP addresses in CONNECT requests (some do)
or the user types in (or clicks on a link with) an IP address instead of
a domain name (rare and does not work well for the user even without
SslBump, but does happen in reality so be ready for it).

> It does not work on intercepted port 443 traffic reliably.

In summary, bumping SSL does not and cannot work reliably in most
environments. There will always be broken cases despite our continuing
efforts to minimize SslBump invasiveness. If user happiness is
important, be prepared to babysit your Squid and add low-level
(TCP/IP-based) exceptions.

>> My other reason for not using "ssl-bump server-first all" is that the kindle
>> fire stops working. I read that it was because of something called ssl
>> pinning. So i do need to get some kind of targeted bumping to happen.
>>
>
> HSTS probably. And yes those sites bumping does not work for.

There is also bug 3966 that affects some sites, including
Google-affiliated sites, in some environments:
http://bugs.squid-cache.org/show_bug.cgi?id=3966

Cheers,

Alex.
Received on Sat Jun 14 2014 - 17:12:22 MDT

This archive was generated by hypermail 2.2.0 : Sun Jun 15 2014 - 12:00:04 MDT