[squid-users] iOS 8 and ssl_bump: Anyone working?

inetjunkmail inetjunkmail at gmail.com
Fri Oct 31 12:05:12 UTC 2014 

Thanks for your input.  After further testing (which I thought I already
tested and determined was not the case...), it looks like it fails any time
a certificate is "broken" when using a proxy server even with ssl bumping
turned off.  If I use a host file to make the cert name not match, I get
the same error.  Browse to a site with a set signed cert, same error.  So
this seems to be a little more generic of an issue than I suspected.  I
appreciate your feedback.  We'll re-engage Apple with the new details and
see how it goes.

On Thu, Oct 30, 2014 at 9:12 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 31/10/2014 8:30 a.m., inetjunkmail wrote:
> > We have an explicit squid proxy running ssl bump that works fine
> > for iOS 7 but Safari on iOS 8 gives an error stating that "There
> > was a problem communicating with the secure web proxy server
> > (HTTPS)."  when browsing to an SSL site that is bumped.
> >
> > We can wipe an iOS 7 device, add the proxy CA to the trust store,
> > and successfully browse to an intercepted site.  Doing the same
> > process with iOS 8 reveals the error.
> >
> > The error has been reproduced on two other intercepting proxy
> > solutions.
> >
> > Accessing SSL sites directly or non-intercepted is fine even if
> > the certificate is self signed or untrusted in any way.
> >
> > We've tried contacting Apple and they are pressing hard to close
> > the case saying that they don't support interception; contact the
> > vendor.  The fact that it works fine with iOS 7, and the same error
> > is reproducible with 3 separate SSL interception proxies suggests
> > to me it's on them.
>
>
> Perhapse it is a result of the arms-race happening in the SSL/TLS
> area. Try upgrading to the latest Squid-3.5 and see if the bumping
> features there help. We know for certain that the ssl-bump features in
> 3.2 and 3.3 are useless with a growing number of websites using HSTS
> and "cert-pinning".
>
>
> But I dont think it is that clearly "on them". Interception *is* an
> attack on your users, and illegal in a lot of cases as well. It is
> reasonable for them not to support it.
>
>
> >
> > Is anyone else running into this?  Is anyone else working?
>
> You are the first person noticably involved with MacOS / iOS in any
> way to post anything here in a long while. So unless you get a direct
> the answer assume it is "none of us use iOS like this".
>
> Amos
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.22 (MingW32)
>
> iQEcBAEBAgAGBQJUUuIDAAoJELJo5wb/XPRjSQ4H/iqQu8RtxDTnrx1o9TnCdNDm
> g806kzuJ6h1k63oG7MaVlWu0FMkqw0XL1eq1dzqj9gT/qq9xQ08vDh6+TS9l8jn6
> oOvUef/5i5FhZ0X7Ixa1d9JNzFLwVeZdrUwwxW3m0cPFMDHonxnJ1vYYk8F7oBlQ
> 6c1/4teZ4U42JDTKGtTl+rI3HimrcSSnNuMYtyZ5uVooWK3nZcUnGDPjEr0iZXtM
> qrQo1H/ZgaVfa0uaBKb2e5sXvBcwtec1kP++v34WY4gIVFzvfor4slMAXhmg3XBV
> zBD6sn66Uy6GoAknspvh4N4eQoujdF6GKp44xUk1RvdPb/7We0DwaiJh8iry30Y=
> =2lH3
> -----END PGP SIGNATURE-----
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20141031/99216c00/attachment.html>

More information about the squid-users mailing list