Re: [squid-users] Enable SSL bump

2017-01-23 Thread Amos Jeffries
On 24/01/2017 3:38 p.m., Mustafa Mohammad wrote: > By regression...I mean our QA testing server. Let me explain this in > detail: I have a squid proxy running which is needed to connect to the > server so we can get back if the transaction was approved or not. It is a > point of sale application

Re: [squid-users] [3.5.23]: mozilla.org failed using SSL transparent SSL23_GET_SERVER_HELLO:unknown protocol

2017-01-23 Thread Amos Jeffries
> On Mon, 2017-01-23 at 19:54 -0700, Alex Rousskov wrote: >> On 01/23/2017 04:28 PM, David Touzeau wrote: >>> >>> ssl_bump peek ssl_step1 >>> ssl_bump splice all >>> >>> sslproxy_flags DONT_VERIFY_PEER >>> sslproxy_cert_error allow all >> >>> >>> When connecting to mozilla.org using transparent,

Re: [squid-users] [3.5.23]: mozilla.org failed using SSL transparent SSL23_GET_SERVER_HELLO:unknown protocol

2017-01-23 Thread James Lay
On Mon, 2017-01-23 at 19:54 -0700, Alex Rousskov wrote: > On 01/23/2017 04:28 PM, David Touzeau wrote: > > > > ssl_bump peek ssl_step1 > > ssl_bump splice all > > > > sslproxy_flags DONT_VERIFY_PEER > > sslproxy_cert_error allow all > > > > > When connecting to mozilla.org using transparent,

Re: [squid-users] [3.5.23]: mozilla.org failed using SSL transparent SSL23_GET_SERVER_HELLO:unknown protocol

2017-01-23 Thread Alex Rousskov
On 01/23/2017 04:28 PM, David Touzeau wrote: > ssl_bump peek ssl_step1 > ssl_bump splice all > > sslproxy_flags DONT_VERIFY_PEER > sslproxy_cert_error allow all > When connecting to mozilla.org using transparent, we receive this error: > > * About to connect() to www.mozilla.org port 443 (#0)

Re: [squid-users] Enable SSL bump

2017-01-23 Thread Amos Jeffries
[ Please reply to the list, not to me personally. ] On 24/01/2017 11:54 a.m., Mustafa Mohammad wrote: > I'm using 3.5.23 version. My problem is that I'm trying to hit our > regression server and after doing research, I found that SSL bump might > work for me but I'm not sure. We (the squid-users

Re: [squid-users] [3.5.23]: mozilla.org failed using SSL transparent SSL23_GET_SERVER_HELLO:unknown protocol

2017-01-23 Thread David Touzeau
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of Amos Jeffries Sent: Tuesday, 24 January 2017 01:01 To: squid-users@lists.squid-cache.org Subject: Re: [squid-users] [3.5.23]: mozilla.org failed using SSL transparent SSL23_GET_SERVER_HELLO:unknown protocol On

[squid-users] BUG Notification. RE: Squid 3.5.23 is available - Article and new tools by NgTech

2017-01-23 Thread Eliezer Croitoru
I didn't expect it but it happens to the best of us and the tools used the drbl-peer library that has a very huge memory leak that was found in a production environment (more than 10k queries per second). I fixed the library and I will publish the new and updated binaries for the squid

Re: [squid-users] [3.5.23]: mozilla.org failed using SSL transparent SSL23_GET_SERVER_HELLO:unknown protocol

2017-01-23 Thread Amos Jeffries
On 24/01/2017 12:28 p.m., David Touzeau wrote: > Same issue with https://www.digitalocean.com/ > is somebody did not encounter the issue using Squid in transparent mode with > SSL ?? > The TLS / HTTPS environment is in the process of stabilizing, but still quite volatile. Since the error

Re: [squid-users] [3.5.23]: mozilla.org failed using SSL transparent SSL23_GET_SERVER_HELLO:unknown protocol

2017-01-23 Thread David Touzeau
Same issue with https://www.digitalocean.com/ is somebody did not encounter the issue using Squid in transparent mode with SSL ?? -Original message- From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of David Touzeau Sent: Sunday, 22 January 2017 19:49

Re: [squid-users] Squid 4.x: Intermediate certificates downloader

2017-01-23 Thread Amos Jeffries
On 24/01/2017 7:06 a.m., Marcus Kool wrote: > > > On 23/01/17 15:31, Alex Rousskov wrote: >> On 01/23/2017 04:28 AM, Yuri wrote: >> >>> 1. How does it work? >> >> My response below and the following commit message might answer some of >> your questions: >> >>

Re: [squid-users] Squid 4.x: Intermediate certificates downloader

2017-01-23 Thread Amos Jeffries
On 24/01/2017 8:22 a.m., Yuri Voinov wrote: > > > 24.01.2017 0:06, Alex Rousskov wrote: >> On 01/23/2017 10:41 AM, Yuri Voinov wrote: >>> 23.01.2017 23:31, Alex Rousskov wrote: On 01/23/2017 04:28 AM, Yuri wrote: >> > 2. How this feature is related to

Re: [squid-users] Squid 3.x never_direct and DNS requests problem.

2017-01-23 Thread Amos Jeffries
On 24/01/2017 3:58 a.m., FUSTE Emmanuel wrote: > > All was carefully checked and nothing in my configuration (acl etc ...) > explain why Squid insist to do DNS requests for requests forwarded to > the peer(s). > > > #bug #4575 > url_rewrite_extras XXX > store_id_extras XXX I don't think that

Re: [squid-users] Enable SSL bump

2017-01-23 Thread Amos Jeffries
On 24/01/2017 11:27 a.m., Mustafa Mohammad wrote: > I'm trying to enable ssl bump but it says that > FATAL: No valid signing SSL certificate configured for HTTP_port [::]:the > port I'm listening on. I did a lot of research and I couldn't find the > answer. Any help would be deeply appreciated. >

[squid-users] Enable SSL bump

2017-01-23 Thread Mustafa Mohammad
I'm trying to enable ssl bump but it says that FATAL: No valid signing SSL certificate configured for HTTP_port [::]:the port I'm listening on. I did a lot of research and I couldn't find the answer. Any help would be deeply appreciated. Thanks, Mustafa Mohammad

Re: [squid-users] Native FTP relay: connection closes (?) after 'cannot assign requested address' error

2017-01-23 Thread Alex Rousskov
On 01/23/2017 12:18 PM, Alexander wrote: > 2017-01-23 21:41 GMT+03:00 Alex Rousskov: > It is possible that Squid needs a knob to handle your use > case differently. However, I am pretty sure that somebody does want > Squid to do what it does now so we should not change Squid behavior

Re: [squid-users] Squid 4.x: Intermediate certificates downloader

2017-01-23 Thread Yuri Voinov
24.01.2017 2:25, Marcus Kool wrote: > > > On 23/01/17 17:23, Yuri Voinov wrote: > [snip] > >>> I created bug report http://bugs.squid-cache.org/show_bug.cgi?id=4659 >>> a week ago but there has not been any activity. >>> Is there someone who has sslproxy_foreign_intermediate_certs >>> working in

Re: [squid-users] Squid 4.x: Intermediate certificates downloader

2017-01-23 Thread Marcus Kool
On 23/01/17 17:23, Yuri Voinov wrote: [snip] I created bug report http://bugs.squid-cache.org/show_bug.cgi?id=4659 a week ago but there has not been any activity. Is there someone who has sslproxy_foreign_intermediate_certs working in Squid 4.0.17 ? Seems works as by as in 3.5.x. As I can

Re: [squid-users] Squid 4.x: Intermediate certificates downloader

2017-01-23 Thread Yuri Voinov
24.01.2017 0:06, Marcus Kool wrote: > > > On 23/01/17 15:31, Alex Rousskov wrote: >> On 01/23/2017 04:28 AM, Yuri wrote: >> >>> 1. How does it work? >> >> My response below and the following commit message might answer some of >> your questions: >> >>

Re: [squid-users] Squid 4.x: Intermediate certificates downloader

2017-01-23 Thread Yuri Voinov
24.01.2017 0:06, Alex Rousskov wrote: > On 01/23/2017 10:41 AM, Yuri Voinov wrote: >> 23.01.2017 23:31, Alex Rousskov wrote: >>> On 01/23/2017 04:28 AM, Yuri wrote: I.e., where downloaded certs stored, how it handles, does it save anywhere to disk? >>> Missing certificates are fetched

Re: [squid-users] Native FTP relay: connection closes (?) after 'cannot assign requested address' error

2017-01-23 Thread Alexander
2017-01-23 21:41 GMT+03:00 Alex Rousskov : > > Needless to say, your specific needs may differ from that general > principle. It is possible that Squid needs a knob to handle your use > case differently. However, I am pretty sure that somebody does want > Squid

Re: [squid-users] Native FTP relay: connection closes (?) after 'cannot assign requested address' error

2017-01-23 Thread Alex Rousskov
On 01/23/2017 11:11 AM, Alexander wrote: > Actually, a PASV-handling logic looks a bit strange to me. In > Ftp::Server::handlePasvReply() there is a comment: > > "In interception setups, we combine remote server address with a local port > number and hope that traffic will be redirected to us." >

Re: [squid-users] Native FTP relay: connection closes (?) after 'cannot assign requested address' error

2017-01-23 Thread Alex Rousskov
On 01/23/2017 03:11 AM, Alexander wrote: > 3. Squid opens a local port and sends it back to client via the "Entering > passive mode" reply. Seems to be ok, but a client sees a real server's IP > address, not a squid's one. So when a client tries to connect to a server, > it gets ECONNREFUSED

Re: [squid-users] Native FTP relay: connection closes (?) after 'cannot assign requested address' error

2017-01-23 Thread Alexander
Actually, a PASV-handling logic looks a bit strange to me. In Ftp::Server::handlePasvReply() there is a comment: "In interception setups, we combine remote server address with a local port number and hope that traffic will be redirected to us." How is it supposed to work? A client receives

Re: [squid-users] Squid 4.x: Intermediate certificates downloader

2017-01-23 Thread Alex Rousskov
On 01/23/2017 10:41 AM, Yuri Voinov wrote: > 23.01.2017 23:31, Alex Rousskov wrote: >> On 01/23/2017 04:28 AM, Yuri wrote: >>> I.e., where downloaded certs stored, how it >>> handles, does it save anywhere to disk? >> Missing certificates are fetched using HTTP[S]. Certificate responses >>

Re: [squid-users] Squid 4.x: Intermediate certificates downloader

2017-01-23 Thread Marcus Kool
On 23/01/17 15:31, Alex Rousskov wrote: On 01/23/2017 04:28 AM, Yuri wrote: 1. How does it work? My response below and the following commit message might answer some of your questions: http://bazaar.launchpad.net/~squid/squid/5/revision/14769 This seems that the feature only goes to

Re: [squid-users] Squid 4.x: Intermediate certificates downloader

2017-01-23 Thread Yuri Voinov
23.01.2017 23:31, Alex Rousskov wrote: > On 01/23/2017 04:28 AM, Yuri wrote: > >> 1. How does it work? > My response below and the following commit message might answer some of > your questions: > > http://bazaar.launchpad.net/~squid/squid/5/revision/14769 > >> I.e., where downloaded certs

Re: [squid-users] Squid 4.x: Intermediate certificates downloader

2017-01-23 Thread Alex Rousskov
On 01/23/2017 04:28 AM, Yuri wrote: > 1. How does it work? My response below and the following commit message might answer some of your questions: http://bazaar.launchpad.net/~squid/squid/5/revision/14769 > I.e., where downloaded certs stored, how it > handles, does it save anywhere to

[squid-users] Squid 3.x never_direct and DNS requests problem.

2017-01-23 Thread FUSTE Emmanuel
Hello, I'm in a context where I have a lot of Squid installations without direct internet access. All queries are forwarded to an Internet connected peer. Recently, I migrated my old 2.x Squid to 3.x and took responsibility for some other 3.x existing installations. - my Debian based Squid 3.4.8

[squid-users] Strange delays (30 seconds) with TLS connections in WCCP/Transparent mode

2017-01-23 Thread Christophe Fillot
Hello all, I have a strange problem where some TLS connections are delayed by 30 seconds when going through my transparent proxy with WCCP. This occurs typically with sites behind Cloudflare (for example, https://www.wireshark.org). No problem for Google websites for example. I only want to

[squid-users] Squid 4.x: Intermediate certificates downloader

2017-01-23 Thread Yuri
Hi, gents. I have some stupid questions about subject. 1. How does it work? I.e., where downloaded certs stored, how it handles, does it save anywhere to disk? Because of this feature is completely undocumented and it did not follow from the source code. 2. How this feature is related to

Re: [squid-users] Native FTP relay: connection closes (?) after 'cannot assign requested address' error

2017-01-23 Thread Alexander
Just tried it out with REDIRECT rule. Still no luck, but now Filezilla client reports ECONNREFUSED error. I do not see any critical errors in squid's output, however the following thing is suspicious: 2017/01/20 19:10:11.604| 33,3| FtpServer.cc(1655) checkDataConnPost: missing client data conn: