Re: [squid-users] disable ssl client renegotiating
I have create a patch to add openssl modifying options not include diff -Naur squid-3.4.1/src/ssl/support.cc squid-3.4.1- patched/src/ssl/support.cc --- squid-3.4.1/src/ssl/support.cc 2013- 12-09 02:20:54.0 +0100 +++ squid-3.4.1-patched/src/ssl/support. cc 2014-03-20 15:58:05.200506356 +0100 @@ -488,6 +488,21 @@ No_Compression, SSL_OP_NO_COMPRESSION }, #endif +#if SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION +{ + ALLOW_UNSAFE_LEGACY_RENEGOTIATION, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION +}, +#endif +#if SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION +{ + NO_SESSION_RESUMPTION_ON_RENEGOTIATION, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION +}, +#endif +#if SSL_OP_LEGACY_SERVER_CONNECT +{ +LEGACY_SERVER_CONNECT, SSL_OP_LEGACY_SERVER_CONNECT +}, +#endif { , 0 }, but when I'm using that on https_port options or sslproxy_options they are not considered. Any idea? Thank you
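Review bot: none of the three entries added after the No_Compression entry disables client renegotiation, which is what the thread subject asks for. SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION and SSL_OP_LEGACY_SERVER_CONNECT relax the RFC 5746 secure-renegotiation checks, and SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION only forces a new session when a renegotiation takes place. If these are exposed at all, the ALLOW_UNSAFE_LEGACY_RENEGOTIATION entry should carry a comment saying it weakens the connection. The new names are all upper case while the existing entry is spelled No_Compression, so state the exact token expected in the https_port options and sslproxy_options values. The diff also touches only src/ssl/support.cc, which leaves the new names undocumented in the configuration reference.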
[squid-users] duplicating a post request
hello, any chance to implement a configuration that will forward the same post request from a user to two different servers at the same time? using squid 3.3 thanks.
Re: [squid-users] duplicating a post request
On 03/24/2014 02:21 PM, Yuri Levin wrote:

hello, any chance to implement a configuration that will forward the same post request from a user to two different servers at the same time? using squid 3.3 thanks.

What exactly is the issue? I do not seem to understand what you want or need. Please try to describe the issue with more words.

Eliezer
Re: [squid-users] Intercept HTTPS with dynamic certificate for clients
Hi all,

I get on the web browsers:

Error code: sec_error_unknown_issuer

Can someone help me?

On 19 March 2014 at 08:53, Emmanuel LAZARO - S.IM.KO. em.laz...@simko.fr wrote:

Hi all,

I am using Squid 3.4.4 on Debian wheezy, compiled from the sources. I am trying to configure squid as a transparent proxy using:

https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/CertifSignature/SquidServeurVeriSign.pem key=/etc/squid3/CertifSignature/Squid.key

The SquidServeurVeriSign.pem has been signed by VeriSign. How can I avoid the alerts on Firefox or Safari (I am in a Mac OS X environment), because the alerts are appearing on every https page:

Connection not certified. You asked firefox to connect... we can't confirm the connection is secured... website identity can't be verified.

Sorry for the translation...

Can someone help me?

NB: I imported the root certificate in my Firefox.

--
LAZARO Emmanuel
Re: [squid-users] Intercept HTTPS with dynamic certificate for clients
Hi again,

In addition, I can say this problem (sec_error_unknown_issuer) appears when I am using a real certificate from VeriSign, which is well known by the web browser.

I read here: http://squid-web-proxy-cache.1019090.n4.nabble.com/Need-help-on-SSL-bump-and-certificate-chain-td4659421.html that I can't do what I want with a signed certificate from a known authority.

So I tried using a self-signed certificate, but it doesn't work, with the error: sec_error_untrusted_issuer
Re: [squid-users] Intercept HTTPS with dynamic certificate for clients
Hi all,

Problem solved by regenerating all certificates with this: http://www.mydlp.com/how-to-configure-squid-3-2-ssl-bumping-dynamic-ssl-certificate-generation/

Adding public.pem in the browser removed the alerts.
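With ssl-bump and generate-host-certificates=on, the cert=/key= pair signs a fresh certificate for every site, so it has to be a CA certificate that the browsers trust; a server certificate issued by a public CA is not a CA and cannot fill that role. The check below is an added example, not taken from the thread or the linked guide: the file names and subject names are constructed, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: which certificate can act as the ssl-bump signing cert?
set -eu

# True when the certificate is a CA (basicConstraints CA:TRUE), i.e. it is
# allowed to sign the per-host certificates the proxy generates.
is_signing_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# True when private key $2 belongs to certificate $1 (the cert=/key= pair).
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Build constructed sample material in directory $1: a self-signed CA and a
# server (leaf) certificate issued by it, like one bought from a public CA.
make_demo_certs() {
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Bump CA (constructed)
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    echo 'basicConstraints = critical,CA:FALSE' > "$d/leaf.ext"
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/ca.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=proxy.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_certs "$demo"
for c in ca leaf; do
    if is_signing_ca "$demo/$c.pem" && key_matches_cert "$demo/$c.pem" "$demo/$c.key"
    then echo "$c.pem: usable as signing certificate"
    else echo "$c.pem: NOT usable (not a CA, or key mismatch)"
    fi
done
rm -rf "$demo"
```

Only the CA certificate passes; that certificate, without its private key, is what gets imported into the browsers' trust store.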
[squid-users] need help with ubuntu upgrade procedure
Greetings,

I'm running squid 3.3.8 on Ubuntu 14.04 and I am having an issue filtering https with Google Groups. This is my first time performing a squid install on Ubuntu. It appears that the repository version is stuck at 3.3.8 and the docs from their location are stuck on Ubuntu 12.04.

So, I read the change logs and saw numerous ssl fixes between 3.3.8 - 3.4.x.

How do I manually upgrade this package?

http://www.ubuntuupdates.org/package/core/trusty/universe/base/squid

Thanks for any assistance.

-j
[squid-users] qos_flow.
Hi. Trying to understand the squid qos_flows feature, I have been reading a lot, but haven't found any specific info/howto with clarifying examples. How can I use qos_flows in my fw? I have tried delay_pools, now I want to learn this other feature. Anyone with an example for a noob will be appreciated. Working with squid 3.1.x, thanks.
[squid-users] Re: need help with ubuntu upgrade procedure
Dunno about install/upgrade of squid-package on Ubuntu, but always installed my squid on ubuntu from src.

As you have a running version already, you only should backup squid.conf to another location to be used with new squid.
Do a squid -v to note actual configure-options, to be used for new squid as well.
And copy /etc/init.d/squid to a safe location, also to be used for your new squid later on.

You might now deinstall/delete your running squid then, incl. cached files. (Remove the service and delete the package)

Then
./configure #with old config-options
make
make install
new squid, copy old squid.conf to /usr/local/squid/etc
Copy saved /etc/init.d/squid back to /etc/init.d/squid
And re-install service-squid