several sites - cloudflare not working with ssl-bump ...


several sites - cloudflare not working with ssl-bump ...

Walter H.
Hello,

can someone explain why
sites such as https://dnslytics.com/
do not work any more with 'server-first',
and only work with 'client-first'?

Thanks,
Walter


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users


Re: several sites - cloudflare not working with ssl-bump ...

Amos Jeffries
Administrator
On 25/02/20 5:00 am, Walter H. wrote:
> Hello,
>
> can someone explain why
> sites such as https://dnslytics.com/
> do not work any more with 'server-first',
> and only work with 'client-first'?
>

Not with the lack of information supplied.

Amos

Re: several sites - cloudflare not working with ssl-bump ...

Walter H.
On Tue, February 25, 2020 06:30, Amos Jeffries wrote:

> On 25/02/20 5:00 am, Walter H. wrote:
>> Hello,
>>
>> can someone explain why
>> sites such as https://dnslytics.com/
>> do not work any more with 'server-first',
>> and only work with 'client-first'?
>>
>
> Not with the lack of information supplied.
>
> Amos

part of my squid.conf

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl nobumpsites ssl::server_name "/etc/squid/sslnobumpsites-acl.squid"

# this doesn't work; my own site also works only with SNI
ssl_bump peek step1
ssl_bump splice nobumpsites
ssl_bump stare step2
ssl_bump bump all

# this works
#ssl_bump client-first

# this doesn't work with these sites
#ssl_bump server-first

even wget shows this:
ERROR: no certificate subject alternative name matches
which means that SNI isn't correctly handled, but why and which part of
the chain is causing this?

this problem has existed since e.g. dnslytics.com got a new SSL certificate this year

Thanks,
Walter



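As an added example (not part of the thread, and not Squid's own code): the wget error above is the result of a hostname-against-SAN check, and the difference between the working and failing bump modes is whether the origin receives the client's SNI before it picks a certificate. The script below reimplements that SAN match and, with network access, probes a host once with SNI and once without; the SAN lists used in the test are constructed, and the hostname and port are assumptions.

```python
import socket
import ssl
from typing import Dict, List


def san_matches(hostname: str, san_names: List[str]) -> bool:
    """True if hostname is covered by one of the certificate's dNSName SAN
    entries. A wildcard is honoured only as the whole left-most label and
    matches exactly one label, which is the rule wget applies before it
    reports "no certificate subject alternative name matches"."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in san_names:
        labels = name.lower().rstrip(".").split(".")
        if labels[0] == "*":
            # *.example.com covers www.example.com, not example.com or a.b.example.com
            if len(labels) == len(host_labels) and labels[1:] == host_labels[1:]:
                return True
        elif labels == host_labels:
            return True
    return False


def fetch_san_names(hostname: str, port: int = 443, send_sni: bool = True) -> List[str]:
    """Open a TLS connection and return the dNSName SAN entries of the leaf
    certificate. With send_sni=False the ClientHello carries no SNI, which is
    what the origin sees when the proxy opens the server side before it has
    looked at the client hello (the server-first case). The chain is still
    validated against the system trust store; only the name check is ours."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # name matching is done by san_matches() instead
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname if send_sni else None) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def diagnose(hostname: str, port: int = 443) -> Dict[str, bool]:
    """Compare the name check with and without SNI. A host that only passes
    when SNI is sent cannot be bumped in a mode that connects to the origin
    before the client's SNI is known; peek at step1 then stare/bump keeps it."""
    return {
        "with_sni": san_matches(hostname, fetch_san_names(hostname, port, send_sni=True)),
        "without_sni": san_matches(hostname, fetch_san_names(hostname, port, send_sni=False)),
    }


if __name__ == "__main__":
    print(diagnose("dnslytics.com"))  # hostname from the thread; needs network access
```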