Re: [squid-users] Safari 9 vs. SSL Bump

2015-10-18 Thread Amos Jeffries
On 19/10/2015 12:35 p.m., Dan Charlesworth wrote: > Amos - > > I’m going to assume that request was directed at Alex, as I don’t have editor > access to the wiki. Let me know if not. > You or Jason actually, one who knows what to write :-) If you have or signup for a wiki account I can assign

Re: [squid-users] Safari 9 vs. SSL Bump

2015-10-18 Thread Dan Charlesworth
Amos - I’m going to assume that request was directed at Alex, as I don’t have editor access to the wiki. Let me know if not. > On 16 Oct 2015, at 4:22 PM, Amos Jeffries wrote: > > Can you please add to the Troubleshooting section at the end of >

Re: [squid-users] Safari 9 vs. SSL Bump

2015-10-15 Thread Amos Jeffries
Can you please add to the Troubleshooting section at the end of ? a brief sentence describing the symptom(s), then what was done to resolve it would be great. Amos ___ squid-users mailing list sq

Re: [squid-users] Safari 9 vs. SSL Bump

2015-10-15 Thread Dan Charlesworth
So after all that, it was my choice of keychain that was the problem. Every HTTPS site works with the CA cert in the System keychain as opposed to login. I’ll put that down to OS X probably using some system-level processes to do some of Safari’s work, or something. Thanks Alex, Amos, and Jason

Re: [squid-users] Safari 9 vs. SSL Bump

2015-10-15 Thread Dan Charlesworth
Great, thanks. Don’t know why I didn’t think of it before but I’ll try elevating it from Login -> System keychain and see what happens. > On 16 Oct 2015, at 11:51 AM, Jason Haar wrote: > > On 16/10/15 13:34, Dan Charlesworth wrote: >> Thanks! >> >> So ignoring the “bumpable” helper check, it’s

Re: [squid-users] Safari 9 vs. SSL Bump

2015-10-15 Thread Jason Haar
On 16/10/15 13:34, Dan Charlesworth wrote: > Thanks! > > So ignoring the “bumpable” helper check, it’s effectively peeking at step1 > and then bumping it like my config’s doing. > > I wonder what else could be differentiating it. Is your proxy CA just > installed in the Login keychain? Nope - di

Re: [squid-users] Safari 9 vs. SSL Bump

2015-10-15 Thread Dan Charlesworth
Thanks! So ignoring the “bumpable” helper check, it’s effectively peeking at step1 and then bumping it like my config’s doing. I wonder what else could be differentiating it. Is your proxy CA just installed in the Login keychain? > On 16 Oct 2015, at 11:26 AM, Jason Haar wrote: > > On 16/10/

Re: [squid-users] Safari 9 vs. SSL Bump

2015-10-15 Thread Jason Haar
On 16/10/15 13:08, Dan Charlesworth wrote: > ORLY > > I seem to recall this happening on 10.10 as well, but it could be an El > Capitan thing. Do you mind reminding me of your squid config Jason? With my config I'm trying to "aggressively" figure out if the transaction is safely going to be bump-ab

Re: [squid-users] Safari 9 vs. SSL Bump

2015-10-15 Thread Dan Charlesworth
ORLY I seem to recall this happening on 10.10 as well, but it could be an El Capitan thing. Do you mind reminding me of your squid config Jason? Thanks! > On 16 Oct 2015, at 11:06 AM, Jason Haar wrote: > > Just a data point, but I've just got up Safari on Yosemite connecting > through squid-3

Re: [squid-users] Safari 9 vs. SSL Bump

2015-10-15 Thread Jason Haar
Just a data point, but I've just got up Safari on Yosemite connecting through squid-3.5.10 to https://wikipedia.org/ with full bump-ing with no problems. Same with twitter.com and github.com. Click on the padlock shows the server cert chaining to my squidCA cert (which is trusted of course) ie th

Re: [squid-users] Safari 9 vs. SSL Bump

2015-10-14 Thread Alex Rousskov
On 10/14/2015 05:00 PM, Dan Charlesworth wrote: > I feel like if server-first is working there must be *some* > combination of peek/stare/bump that’ll work too—it can’t be that > “forward secrecy” cipher stuff. While that feeling is natural, you should resist it. Newer SslBump actions do not sim

Re: [squid-users] Safari 9 vs. SSL Bump

2015-10-14 Thread Dan Charlesworth
Thanks for clarifying, Alex. We tried this config but Safari still doesn’t like it, sadly. I feel like if server-first is working there must be *some* combination of peek/stare/bump that’ll work too—it can’t be that “forward secrecy” cipher stuff. I really don’t want our customers to have to

Re: [squid-users] Safari 9 vs. SSL Bump

2015-10-14 Thread Alex Rousskov
On 10/13/2015 09:08 PM, Dan Charlesworth wrote: > But in reality ssl_bump peek step1 & ssl_bump bump step3 is actually > splicing everything, it seems. This may not be related to your specific problem, but I want to clarify the above. ssl_bump peek step1 ssl_bump bump step3 A recent Squid

Re: [squid-users] Safari 9 vs. SSL Bump

2015-10-13 Thread Amos Jeffries
On 14/10/2015 5:03 p.m., Dan Charlesworth wrote: > I meant to say “forward secrecy”, which appears to be a list of specific > ciphers: > https://developer.apple.com/library/watchos/technotes/App-Transport-Security-Technote/index.html > > Anyone know how to translate that list of ciphers to use in

Re: [squid-users] Safari 9 vs. SSL Bump

2015-10-13 Thread Dan Charlesworth
I meant to say “forward secrecy”, which appears to be a list of specific ciphers: https://developer.apple.com/library/watchos/technotes/App-Transport-Security-Technote/index.html Anyone know how to translate that list of ciphers to use in sslproxy_cipher in squid.conf? > On 14 Oct 2015, at 2:39

Re: [squid-users] Safari 9 vs. SSL Bump

2015-10-13 Thread Dan Charlesworth
¯\_(ツ)_/¯ All I really have to go on is those errors com.apple.WebKit.Networking is logging which apparently points to a specific thing it’s missing called “forward transport security”. Only the peek@step1 seems to make it as far as any of squid’s logs. No other browsers affected that I can f

Re: [squid-users] Safari 9 vs. SSL Bump

2015-10-13 Thread Jason Haar
On 14/10/15 16:08, Dan Charlesworth wrote: > I thought that fixed it for a second … > > But in reality ssl_bump peek step1 & ssl_bump bump step3 is actually splicing > everything, it seems. > > Any other advice? :-) Could this simply be a pinning issue? ie does Safari track the CAs used by those s

Re: [squid-users] Safari 9 vs. SSL Bump

2015-10-13 Thread Dan Charlesworth
I thought that fixed it for a second … But in reality ssl_bump peek step1 & ssl_bump bump step3 is actually splicing everything, it seems. Any other advice? :-) > On 14 Oct 2015, at 1:51 PM, Amos Jeffries wrote: > > On 14/10/2015 1:13 p.m., Dan Charlesworth wrote: >> Throwing this out to the

Re: [squid-users] Safari 9 vs. SSL Bump

2015-10-13 Thread Amos Jeffries
On 14/10/2015 1:13 p.m., Dan Charlesworth wrote: > Throwing this out to the list in case anyone else might be trying to get SSL > Bump to work with the latest version of Safari. > > Every other browser on OS X (and iOS) is happy with bumping for pretty much > all HTTPS sites, so long as the prox

[squid-users] Safari 9 vs. SSL Bump

2015-10-13 Thread Dan Charlesworth
Throwing this out to the list in case anyone else might be trying to get SSL Bump to work with the latest version of Safari. Every other browser on OS X (and iOS) is happy with bumping for pretty much all HTTPS sites, so long as the proxy’s CA is trusted. However Safari throws generic “secure