RE: [squid-users] sslbump and always_direct

From: Ming Fu <Ming.Fu_at_watchguard.com>
Date: Fri, 28 Jan 2011 13:29:14 +0000

Did some tcpdump between the squid and its parent proxy, saw many connections on port 443 were sent in clear. So sslbump + parent proxy is not advisable for now.

Ming

-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: January-27-11 11:59 AM
To: squid-users_at_squid-cache.org
Subject: Re: [squid-users] sslbump and always_direct

On 28/01/11 01:53, Ming Fu wrote:
> Hi Amos,
>
> Does this mean if I use sslbump, I can't have a parent proxy?
>

Should work most of the time. Just be aware there is at least one bug.
We know it bites badly when there is auth involved, other circumstances
are unknown.


> -----Original Message-----
> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
> Sent: January-26-11 5:53 PM
> To: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] sslbump and always_direct
>
> On Wed, 26 Jan 2011 20:18:08 +0000, Ming Fu wrote:
>> Hi,
>>
>>
>> The wiki sample http://wiki.squid-cache.org/Features/SslBump suggested
>> adding "always_direct allow all".
>>
>> This will prevent me from having a peer proxy when sslbump is
>> configured.
>>
>> Wonder what is the reason behind the setting.
>
> With ssl-bump Squid will hit bugs when un-wrapping back to a CONNECT
> request or may send raw unencrypted https://... URLs to the peers.
>

Amos
--
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.10
   Beta testers wanted for 3.2.0.4
Received on Fri Jan 28 2011 - 13:29:23 MST
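
Added example (not part of the original thread and not Squid code): a Python check for the two symptoms reported above, a raw `https://` URL sent unencrypted to a peer and non-TLS bytes on port 443. It assumes the first payload of each Squid-to-peer connection has already been extracted from a capture; the flow ids, hosts and the peer port 3128 are constructed sample values.

```python
import re

# Start of a cleartext HTTP/1.x request: METHOD SP target SP version.
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r?\n")

def classify_first_payload(payload: bytes) -> str:
    """Classify the first client-to-server bytes of one TCP connection."""
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    # SSLv2-format hellos are not recognised and come back as "unknown".
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    match = REQUEST_LINE.match(payload)
    if match is None:
        return "unknown"
    method, target = match.groups()
    if method == b"CONNECT":
        return "connect-tunnel"       # tunnel request; TLS follows inside it
    if target.lower().startswith(b"https://"):
        return "cleartext-https-url"  # bumped request forwarded unencrypted
    return "plain-http"

def audit(flows):
    """Return (flow_id, reason) for every flow that exposes HTTPS traffic."""
    findings = []
    for flow_id, dst_port, payload in flows:
        kind = classify_first_payload(payload)
        if kind == "cleartext-https-url":
            findings.append((flow_id, "https:// URL sent unencrypted to peer"))
        elif dst_port == 443 and kind != "tls":
            findings.append((flow_id, "non-TLS payload on port 443"))
    return findings

# Constructed sample data: (flow id, destination port, first payload bytes).
SAMPLE_FLOWS = [
    ("flow-1", 3128, b"CONNECT mail.example.com:443 HTTP/1.1\r\n"
                     b"Host: mail.example.com:443\r\n\r\n"),
    ("flow-2", 3128, b"GET https://mail.example.com/inbox HTTP/1.1\r\n"
                     b"Host: mail.example.com\r\n\r\n"),
    ("flow-3", 443, b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01"),
    ("flow-4", 443, b"GET /inbox HTTP/1.1\r\nHost: mail.example.com\r\n\r\n"),
    ("flow-5", 3128, b"GET http://www.example.com/ HTTP/1.1\r\n"
                     b"Host: www.example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for flow_id, reason in audit(SAMPLE_FLOWS):
        print(f"{flow_id}: {reason}")
```
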
