Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-10-03 Thread Jason Haar
On 03/10/15 19:16, Amos Jeffries wrote: > Anyhow, there have been long periods (12-18 months IIRC) where they > were not trusted as a global CA. If your CA certificates set is from one > of those periods your Squid will not be able to verify trust of the > origin cert. Should that show up in the

Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-10-03 Thread Amos Jeffries
On 3/10/2015 7:08 a.m., Jason Haar wrote: > On 02/10/15 23:43, Amos Jeffries wrote: >> I'm suspecting the order of these options screws things up. Or maybe >> just the use of "ALL". sslproxy_options NO_SSLv2:NO_SSLv3:ALL > > ...but I don't even use sslproxy_options There have been at least 3

Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-10-02 Thread Jason Haar
Just a reminder people, but you've gone off-topic. The postbank.de website issue has NOTHING to do with pinning. Someone mentioned earlier it's due to the HTTPS cert not having a complete cert-chain, and that web browsers auto-correct that situation, but squid does not. So I would say either squid

Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-10-02 Thread Amos Jeffries
On 2/10/2015 7:58 p.m., Jason Haar wrote: > Just a reminder people, but you've gone off-topic. The postbank.de > website issue has NOTHING to do with pinning > > Someone mentioned earlier it's due to the HTTPS cert not having a > complete cert-chain, and that web browsers auto-correct that

Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-10-02 Thread Jason Haar
On 02/10/15 21:38, Amos Jeffries wrote: > I'm not sure but a custom certificate validator helper can probably do > all this better. An example helper in Perl can be found at > helpers/ssl/cert_valid.pl That website worked for me because my external validator had an exception rule for valid certs

Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-10-02 Thread Jason Haar
On 02/10/15 23:43, Amos Jeffries wrote: > I'm suspecting the order of these options screws things up. Or maybe > just the use of "ALL". sslproxy_options NO_SSLv2:NO_SSLv3:ALL ...but I don't even use sslproxy_options There have been at least 3 people saying that bump doesn't work with that

Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-10-01 Thread HackXBack
We wish that somebody can build a good fingerprinting algorithm for pinning clients. Thank you Alex

Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-29 Thread Amos Jeffries
On 29/09/2015 5:20 p.m., Yuri Voinov wrote: > Don't think so we can detect pinned apps automatically. You need to find it > manually this time AFAIK. Correct. There is no way for Squid to know that some app running on a separate client device, installed a random time earlier via another network

Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-29 Thread HackXBack
I don't know, but if connection can't bump .. if connection can't be established, then squid bypass this connection directly ... this is how ...

Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-29 Thread HackXBack
It's okay, I don't say that we want to bump pinned connection, why squid not automatically bypass pinned connection without decryption ?? if this happen then all problems solved ..

Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-29 Thread Alex Rousskov
On 09/29/2015 05:02 PM, HackXBack wrote: > I don't know, but if connection can't bump .. if connection can't be established, > then squid bypass this connection directly ... > this is how ... The pinning client (not Squid!) decides that the [successfully bumped from Squid point of view] connection is

Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-29 Thread Antony Stone
On Tuesday 29 September 2015 at 23:50:15, HackXBack wrote: > I don't say that we want to bump pinned connection, > why squid not automatically bypass pinned connection without decryption ?? How can Squid know that the client is using pinning? Antony. -- BASIC is to computer languages what

Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-29 Thread Alex Rousskov
On 09/29/2015 03:16 AM, Amos Jeffries wrote: > On 29/09/2015 5:20 p.m., Yuri Voinov wrote: >> Don't think so we can detect pinned apps automatically. You need to find it >> manually this time AFAIK. > Correct. There is no way for Squid to know that some app running on a > separate client device,

Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-28 Thread Yuri Voinov
Don't think so we can detect pinned apps automatically. You need to find it manually this time AFAIK. 29.09.15 2:29, HackXBack wrote: Yuri, Dear friend. use splice HAA ? ok and how you can't detect automatically to make squid splice the pinned app automatically ? otherwise, it is a real

Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-28 Thread Yuri Voinov
I suggest, a good idea to bypass bankings around bump. As by as pinned Apple apps. In another word - use splice, Luke! ;) 28.09.15 20:43, HackXBack wrote: > this happen with me on all Apple applications, and to make them work fine you > must

Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-28 Thread HackXBack
this happen with me on all Apple applications, and to make them work fine you must none bump for the IPs they used, it is the same problem, same log output as yours. Thanks.

Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-28 Thread Sebastian Kirschner
I increased the log level and performed a GET to https://banking.postbank.de/ , what I don't get is why squid start to generate a certificate for the ssl bump ? cache.log 2015/09/28 14:25:28.964 kid1| 33,5| client_side.cc(4135) getSslContextStart: Generating SSL certificate for

Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-26 Thread Marcus Kool
On 09/26/2015 03:03 PM, Dieter Bloms wrote: Hallo Marcus, On Thu, Sep 17, Marcus Kool wrote: I just tried accessing https://banking.postbank.de/ using Squid 3.5.8 and Chrome. I also got the ERR_CONNECTION_CLOSED error. thank you for testing, so I think the fault is not my config. May it

Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-26 Thread Dieter Bloms
Hallo Marcus, On Thu, Sep 17, Marcus Kool wrote: > I just tried accessing https://banking.postbank.de/ > using Squid 3.5.8 and Chrome. > I also got the ERR_CONNECTION_CLOSED error. thank you for testing, so I think the fault is not my config. May it be a bug in squid or openssl, or maybe the

Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-17 Thread Dieter Bloms
Hello Amos, thank you for your hints. On Thu, Sep 17, Amos Jeffries wrote: > > the relevant part is: > > > > --snip-- > > acl nodecryptdomains dstdomain "/etc/squid/nodecrypt.domains" > > http_port MYIP:8080 ssl-bump cert=/etc/squid/ca.pem key=/etc/squid/ca.key > >

Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-16 Thread Dieter Bloms
Hello Antony, On Wed, Sep 16, Antony Stone wrote: > On Wednesday 16 September 2015 at 15:39:35, Dieter Bloms wrote: > > > I did an upgrade of my squid from 3.4.13 to 3.5.8 and most sites are > > accessible via HTTPS and sslbump enable. > > But I can't get any access to the destination > >

Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-16 Thread Amos Jeffries
On 17/09/2015 3:16 a.m., Dieter Bloms wrote: > Hello Antony, > > > On Wed, Sep 16, Antony Stone wrote: > >> On Wednesday 16 September 2015 at 15:39:35, Dieter Bloms wrote: >> >>> I did an upgrade of my squid from 3.4.13 to 3.5.8 and most sites are >>> accessible via HTTPS and sslbump enable.