Re: [squid-users] correct regular expression to use to capture all

2023-07-09 Thread Walter H.
On 08.07.2023 14:07, robert k Wild wrote: True but I don't want to create two ACL lists, one for "ssl name" and one for "ssl name regex" If I were you, I would create two ACL lists, because the one without regex, as already mentioned, needs fewer resources - CPU, memory - and can have more

[squid-users] Squid 4.11, Almalinux 8.4 (RHEL 8.4 based) - user defined directory for certificate cache?

2021-10-10 Thread Walter H.
Hello, this sudo -u squid /usr/lib64/squid/security_file_certgen -c -s /var/local/squid/ssl_db -M 4MB gives the error /usr/lib64/squid/security_file_certgen: Cannot create /var/local/squid/ssl_db but this sudo -u squid /usr/lib64/squid/security_file_certgen -c -s /var/spool/squid/ssl_db

Re: [squid-users] a specific host generates a 503 ...

2021-03-15 Thread Walter H.
On 15.03.2021 10:14, Matus UHLAR - fantomas wrote: On 12/03/21 1:14 am, Eliezer Croitoru wrote: It's sitting behind:  DDoS protection by Cloudflare So it makes sense that you would not be able to download it using wget. The only option probably is using a web browser. I would suggest

Re: [squid-users] a specific host generates a 503 ...

2021-03-13 Thread Walter H.
On 11.03.2021 15:33, Amos Jeffries wrote: On 12/03/21 1:14 am, Eliezer Croitoru wrote: Hey Walter, It's sitting behind:  DDoS protection by Cloudflare So it makes sense that you would not be able to download it using wget. The only option probably is using a web browser. I would suggest

[squid-users] a specific host generates a 503 ...

2021-03-09 Thread Walter H.
Hello, can someone test the following URL http://db.local.clamav.net/daily-26102.cdiff e.g. wget http://db.local.clamav.net/daily-26102.cdiff I have an older squid (v3.1) there this works, but with the newer ones (v3.4 and v3.5) this doesn't; is there an explanation why? the log shows

Re: [squid-users] wiki.squid-cache.org has invalid SSL certificate

2021-01-23 Thread Walter H.
On 23.01.2021 13:07, Matus UHLAR - fantomas wrote: On 22.01.21 15:32, Alex Rousskov wrote: On 1/22/21 3:10 PM, Walter H. wrote: https://www.ssllabs.com/ssltest/analyze.html?d=wiki.squid-cache.org there is an invalid certificate as the intermediate FWIW, I see nothing marked as "in

[squid-users] wiki.squid-cache.org has invalid SSL certificate

2021-01-22 Thread Walter H.
Hello, look here https://www.ssllabs.com/ssltest/analyze.html?d=wiki.squid-cache.org there is an invalid certificate as the intermediate Walter smime.p7s Description: S/MIME Cryptographic Signature ___ squid-users mailing list

Re: [squid-users] distinguish between IPv4 and IPv6

2021-01-12 Thread Walter H.
. Eliezer Eliezer Croitoru Tech Support Mobile: +972-5-28704261 Email: ngtech1...@gmail.com Zoom: Coming soon From: squid-users On Behalf Of Amos Jeffries Sent: Monday, January 11, 2021 10:10 PM To: Walter H. ; squid-users@lists

[squid-users] distinguish between IPv4 and IPv6

2021-01-11 Thread Walter H.
Hello, is there a way, that I can do something like if ( dst is IPv4 ) go direct if ( dst is IPv6 ) use parent proxy xxx The reason for my question, I'm using a IPv6-in-IPv4 tunnel, and it would make sense to forward all traffic going to IPv6 to squid running on tunnel end; Thanks, Walter

Re: [squid-users] Cannot access web servers with a specific browser

2020-09-14 Thread Walter H.
On 14.09.2020 14:50, Vieri wrote: Hi, Before digging into the whole squid configuration, I'd like to know what the following line means: NONE_ABORTED/200 0 CONNECT 216.58.211.36:443 - HIER_NONE/- - I get this when trying to access a web page with a specific browser (Google Chrome).

Re: [squid-users] Gateway Proxy failure - but only with one browser ...

2020-04-29 Thread Walter H.
and squid is different from the one between squid and server; how can there be an SSL handshake problem between squid and server when using an old browser? On 29.04.2020 19:26, Walter H. wrote: I have two squids, one does SSL bump (3.5latest CentOS 6) the other doesn't SSL bump (3.4latest CentOS

[squid-users] Gateway Proxy failure - but only with one browser ...

2020-04-29 Thread Walter H.
I have two squids, one does SSL bump (3.5latest CentOS 6) the other doesn't SSL bump (3.4latest CentOS 6) everything works, I have a site that uses SSL/TLS, and two different browsers (one in a VM with old windows), when I use the squid without SSL bump, the site works with both browsers,

Re: [squid-users] several sites - cloudflare not working with ssl-bump ...

2020-02-25 Thread Walter H.
On Tue, February 25, 2020 06:30, Amos Jeffries wrote: > On 25/02/20 5:00 am, Walter H. wrote: >> Hello, >> >> can someone explain, why >> sites as https://dnslytics.com/ >> do not work any more if 'server-first', >> they only work with 'client-first' why?

[squid-users] several sites - cloudflare not working with ssl-bump ...

2020-02-24 Thread Walter H.
Hello, can someone explain, why sites as https://dnslytics.com/ do not work any more if 'server-first', they only work with 'client-first' why? Thanks, Walter

[squid-users] difference of settings doing the same as it seems

2019-11-14 Thread Walter H.
Hello, I found out something strange acl step1 at_step SslBump1 acl step2 at_step SslBump2 acl step3 at_step SslBump3 acl nobumpsites ssl::server_name "/etc/squid/sslnobumpsites-acl.squid" # I had these 3 settings - most worked, but only a few hosted at cloudflare worked: problems with SNI

Re: [squid-users] ssl bump intermediate certificate

2019-10-30 Thread Walter H.
On 30.10.2019 05:59, Marek Greško wrote: Hello, I am trying to configure ssl bumping on squid 4.8 but my browser is not able to validate the certificate due to intermediate certificate missing. How could I convince squid to send it? Thanks Marek the ssl-bump certificate is either a root

Re: [squid-users] SQUID_ERR_SSL_HANDSHAKE

2019-06-29 Thread Walter H.
Hello Amos, On 29.06.2019 14:13, Amos Jeffries wrote: That is a good sign. That exact combo is in the set supported by the breaking server so it is unlikely your Squid or its OpenSSL is contributing to this particular problem. quite strange only a few sites don't work, https://www.3bg.at is

Re: [squid-users] SQUID_ERR_SSL_HANDSHAKE

2019-06-29 Thread Walter H.
On 29.06.2019 10:17, Amos Jeffries wrote: On 29/06/19 3:03 am, Walter H. wrote: sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!SSLv2:+SSLv3:!3DES:!RC4:!MD5:!IDEA:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!RSA:!SRP

Re: [squid-users] SQUID_ERR_SSL_HANDSHAKE

2019-06-28 Thread Walter H.
ong ago I've seen a site well configured for once with its TLS settings. So most probably, you're downgrading the connection within the proxy settings to SSLv3. And sharing your config might help to see that. Greetz, Louis Van: squid-users [mailto:squid-users-boun...@lists.squid-ca

[squid-users] SQUID_ERR_SSL_HANDSHAKE

2019-06-28 Thread Walter H.
Hello, at some specific hosts this is shown in cache.log 2019/06/28 16:11:12 kid1| Error negotiating SSL on FD 17: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message (1/-1/0) and this is the error page I get Failed to establish a secure connection to .../ (71) Protocol error

[squid-users] strange thing in the squid logs ...

2019-02-05 Thread Walter H.
Hello, in iptables I have this: *nat ... -A PREROUTING -i br0 -p tcp -s 192.168.1.100 --dport 80 -j DNAT --to-destination 192.168.1.1:3129 192.168.1.100 is my PC and 192.168.1.1 is my NAT-Router, that has squid, ... running here the log 192.168.1.100 - - [05/Feb/2019:20:57:09 +0100]

[squid-users] Message with SSL-bump with a specific site ...

2018-11-05 Thread Walter H.
Hello, can someone explain what is causing this message: While trying to retrieve the URL: https://www.3bg.at/* The following error was encountered: Failed to establish a secure connection to 193.138.123.75 The system returned: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

[squid-users] Error Message alert handshake failure

2018-08-29 Thread Walter H.
Hello, what does this message 2018/08/29 16:11:28 kid1| Error negotiating SSL on FD 22: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0) in cache.log mean? Thanks, Walter

Re: [squid-users] [squid-announce] Squid 4.2 is available

2018-08-11 Thread Walter H.
On 10.08.2018 07:41, Amos Jeffries wrote: The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-4.2 release! will there be a RPM for latest CentOS 6 available? Walter

Re: [squid-users] block visit 80/443 browsing via IP(no domain name)

2018-07-29 Thread Walter H.
On 29.07.2018 06:11, Gordon Hsiao wrote: is there a way to block any attempt to visit http/https by _any_ IP directly, i.e. http://my-IP or https://my-IP (yes this will give a warning for SSL most likely). here my-IP could be any IPv4 address, for example. Basically I want to have Squid to

Re: [squid-users] Wpad problem (DNS)

2018-07-26 Thread Walter H.
On 26.07.2018 17:32, erdosain9 wrote: Hi, thanks I try Explorer 8.0 and Chrome 68.0... this can be deactivated on browser side; then wpad is for the cats ... Walter

Re: [squid-users] Chrome 67 Issue with SSL Bump

2018-06-26 Thread Walter H.
On 26.06.2018 19:03, Amit pasari wrote: Dear Walter I have tried with both SHA1 and SHA256 cert . Sent from my iPhone On Jun 26, 2018, at 9:43 PM, Walter H. wrote: On 26.06.2018 17:22, Amit Pasari - XS INFOSOL Inc. USA wrote: I am us

Re: [squid-users] Chrome 67 Issue with SSL Bump

2018-06-26 Thread Walter H.
On 26.06.2018 17:22, Amit Pasari - XS INFOSOL Inc. USA wrote: I am using squid in transparent mode . Everything working fine in Firefox and IE after i have imported the certificate in both the browser , but in Chrome 67 version on Windows 10 i am facing the below issue

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-10 Thread Walter H.
On 10.06.2018 08:49, Amos Jeffries wrote: Interesting. The main issue was that you configured only params for the Diffie-Hellman (DH and DHE) ciphers - no curve name. That meant your specified EEC* ciphers were disabled since they require a curve name as well. Removing this option completely

Re: [squid-users] Google analytics screwing up a lot of sites?

2018-03-26 Thread Walter H.
Hello On 26.03.2018 21:27, Bob Cochran wrote: We use squid 3.5.20 and a custom content filter to block undesirable (tracking) sites (e.g., google-analytics.com). get 3.5.27 ... It seems that Google's JavaScript ( or missing scripts ) is rendering various modal / dialog boxes useless

Re: [squid-users] https://wiki.squid-cache.org provides invalid certificate chain ...

2017-11-18 Thread Walter H.
On 18.11.2017 13:51, Walter H. wrote: Hello, still certificate issues: missing intermediate certificate Greetings, Walter @Amos: There is *no* chain. Our cert is directly signed by the LetsEncrypt CA. Amos that's wrong; LetsEncrypt is only an intermediate, and MUST be given

Re: [squid-users] https://wiki.squid-cache.org provides invalid certificate chain ...

2017-11-18 Thread Walter H.
Hello, still certificate issues: missing intermediate certificate Greetings, Walter On 17.11.2017 13:39, Walter H. wrote: for more information see https://www.ssllabs.com/ssltest/analyze.html?d=wiki.squid-cache.org - missing intermediate certificate - ssl3 active, poodle vulnerable

[squid-users] https://wiki.squid-cache.org provides invalid certificate chain ...

2017-11-17 Thread Walter H.
for more information see https://www.ssllabs.com/ssltest/analyze.html?d=wiki.squid-cache.org - missing intermediate certificate - ssl3 active, poodle vulnerable ... Greetings, Walter

Re: [squid-users] IPv6 and TPROXY

2017-08-21 Thread Walter H.
tech.co.il -----Original Message----- From: Walter H. [mailto:walte...@mathemainzel.info] Sent: Saturday, August 19, 2017 23:23 To: Eliezer Croitoru<elie...@ngtech.co.il> Cc: squid-users@lists.squid-cache.org Subject: Re: [squid-users] IPv6 and TPROXY Hello, not really, I must live with the fa

Re: [squid-users] Squid IPv4:port to IPv6

2017-08-19 Thread Walter H.
On 19.08.2017 04:03, davidjesse...@aol.com wrote: I'm trying to connect to Squid with one IPv4 IP and based on the port I'm connecting with, I want Squid to use a different IPv6 IP for the connection. Below is my config file acl SSL_ports port 443 acl Safe_ports port 80 acl Safe_ports port

Re: [squid-users] IPv6 and TPROXY

2017-08-13 Thread Walter H.
onnections, would it be possible? Would the usage of: http://www.squid-cache.org/Doc/config/tcp_outgoing_address/ override the tproxy function? Eliezer Eliezer Croitoru Linux System Administrator Mobile: +972-5-28704261 Email: elie...@ngtech.co.il -----Original Message----- From

Re: [squid-users] IPv6 and TPROXY

2017-08-12 Thread Walter H.
Thanks, Walter On 12.08.2017 20:23, Eliezer Croitoru wrote: Any progress with this issue? Eliezer Eliezer Croitoru Linux System Administrator Mobile: +972-5-28704261 Email: elie...@ngtech.co.il -----Original Message----- From: Walter H. [mailto:walte...@mathemainzel.info] Sent: Thursday, Au

Re: [squid-users] IPv6 and TPROXY

2017-08-10 Thread Walter H.
e and maybe > sysctl will help to reveal couple things about the subject. > > All The Bests, > Eliezer > > > Eliezer Croitoru > Linux System Administrator > Mobile: +972-5-28704261 > Email: elie...@ngtech.co.il > > > > -----Original Message----- > F

Re: [squid-users] IPv6 and TPROXY

2017-08-09 Thread Walter H.
liezer Eliezer Croitoru Linux System Administrator Mobile: +972-5-28704261 Email: elie...@ngtech.co.il -----Original Message----- From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Walter H. Sent: Tuesday, August 8, 2017 17:15 To: squid-users@lists.squid-cache

[squid-users] wiki.squid-cache.org SSL configuration problem ...

2017-08-08 Thread Walter H.
Hello, the intermediate certificate which is provided doesn't go with the end entity certificate ... the intermediate that is provided: Let's Encrypt Authority X1 the intermediate that should be provided: Let's Encrypt Authority X3 for more see:

[squid-users] IPv6 and TPROXY

2017-08-08 Thread Walter H.
Hello, I did at the ip6tables like this: https://wiki.squid-cache.org/Features/Tproxy4#iptables_on_a_Router_device iptables -t mangle -N DIVERT iptables -t mangle -A DIVERT -j MARK --set-mark 1 iptables -t mangle -A DIVERT -j ACCEPT iptables -t mangle -A PREROUTING -i br0 -p tcp -m socket -j

Re: [squid-users] This list generates a forward loop ...

2017-07-19 Thread Walter H.
On 20.07.2017 05:35, Walter H. wrote: On 19.07.2017 08:54, Amos Jeffries wrote: On 19/07/17 01:42, Walter H. wrote: <squid-us...@squid-cache.org> (expanded from <squid-users@lists.squid-cache.org>): mail forwarding loop for squid-us...@squid-cache.org Why? You

Re: [squid-users] This list generates a forward loop ...

2017-07-19 Thread Walter H.
On 19.07.2017 08:54, Amos Jeffries wrote: On 19/07/17 01:42, Walter H. wrote: <squid-us...@squid-cache.org> (expanded from <squid-users@lists.squid-cache.org>): mail forwarding loop for squid-us...@squid-cache.org Why? You sent a mail to the address squid-users

Re: [squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

2017-07-19 Thread Walter H.
l: elie...@ngtech.co.il -----Original Message----- From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Walter H. Sent: Tuesday, July 18, 2017 15:29 To: squid-users@lists.squid-cache.org Subject: [squid-users] Packets logged as blocked even Firewall (IPtables) acce

Re: [squid-users] Squid Version 3.5.20 Any Ideas

2017-07-19 Thread Walter H.
Hello, this seems not to be the problem, as the error messages are in cache.log, which is not a browser problem ... the question: are the SSL bumped sites in intranet, which use a self signed CA cert itself, which squid doesn't know? On 19.07.2017 17:36, Yuri wrote:

Re: [squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

2017-07-19 Thread Walter H.
On Wed, July 19, 2017 11:31, Antony Stone wrote: > On Wednesday 19 July 2017 at 10:16:30, Walter H. wrote: > >> I added these rules, and will see which packets are caught >> >> -A INPUT -m state --state INVALID -j LOG --log-prefix "IP[IN(invalid)]: >> "

Re: [squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

2017-07-19 Thread Walter H.
On Wed, July 19, 2017 03:21, Amos Jeffries wrote: > On 19/07/17 01:37, Walter H. wrote: >> On Tue, July 18, 2017 15:28, Matus UHLAR - fantomas wrote: >>> On 18.07.17 14:29, Walter H. wrote: >>>> -A INPUT -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT >>

[squid-users] This list generates a forward loop ...

2017-07-18 Thread Walter H.
Hello, On every post I get an error mail back: Subject: Undelivered Mail Returned to Sender From: "Mail Delivery System" Date: Tue, July 18, 2017 15:36 To: ... Priority: Normal This is the mail system at host

Re: [squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

2017-07-18 Thread Walter H.
On Tue, July 18, 2017 15:28, Matus UHLAR - fantomas wrote: > On 18.07.17 14:29, Walter H. wrote: >>-A INPUT -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT > >>-A INPUT -i br0 -m tcp -p tcp --dport 3128 -m state --state NEW -j ACCEPT > >>-A INPUT -j LOG --log-pref

[squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

2017-07-18 Thread Walter H.
Hello, my Router Box runs a CentOS 6, with the EPEL squid34 RPM package this the iptables *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT DROP [0:0] # Allow multicast -A INPUT -d 224.0.0.0/4 -j ACCEPT -A OUTPUT -d 224.0.0.0/4 -j ACCEPT # Allow anything on the local link -A INPUT -i lo

Re: [squid-users] CentOS6 and squid34 package ...

2017-05-27 Thread Walter H.
5/2017 14:07 PM, Walter H. wrote: On 25.05.2017 12:50, Amos Jeffries wrote: On 25/05/17 20:19, Walter H. wrote: Hello what is the essential difference between the default squid package and this squid34 package, as I have problems using this squid34 package for FTP connections; there are no

Re: [squid-users] CentOS6 and squid34 package ...

2017-05-27 Thread Walter H.
On 25.05.2017 21:51, Mike wrote: Walter, what I've found is when compiling to squid 3.5.x and higher, the compile options change. Also remember that many of the options that were available with 3.1.x are deprecated and likely will not work with 3.4.x and higher. the compile options are not

Re: [squid-users] CentOS6 and squid34 package ...

2017-05-25 Thread Walter H.
On 25.05.2017 12:50, Amos Jeffries wrote: On 25/05/17 20:19, Walter H. wrote: Hello what is the essential difference between the default squid package and this squid34 package, Run "squid -v" to find out if there are any build options different. Usually its just two alternativ

Re: [squid-users] Logs from traffic that don't belong to either whitelist or blacklist

2017-05-25 Thread Walter H.
On 25.05.2017 11:25, Amos Jeffries wrote: On 25/05/17 19:51, Miguel Barbero wrote: Good morning, We have a special requirement and we are not sure whether it's possible to accomplish. We have defined a whitelist and a blacklist on our Squid. Its behaviour is as usual and how it could

Re: [squid-users] Logs from traffic that don't belong to either whitelist or blacklist

2017-05-25 Thread Walter H.
On 25.05.2017 09:51, Miguel Barbero wrote: Good morning, We have a special requirement and we are not sure whether it's possible to accomplish. We have defined a whitelist and a blacklist on our Squid. Its behaviour is as usual and how it could expect. All the traffic less blacklist is

[squid-users] CentOS6 and squid34 package ...

2017-05-25 Thread Walter H.
Hello what is the essential difference between the default squid package and this squid34 package, as I have problems using this squid34 package for FTP connections; there are no shown icons, when going to e.g. ftp://ftp.adobe.com/ when I tell the browser to show the image then I get this

Re: [squid-users] Squid custom error page

2017-05-18 Thread Walter H.
On 18.05.2017 19:40, chcs wrote: One more question: With 2 different CA certificates to block twitter.com, different results. Issuer: self-signed 10.0.0.100 TAG_NONE/403 4709 GET https://www.twitter.com/ - HIER_NONE/- text/html Result: no problem, it shows me squid custom error page

[squid-users] list generates error messages ...

2017-05-17 Thread Walter H.
whenever I send a mail to the list, I get such an error message back from mailer-dae...@squid-cache.org This is the mail system at host lists.squid-cache.org. I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below. For further

Re: [squid-users] Squid custom error page

2017-05-17 Thread Walter H.
On 17.05.2017 16:04, Amos Jeffries wrote: On 17/05/17 23:32, chcs wrote: Expected Results: Display proxy server error page with deny info. This is a well-known problem with Browsers, they all refuse to display any response to a CONNECT tunnel message.

Re: [squid-users] Squid + IPv6

2017-05-16 Thread Walter H.
On 16.05.2017 21:21, IAPS Security Services, Ltd. wrote: How can I compile squid for windows to get around the 128 ip limit imposed? have you ever tried to give each network interface more than 128 IP addresses at a time?

[squid-users] Object Size?

2017-02-08 Thread Walter H.
Hello, the setting maximum_object_size 4 MB is the default; would the following setting maximum_object_size 2 MB also mean, that there would be stored much more objects on disk? Thanks Walter

Re: [squid-users] Hint for howto wanted ...

2016-11-29 Thread Walter H.
On Tue, November 29, 2016 03:59, Amos Jeffries wrote: > On 29/11/2016 7:49 a.m., Walter H. wrote: >> Hey, >> >> On 28.11.2016 14:51, Eliezer Croitoru wrote: >>> Now to me the picture is much clear technically. >>> As Amos suggested fix the first proxy(and

Re: [squid-users] Hint for howto wanted ...

2016-11-29 Thread Walter H.
Hello, On Mon, November 28, 2016 22:45, Eliezer Croitoru wrote: > So much clear now to a solution. > If you don’t know what Policy Based Routing and you have a bunch of VM's and you are configuring the proxy in the browser manually you just need to install on the first proxy 3.5.22 that allows

Re: [squid-users] Hint for howto wanted ...

2016-11-28 Thread Walter H.
Hey, On 28.11.2016 14:51, Eliezer Croitoru wrote: Now to me the picture is much clear technically. As Amos suggested fix the first proxy(and I am adding choose how to approach) and then move on to the next ones. why fix the first proxy, I wouldn't need it, if ssl-bump plus parent proxy (the

Re: [squid-users] Hint for howto wanted ...

2016-11-28 Thread Walter H.
the client machine(3.1.X)? > > All the above matters to understand how to offer the right solution. > > Eliezer > > > Eliezer Croitoru > Linux System Administrator > Mobile: +972-5-28704261 > Email: elie...@ngtech.co.il > > > -Original Message- > Fr

Re: [squid-users] Hint for howto wanted ...

2016-11-28 Thread Walter H.
On Mon, November 28, 2016 06:56, Eliezer Croitoru wrote: > OK so the next step is: > Routing over tunnel to the other proxy and on it(which has ssl-bump) > intercept. by now only the 3.5.20 squid on the local VM does SSL-bump > If you have a public on the remote proxies which can use ssl-bump

Re: [squid-users] Hint for howto wanted ...

2016-11-27 Thread Walter H.
-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Walter H. Sent: Sunday, November 27, 2016 19:17 To: squid-users@lists.squid-cache.org Subject: [squid-users] Hint for howto wanted ... Hello, I've got a special problem ... I have several devices in my LAN: - PCs, Notebooks - a Tab

[squid-users] Hint for howto wanted ...

2016-11-27 Thread Walter H.
Hello, I've got a special problem ... I have several devices in my LAN: - PCs, Notebooks - a Tablet-PC - a Smartphone - a Television on my LAN I've two squids as VMs on my PC (both are CentOS 6) I also have a virtual server (a CentOS 6, too) at a webhoster in a different country, which I

[squid-users] CentOS 6, Squid 3.5.20, Error message in /var/log/squid/cache.log

2016-11-23 Thread Walter H.
Hello, can someone tell me, especially the maintainer of the binary packages for CentOS what this message 2016/11/23 19:08:58 kid1| Error negotiating SSL on FD 39: error::lib(0):func(0):reason(0) (5/0/0) should say to me ... Thanks, Walter

Re: [squid-users] CentOS 6.x and SELinux enforcing with Squid 3.5.x (thanks to Eliezer Croitoru for the RPM)

2016-10-18 Thread Walter H.
On Tue, October 18, 2016 13:31, Garri Djavadyan wrote: > On Tue, 2016-10-18 at 13:02 +0200, Walter H. wrote: >> Hello, >> >> just in case anybody wants to run Squid 3.5.x on CentOS >> with SELinux enforcing, >> >> here is the semodule >>

[squid-users] Ciphersuites with SSL bump [squid 3.5.19]

2016-05-20 Thread Walter H.
Hello, I'd like to disable some ciphersuites when connecting with web servers; when I go there: https://cc.dcsec.uni-hannover.de/ I'm shown this (only the column with ciphersuite names): ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA384

[squid-users] SSL-Bump and generated certificates ...

2016-05-16 Thread Walter H.
Hello, I updated squid 3.4.10 to 3.5.19 on my CentOS VM, I noticed that the generated certificates are now SHA2 and not SHA1, can I influence somewhere to generate still SHA1 certificates? (I have devices which use this proxy and are not able to handle SHA2) Thanks, Walter

Re: [squid-users] Regular expressions with dstdom_regex ACL

2016-05-13 Thread Walter H.
On Fri, May 13, 2016 07:32, Amos Jeffries wrote: > On 13/05/2016 3:44 p.m., Walter H. wrote: >> p.s. >> the sample here >> http://wiki.squid-cache.org/ConfigExamples/Chat/Skype >> doesn't work, too >> > > The skype pattern is matching the port Skype uses.

Re: [squid-users] Regular expressions with dstdom_regex ACL

2016-05-12 Thread Walter H.
On 12.05.2016 22:20, Walter H. wrote: Hello, can someone please tell me how I can achieve this? the result should be that any URL like this http(s)://ip-address/ should be blocked by the specified error page Thanks and Greetings from Austria, Walter p.s. the sample here http://wiki.squid

[squid-users] Regular expressions with dstdom_regex ACL

2016-05-12 Thread Walter H.
Hello, can someone please tell me which regular expression(s) would really block domains which are IP hosts for IPv4 this is my regexp: ^[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}$ and this works as expected acl block_domains_iphost dstdom_regex
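An added check for the dstdom_regex question above and for the 2018-07-29 "block visit 80/443 browsing via IP" thread (this is my example, not code from either post): it runs the IPv4 pattern exactly as posted over a handful of hostnames (made up or well known) and puts a stricter pattern beside it that bounds each octet to 0-255 and also catches IPv6 literals. Whether Squid hands dstdom_regex an IPv6 literal with or without the URL brackets is an assumption here, so the IPv6 pattern accepts both forms; the lower-case hex also assumes the host is lower-cased or the ACL uses -i.

```python
"""Checking a Squid dstdom_regex for IP-literal request hosts."""
import re

# Exactly as posted: up to three digits per octet, no range check.
POSTED = re.compile(
    r"^[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}$")

# 0-255 without leading zeros, four of them: rejects 256.x and 299.x
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
STRICT_V4 = re.compile(r"^%s(?:\.%s){3}$" % (OCTET, OCTET))
# Hex groups with at least two colons; optional [] as written in URLs
# (assumption: Squid may present the literal either way).
STRICT_V6 = re.compile(r"^\[?[0-9a-f]{0,4}(?::[0-9a-f]{0,4}){2,7}\]?$")


def matches_posted(host):
    """Does the pattern from the post match this request host?"""
    return POSTED.match(host) is not None


def is_ip_literal(host):
    """True when the request host is an address rather than a DNS name."""
    return STRICT_V4.match(host) is not None or STRICT_V6.match(host) is not None


# host -> (posted pattern matches, strict patterns match); sample hosts
EXPECTED = {
    "192.168.1.1": (True, True),
    "8.8.8.8": (True, True),
    "299.299.299.299": (True, False),        # posted regex accepts impossible octets
    "256.1.1.1": (True, False),
    "1.2.3": (False, False),
    "www.example.com": (False, False),
    "10.0.0.1.example.com": (False, False),  # address-looking label inside a name
    "1e100.net": (False, False),             # hex-looking label is still a name
    "[2001:db8::1]": (False, True),
    "2001:db8::1": (False, True),
}


def check_all():
    """Evaluate both pattern sets over the sample hosts."""
    return {h: (matches_posted(h), is_ip_literal(h)) for h in EXPECTED}


if __name__ == "__main__":
    for host, (posted, strict) in check_all().items():
        print("%-22s posted=%-5s strict=%-5s" % (host, posted, strict))
```

The two strict patterns drop into the same file the posted ACL reads (one pattern per line); the only behavioural difference from the posted one is that octets above 255 no longer count as an address and IPv6 literals do.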

[squid-users] DNS-Errors ... squid-cache.org

2016-05-10 Thread Walter H.
Hello, has anybody an idea where this errors come from, or what is causing them? May 10 11:21:00 lxwaldivm-001 named[30098]: error (unexpected RCODE REFUSED) resolving 'lists.squid-cache.org/MX/IN': 173.255.241.90#53 May 10 11:21:01 lxwaldivm-001 named[30098]: error (connection refused)

Re: [squid-users] How to suppress SQUID_X509_V_ERR_DOMAIN_MISMATCH error for known domains?

2016-03-26 Thread Walter H.
On 26.03.2016 11:53, Yuri Voinov wrote: Look at this, gents. http://i.imgur.com/kxrOEVd.png can you give me the complete URL just for testing purpose; https://download.microsoft.com/ does a forward to https://www.microsoft.com/en-us/download which squid version is in use?

[squid-users] SSL-bump and Ciphersuite?

2016-01-11 Thread Walter H.
Hello, I'd restrict the client by using a less resource consuming TLS encryption; I thought of doing just this e.g. http_port 3128 ... cipher=3DES ... (for restricting clients connecting to 3DES) or what would be less resource consuming? AES128? but where can I see, which ciphersuite is really
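An added check for this post and for the 2016-05-20 "Ciphersuites with SSL bump" post (my example, not code from the thread): the http_port cipher= option, sslproxy_cipher and a list of suites to disable are all OpenSSL cipher strings, and Python's ssl module wraps the same library, so it can show which suites a string really enables before it goes into squid.conf. The strings below are constructed for the demo. Which OpenSSL build Squid is linked against decides the real outcome, so run this on the proxy host; TLS 1.3 suites are listed separately because OpenSSL 1.1.1+ selects them with a setting that set_ciphers() does not touch.

```python
"""Expand an OpenSSL cipher string the way Squid's OpenSSL will see it."""
import ssl

# Name fragments that should never survive in an outgoing cipher list.
WEAK = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH")


def expand(cipher_string):
    """Return (pre_tls13_names, tls13_names) enabled by cipher_string.

    ([], []) means OpenSSL could not select a single suite from it, which
    is what a typo or an over-restrictive '!' list looks like from Squid.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return [], []
    suites = ctx.get_ciphers()
    return ([c["name"] for c in suites if c["protocol"] != "TLSv1.3"],
            [c["name"] for c in suites if c["protocol"] == "TLSv1.3"])


def weak_suites(names, weak=WEAK):
    """Suite names that still contain a fragment from the weak list."""
    return [n for n in names if any(tok in n for tok in weak)]


def describe(cipher_string):
    """(name, protocol, strength_bits) per pre-TLS1.3 suite, for eyeballing
    what 'cipher=3DES' or 'AES128' would actually offer to clients."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [(c["name"], c["protocol"], c["strength_bits"])
            for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


if __name__ == "__main__":
    # Constructed candidates: a broad default, a hardened list, and the
    # 3DES-only idea from the post (empty on builds that no longer ship it).
    for s in ("HIGH:!aNULL:!MD5",
              "EECDH+AESGCM:EDH+AESGCM:!RC4:!3DES:!aNULL",
              "3DES"):
        legacy, tls13 = expand(s)
        print("%-45s %3d suites (+%d TLS1.3), weak: %s"
              % (s, len(legacy), len(tls13), weak_suites(legacy) or "none"))
```

Squid reports the negotiated suite only in the TLS handshake itself, so for the "which ciphersuite is really used" part of the question, the cipher list that expand() returns is the set the handshake can pick from; what was actually chosen has to be read off the connection (for example with a packet capture of the ServerHello).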

Re: [squid-users] SSL-bump and Ciphersuite?

2016-01-11 Thread Walter H.
Hello Amos, On Mon, January 11, 2016 11:13, Amos Jeffries wrote: > On 11/01/2016 10:50 p.m., Walter H. wrote: >> Hello, >> >> I'd restrict the client by using a less resource consuming TLS >> encryption; >> >> I though doing just this >&

Re: [squid-users] Using subordinate CA for SSL Bump

2015-12-17 Thread Walter H.
On 14.12.2015 22:26, Yuri Voinov wrote: Hi all. Does anybody can tell me - is it possible to use subordinate secondary CA in squid for SSL Bumping purpose? this is possible; I had this for several months this way; I.e., we have self-signed primary CA for issue subordinate CA, subordinate CA

Re: [squid-users] Using subordinate CA for SSL Bump

2015-12-17 Thread Walter H.
On 17.12.2015 18:01, Alex Rousskov wrote: On 12/17/2015 03:12 AM, Yuri Voinov wrote: This looks like. Root CA doesn't send. Subordinate CA uses as signer for mimicked. All and any clients got security alert. There may still be some terminology misunderstanding here because not sending the

Re: [squid-users] http request header must use hostname

2015-12-07 Thread Walter H.
On 07.12.2015 08:49, Amos Jeffries wrote: On 7/12/2015 5:41 p.m., Walter H. wrote: On 07.12.2015 00:21, Amos Jeffries wrote: Getting complicated... So xxiao8, why does one want to censor these requests anyway? Amos try to connect natively with the IP-Address instead of the hostname

Re: [squid-users] http request header must use hostname

2015-12-06 Thread Walter H.
On 07.12.2015 00:21, Amos Jeffries wrote: Getting complicated... So xxiao8, why does one want to censor these requests anyway? Amos try to connect natively with the IP-Address instead of the hostname ... the SSL certificate of the host itself prevents the connection without message in the

Re: [squid-users] Block google pictures

2015-11-26 Thread Walter H.
use SSL bump and block URLs and/or URL-paths On 26.11.2015 15:27, Funke, Martin wrote: Im using squid + squid guard in a primary school and sometimes the primary-school pupil search for penis and things like that :). That’s why I need a way to stop them doing these things.

Re: [squid-users] sslBump adventures in enterprise production environment

2015-11-14 Thread Walter H.
On 13.11.2015 14:53, Yuri Voinov wrote: There is no solution for ICQ with Squid now. You can only bypass proxying for ICQ clients. from where do the ICQ clients get the trusted root certificates? maybe this is the problem, that e.g. the squid CA cert is only installed in FF and nowhere else

Re: [squid-users] ssl bump and url_rewrite_program (like squidguard)

2015-11-12 Thread Walter H.
On 05.11.2015 04:26, Amos Jeffries wrote: There was a bug about the wrong SNI being sent to servers on bumped traffic that got re-written. That got fixed in Squid-3.5.7 and re-writers should have been fully working since then. This seems to be a bug in 3.5.x only with 3.4.10 this works fine

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-20 Thread Walter H.
On 19.10.2015 01:01, Amos Jeffries wrote: If you are interested in getting this helper bundled with Squid No; the details on how to prepare and submit a patch to squid-dev mailing list are at: The style guide-line is not compatible with mine

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-20 Thread Walter H.
it was just the solution I did for myself, and brought it to the "public" AS IS. On 21.10.2015 00:53, Brett Lymn wrote: On Tue, Oct 20, 2015 at 12:45:57PM +0200, Walter H. wrote: The style guide-line is not compatible with mine (space - tab); which can be fixed mostly b

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-18 Thread Walter H.
On 04.10.2015 21:08, Walter H. wrote: Hello, does anybody know if squid does certificate checks and how to tell squid to do so; this is a site with a revoked certificate https://revoked.grc.com/ without squid, the browser shows that the certificate is revoked and doesn't show the page

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-07 Thread Walter H.
On 07.10.2015 11:05, Amos Jeffries wrote: On 7/10/2015 4:27 a.m., Alex Rousskov wrote: On 10/06/2015 01:27 AM, Jason Haar wrote: Good catch - I don't think squid does CRL/OCSP checks But this is a bug in squid - this means untrustworthy certs become trusted again - not a good look IIRC,

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-07 Thread Walter H.
On 07.10.2015 16:48, Amos Jeffries wrote: or sslcrtvalidator_program cache=8192 ttl=240 /usr/lib64/squid/cert_valid.pl sslcrtvalidator_children 12 startup=5 idle=1 concurrency=1 can I have a working sample of valid_cert.pl that results in an "access denied" or any other error page of squid?

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-06 Thread Walter H.
Hello, can you please provide an example of how to use this in squid.conf by the way how would I use these sslcrtvalidator_program and sslcrtvalidator_children Thanks, Walter On Tue, October 6, 2015 09:27, Jason Haar wrote: > Good catch - I don't think squid does CRL/OCSP checks > > I'm using

[squid-users] Possible Bug in squid? [Fwd: Re: [openssl-users] Problem checking certificate with OCSP]

2015-10-05 Thread Walter H.
ephen Henson" <st...@openssl.org> Date:Mon, October 5, 2015 17:11 To: openssl-us...@openssl.org -- On Mon, Oct 05, 2015, Walter H. wrote: > Hello, > > attached is the certificate and its chain of

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-04 Thread Walter H.
On 04.10.2015 21:08, Walter H. wrote: Hello, does anybody know if squid does certificate checks and how to tell squid to do so; this is a site with a revoked certificate https://revoked.grc.com/ without squid, the browser shows that the certificate is revoked and doesn't show the page

[squid-users] Ssl-Bump and revoked server certificates

2015-10-04 Thread Walter H.
Hello, does anybody know if squid does certificate checks and how to tell squid to do so; this is a site with a revoked certificate https://revoked.grc.com/ without squid, the browser shows that the certificate is revoked and doesn't show the page with squid, the page is shown ... Thanks,

Re: [squid-users] Squid 3.5.9 RPM are available

2015-09-30 Thread Walter H.
Hello, can you do a little test for me? can you please try the following acl acl block_as4837 dst_as 4837 http_access deny block_as4837 and then try in a browser http://sudo.ml Thanks, Walter On 30.09.2015 18:45, Veiko Kukk wrote: On 30/09/15 18:27, Veiko Kukk wrote: I'm sorry, should

[squid-users] SSL-bump and Public Key Pinning (HPKP)

2015-07-05 Thread Walter H.
Hello, I'm using squid with ssl-bump, after updating (I update only in bigger steps and not this often) my browser I realize, that this supports HPKP; I didn't find how to deactivate this - Chrome 43 so I thought, I could prevent squid of replying this header field with this:

[squid-users] Correct Syntax for ACL?

2015-05-27 Thread Walter H.
Hello, would this be the correct syntax: acl crl-file url_regex -i \.crl$ or need it to be acl crl-file url_regex -i \.crl$ how does squid distinguish between a file containing rules e.g. acl acl-file url_regex -i /etc/url-acl.squid or the rule itself e.g. acl acl-rule url_regex -i \.exe$

Re: [squid-users] IPv6 and syntax?

2015-05-16 Thread Walter H.
On 16.05.2015 01:41, Amos Jeffries wrote: On 16/05/2015 6:14 a.m., Walter H. wrote: Hello, is IPv6 somewhat similar to IPv4? Somewhat, yes. I just wondered because of the different behaviour; e.g. I would write acl block_ipv4_range dst 84.84.84.0/24 deny_info errorpage block_ipv4_range

[squid-users] IPv6 and syntax?

2015-05-15 Thread Walter H.
Hello, is IPv6 somewhat similar to IPv4? e.g. I would write acl block_ipv4_range dst 84.84.84.0/24 deny_info errorpage block_ipv4_range http_access deny block_ipv4_range to block any hosts within this IPv4 range how would be the syntax for blocking any hosts within a specific IPv6 subnet
