On 15/05/2013 4:30 p.m., neeraj kharbanda wrote:
> thanks for reply. What are the work arounds if there are any.
> regards
If the "problem" is sites actually using SSL properly. Then no there are
no workarounds. SSL was designed to prevent eavesdropping - it does so
very well when used properly and Squid cannot change or workaround that.
If the problem is alternative protocols in use, then check your using an
up to date Squid release. We have them tunnelling intercepted non-HTTPS
traffic when possible now. The problem is mostly to do with client
handling of the errors though - if thats broken "tough luck".
Amos
> On Mon, May 13, 2013 at 4:57 AM, Amos Jeffries wrote:
>> On 13/05/2013 3:03 a.m., neeraj kharbanda wrote:
>>> Hi,
>>> why some sites dont open when redirected through squid ?? Mostly
>>> secure sites. I'm using snat redirection of iptables.
>>
>> Because SSL is a security protocol designed to prevent interception such as
>> NAT.
>>
>> Any site which is *correctly* using SSL/TLS security procedures with
>> validation at both client and server ends will not work when NAT'ed to a
>> proxy. Some sites have been doing that for a long time, and as SSL
>> interception of half-validating sites is growing in popularity so are the
>> number of sites which are improving their validations.
>>
>> Also, port 443 is used for approximately 5 different protocols these days.
>> HTTPS, WebSockets, and several versions of SPDY. Sites using any of the
>> non-HTTPS will not work well through an HTTP(S) intercepting Squid.
>>
>>
>> Amos
>
>
Received on Wed May 15 2013 - 11:36:23 MDT
This archive was generated by hypermail 2.2.0 : Wed May 15 2013 - 12:00:10 MDT