Re: [squid-users] Transparent Proxy - Windows Update - 0x80072F8F

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 12 Jun 2009 03:50:11 +1200

Steven.Glogger_at_swisscom.com wrote:
> hi all
>
> i've tried to google around for this topic and to search the archives
> the last 2 hours, but it seems i'm not able to solve the problem.
>
> my issue is this: i'm using a transparent proxy (squid 3.0) to
> regulate internet access. my server (freebsd 7.2) is forwarding all
> http AND https traffic to a squid (compiled with transparent option),
> but using ipfw:
>
>   add 15000 fwd 127.0.0.1,3128 tcp from table(10) to any 80,8080 recv xl0 keep-state
>   add 15001 fwd 127.0.0.1,3129 tcp from table(10) to any 443 recv xl0 keep-state
>
> squid is listening on 3128 for http and 3129 for https.
>
> this works perfect and my users can surf normally the internet, also
> websites with SSL are working (getting an error of the SSL, because
> the certificate does not really match). but anyway.
>
> i've attached my squid.conf for reference.
>
> but anyway, testing apple updates -> no problem. trying to update
> windows -> error.
>
> i get error 0x80072F8F complaining about the date/time of the update
> certificate.
>
> is there a way to solve my problems? i've tried using no-cache,
> allow_direct, etc.. and I failed.
>
> -steven

Welcome to the world of security protection against man-in-middle
attacks (the correct name for 'transparent' interception proxy mode).

Windows Update requires an HTTPS authentication request to succeed before
it will update. The authenticator unconditionally verifies the security
certificates as all good browsers and web clients should also be doing.

... catch my drift?

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
   Current Beta Squid 3.1.0.8 or 3.0.STABLE16-RC1
Received on Thu Jun 11 2009 - 15:50:18 MDT
