On 06/15/2014 12:31 PM, Douglas Davenport wrote:
> Interesting, I thought bump server first solved this type of problem.
In server-first bumping, Squid just mimics whatever certificate the
server responds with. If the server responds with the "wrong"
certificate, Squid mimics that.
> I wonder how is google serving different certs for gmail.com vs
> mail.google.com at the same IP is this SNI. Is that something squid is
> likely to support one day?
It sounds like SNI could indeed be involved here. IIRC,
bump-server-first does not forward SNI to the origin server because
Squid does not know the client SNI at server bumping time.
Consider trying SSL Peek and Splice. I am not 100% sure it forwards SNI
today, but that feature builds the necessary [complex!] infrastructure
to do so: http://wiki.squid-cache.org/Features/SslPeekAndSplice
HTH,
Alex.
>> On 06/13/2014 09:56 PM, Douglas Davenport wrote:
>>>
>>> I have squid 3.3.10 setup with sslbump working for all sites except
>>> when a user tries to type in gmail.com. For some reason the browser
>>> complains about certificate name mismatch. On examination the
>>> generated cert is actually for mail.google.com. Apparently google is
>>> redirecting buy why does this error happen only with sslbump. Anyone
>>> else have this issue, workarounds?
>>>
>>> Thanks in advance!
>>>
>>
Received on Mon Jun 16 2014 - 16:26:58 MDT
This archive was generated by hypermail 2.2.0 : Tue Jun 17 2014 - 12:00:06 MDT