Thanks for your input. After further testing (which I thought I already tested and determined was not the case...), it looks like it fails any time a certificate is "broken" when using a proxy server even with ssl bumping turned off. If I use a host file to make the cert name not match, I get the same error. Browse to a site with a set signed cert, same error. So this seems to be a little more generic of an issue than I suspected. I appreciate your feedback. We'll re-engage Apple with the new details and see how it goes.
On Thu, Oct 30, 2014 at 9:12 PM, Amos Jeffries <squ...@treenet.co.nz> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 31/10/2014 8:30 a.m., inetjunkmail wrote: > > We have an explicit squid proxy running ssl bump that works fine > > for iOS 7 but Safari on iOS 8 gives an error stating that "There > > was a problem communicating with the secure web proxy server > > (HTTPS)." when browsing to an SSL site that is bumped. > > > > We can wipe an iOS 7 device, add the proxy CA to the trust store, > > and successfully browse to an intercepted site. Doing the same > > process with iOS 8 reveals the error. > > > > The error has been reproduced on two other intercepting proxy > > solutions. > > > > Accessing SSL sites directly or non-intercepted is fine even if > > the certificate is self signed or untrusted in any way. > > > > We've tried contacting Apple and they are pressing hard to close > > the case saying that they don't support interception; contact the > > vendor. The fact that it works fine with iOS 7, and the same error > > is reproducible with 3 separate SSL interception proxies suggests > > to me it's on them. > > > Perhapse it is a result of the arms-race happening in the SSL/TLS > area. Try upgrading to the latest Squid-3.5 and see if the bumping > features there help. We know for certain that the ssl-bump features in > 3.2 and 3.3 are useless with a growing number of websites using HSTS > and "cert-pinning". > > > But I dont think it is that clearly "on them". Interception *is* an > attack on your users, and illegal in a lot of cases as well. It is > reasonable for them not to support it. > > > > > > Is anyone else running into this? Is anyone else working? > > You are the first person noticably involved with MacOS / iOS in any > way to post anything here in a long while. So unless you get a direct > the answer assume it is "none of us use iOS like this". > > Amos > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v2.0.22 (MingW32) > > iQEcBAEBAgAGBQJUUuIDAAoJELJo5wb/XPRjSQ4H/iqQu8RtxDTnrx1o9TnCdNDm > g806kzuJ6h1k63oG7MaVlWu0FMkqw0XL1eq1dzqj9gT/qq9xQ08vDh6+TS9l8jn6 > oOvUef/5i5FhZ0X7Ixa1d9JNzFLwVeZdrUwwxW3m0cPFMDHonxnJ1vYYk8F7oBlQ > 6c1/4teZ4U42JDTKGtTl+rI3HimrcSSnNuMYtyZ5uVooWK3nZcUnGDPjEr0iZXtM > qrQo1H/ZgaVfa0uaBKb2e5sXvBcwtec1kP++v34WY4gIVFzvfor4slMAXhmg3XBV > zBD6sn66Uy6GoAknspvh4N4eQoujdF6GKp44xUk1RvdPb/7We0DwaiJh8iry30Y= > =2lH3 > -----END PGP SIGNATURE----- > _______________________________________________ > squid-users mailing list > squid-users@lists.squid-cache.org > http://lists.squid-cache.org/listinfo/squid-users >
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
