Re: [squid-users] Firefox update problems

From: Nathan Hoad <nathan_at_getoffmalawn.com>
Date: Tue, 7 Jan 2014 17:00:24 +1100

If you're accessing Squid as a transparent proxy, you can add in a
firewall rule to exclude the IP addresses of Mozilla's servers from
being redirected to Squid.

If you're using Squid as a direct proxy, you can add an SSL bump
exclusion in your squid.conf like so:

acl sslbump_exclusions dstdomain domain.you.want.to.exclude
ssl_bump none sslbump_exclusions

This will prevent Squid from attempting to decrypt the traffic after
the initial CONNECT request. Note that this assumes the clients using
Squid will send the domain in the CONNECT requests - if you want to
cover the clients that don't do this, use the 'dst' acl type instead:

acl sslbump_exclusions_ip dst 1.2.3.4
ssl_bump none sslbump_exclusions_ip

Nathan.

--
Nathan Hoad
Software Developer
www.getoffmalawn.com

On Tue, Jan 7, 2014 at 11:59 AM, Roman Gelfand <rgelfand2_at_gmail.com> wrote:
> I have an ssl bump setup with ssl_bump server-first all.
>
> When Firefox is attempting an update, the end user gets the error "something
> is trying to trick firefox into accepting an insecure update".
>
> From what I gathered, unless I am wrong, Firefox doesn't like it when
> the certificate changes in the middle.
>
> In any case, is there a way to deal with this either specifically
> bypassing ssl bump or something else?
>
> Thanks in advance
Received on Tue Jan 07 2014 - 06:00:57 MST
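
An added example, not part of the original thread and not Squid's own code: a simplified Python model of how Squid picks an ssl_bump action (the first matching line wins), used to check that the exclusions from the reply sit ahead of the `ssl_bump server-first all` rule from the question. The domain, the IP address and the function names are constructed placeholders, and the model does no DNS lookups.

```python
import ipaddress

# Constructed squid.conf fragment: the thread's ACL names with a placeholder
# domain and a documentation-range IP (assumptions, not values from the thread).
CONF = """
acl sslbump_exclusions dstdomain .updates.example.net
acl sslbump_exclusions_ip dst 192.0.2.10
ssl_bump none sslbump_exclusions
ssl_bump none sslbump_exclusions_ip
ssl_bump server-first all
"""

def parse(conf):
    """Return (acls, rules) from acl and ssl_bump lines, in file order."""
    acls, rules = {"all": [("all", "")]}, []
    for line in conf.splitlines():
        tok = line.split("#")[0].split()
        if tok[:1] == ["acl"] and len(tok) >= 4:
            acls.setdefault(tok[1], []).extend((tok[2], v) for v in tok[3:])
        elif tok[:1] == ["ssl_bump"] and len(tok) >= 3:
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(values, host):
    """Simplified model: no DNS lookups, so an IP never matches dstdomain."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, val in values:
        if kind == "all":
            return True
        if kind == "dst" and ip is not None and ip in ipaddress.ip_network(val, strict=False):
            return True
        if kind == "dstdomain" and ip is None:
            h, v = host.lower(), val.lower()
            if h == v.lstrip(".") or (v.startswith(".") and h.endswith(v)):
                return True
    return False

def ssl_bump_action(conf, connect_host):
    """First ssl_bump line whose ACLs all match wins; no match means no bump."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(acl_matches(acls.get(n.lstrip("!"), []), connect_host) != n.startswith("!")
               for n in names):
            return action
    return "none"
```

Calling `ssl_bump_action(CONF, host)` with a hostname or an IP literal returns the action that would apply to that CONNECT target; moving the `server-first all` line above the exclusions makes every target come back as `server-first`.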
