On 20/08/2014 1:12 p.m., Eliezer Croitoru wrote:
> I wasn't sure but I am now.
> You are doing something wrong and I cannot tell what exactly.
> Try to share this script output:
> http://www1.ngtech.co.il/squid/basic_data.sh
>
> There are missing parts in the whole setup such as clients IP and server
> IP, what GW are you using etc..
>
> Eliezer
Probably expecting DNS based forgery to hijack the connections is the
mistake.
When receiving HTTPS all Squid has to work with are the two TCP packet
IP addresses. If one of them is the client IP and the other is forged by
DNS (unbound), what server is to be contacted?
Hostname from the "accel" hack is buried inside the encryption which has
not yet arrived from the client. So Squid has to decrypt some future
traffic in order to discover what server to contact right now to get the
cert details which need to be emitted in order to start decrypting that
future traffic. Impossible situation.
But Squid is not aware of that, it just uses the TCP packet dst IP
(itself) and tries to get the server TLS certificate from there. Entering
an infinite loop of lookups instead of a useful decryption.
proxyplayer.co.uk,
why are you using unbound for this at all?
Amos
Received on Wed Aug 20 2014 - 07:24:16 MDT
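As an added illustration (not code from the thread or from the Squid project): a small check, assuming hypothetical unbound `local-data` entries and hypothetical proxy addresses, that flags forged DNS answers pointing back at the Squid box itself, the self-referencing condition Amos describes above.

```python
import ipaddress
import re

# Constructed unbound.conf fragment (not from the thread): forged answers
# meant to steer client lookups into a Squid intercept proxy.
UNBOUND_LOCAL_DATA = '''
local-data: "proxyplayer.example. A 192.0.2.10"
local-data: "www.example. A 203.0.113.5"
local-data: "mail.example. AAAA 2001:db8::10"
local-data: "ftp.example. CNAME www.example."
'''

# Assumed addresses bound on the Squid host (hypothetical values).
PROXY_ADDRS = {ipaddress.ip_address("192.0.2.10"),
               ipaddress.ip_address("2001:db8::10")}

# Matches: local-data: "<name> [TTL] [IN] A|AAAA <address>"
LOCAL_DATA_RE = re.compile(
    r'local-data:\s*"([^\s"]+)\s+(?:\d+\s+)?(?:IN\s+)?(A|AAAA)\s+([^\s"]+)"')


def forged_records(conf: str):
    """Return (name, ip) pairs for every A/AAAA local-data answer."""
    out = []
    for m in LOCAL_DATA_RE.finditer(conf):
        name, _rtype, addr = m.groups()
        out.append((name.rstrip('.').lower(), ipaddress.ip_address(addr)))
    return out


def self_referencing_names(conf: str, proxy_addrs=PROXY_ADDRS):
    """Names whose forged answer is one of the proxy's own addresses.

    For an intercepted HTTPS connection Squid only has the TCP destination
    address until the TLS handshake is decrypted; if that address is the
    proxy itself, the origin-certificate fetch targets the proxy and the
    lookup loops instead of bumping the connection.
    """
    return sorted(n for n, ip in forged_records(conf) if ip in proxy_addrs)


def would_loop(dst_ip: str, proxy_addrs=PROXY_ADDRS) -> bool:
    """Model of the decision: intercepted dst IP equal to the proxy => loop."""
    return ipaddress.ip_address(dst_ip) in proxy_addrs


if __name__ == "__main__":
    for name in self_referencing_names(UNBOUND_LOCAL_DATA):
        print(f"forged answer for {name} points at the proxy itself")
```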