Thanks for clarifying, Alex. We tried this config but Safari still doesn’t like it, sadly.
I feel like if server-first is working there must be *some* combination of peek/stare/bump that’ll work too—it can’t be that “forward secrecy” cipher stuff. I really don’t want our customers to have to use server-first if they decide to employ bumping, so if any of you smart people have any other suggestions, please send them through.

Thanks

> On 15 Oct 2015, at 1:34 AM, Alex Rousskov <rouss...@measurement-factory.com> wrote:
>
> On 10/13/2015 09:08 PM, Dan Charlesworth wrote:
>
>> But in reality ssl_bump peek step1 & ssl_bump bump step3 is actually splicing everything, it seems.
>
> This may not be related to your specific problem, but I want to clarify the above.
>
> ssl_bump peek step1
> ssl_bump bump step3
>
> A recent Squid mis-configured using the above sketch should indeed splice everything. When Squid reaches bumping step2, no ssl_bump rule matches, so Squid uses the previous step rule to decide what to do. Since peeking implies splicing, Squid splices at step2 and never gets to step3.
>
> It is possible that, in his "bump at step3" recommendation below, Amos was talking about this kind of configuration:
>
> ssl_bump stare all
> ssl_bump bump all
>
> Bugs notwithstanding, the above results in bumping at step3.
>
> Alex.
>
>>> On 14 Oct 2015, at 1:51 PM, Amos Jeffries <squ...@treenet.co.nz> wrote:
>>>
>>> On 14/10/2015 1:13 p.m., Dan Charlesworth wrote:
>>>> Throwing this out to the list in case anyone else might be trying to get SSL Bump to work with the latest version of Safari.
>>>>
>>>> Every other browser on OS X (and iOS) is happy with bumping for pretty much all HTTPS sites, so long as the proxy’s CA is trusted.
>>>>
>>>> However Safari throws generic “secure connection couldn’t be established” errors for many popular HTTPS sites, including:
>>>> - wikipedia.org
>>>> - mail.google.com
>>>> - twitter.com
>>>> - github.com
>>>>
>>>> But quite a number of others work, such as youtube.com.
>>>>
>>>> This error gets logged to the system whenever it occurs:
>>>> com.apple.WebKit.Networking: NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
>>>>
>>>> Apparently this is related to Apple’s new “App Transport Security” protections, in particular, the fact that “the server doesn’t support forward secrecy”. Even though it doesn’t seem to be affecting mobile Safari on iOS 9 at all.
>>>>
>>>> It’s also notable that Safari seems perfectly happy with legacy server-first SSL bumping.
>>>>
>>>> I’m using Squid 3.5.10 and this is my current config:
>>>> https://gist.github.com/djch/9b883580c6ee84f31cd1
>>>>
>>>> Anyone have any idea what I can try?
>>>
>>> You can try bump at step3 (roughly equivalent to server-first) instead of step2 (aka client-first).
>>>
>>>
>>> Amos
>>>
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users@lists.squid-cache.org
>>> http://lists.squid-cache.org/listinfo/squid-users
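To make Alex's point about an uncovered step2 concrete, here is an added squid.conf example (not from the thread, Squid's documentation or Dan's gist) that puts the accidentally-splicing sketch beside a variant that gives every step its own rule so bumping is carried through to step3. The at_step ACL definitions use Squid 3.5's standard syntax; the ACL names and the comments are mine.

```conf
# Step ACLs (standard Squid 3.5 at_step syntax; names chosen for this example)
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# --- Sketch from the thread: splices everything ---
# step1: "peek step1" matches -> peek at the client TLS Hello (SNI)
# step2: no rule matches -> Squid reuses the step1 decision (peek);
#        peeking at the server certificate implies splicing, so the
#        connection is spliced here and step3 is never reached
#ssl_bump peek step1
#ssl_bump bump step3

# --- Variant that reaches step3 with a bump ---
# step1: peek at the client Hello to learn the SNI
# step2: stare at the server certificate; staring preserves the option
#        to bump (and usually precludes splicing later)
# step3: bump, with the real server certificate already seen at step2
ssl_bump peek step1
ssl_bump stare step2
ssl_bump bump step3
```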