[squid-users] Internet Explorer error with SSL bumping

Amos Jeffries squid3 at treenet.co.nz
Fri Aug 28 11:28:53 UTC 2015


On 28/08/2015 9:58 p.m., Oliver Webb wrote:
> I have transparent SSL bumping working perfectly in Chrome and
> Safari (iOS and Windows 7) and Internet Explorer *on Windows Phone*, and by
> perfectly I mean no certificate warnings of any description for any site;
> everything just behaves normally (apart from the site's certificate being
> signed by me.) However in Internet Explorer 11 on Windows 7 I get the
> following message for all secure bumped sites (secure sites like ebay
> for example load fine because I have configured them not to be bumped, and
> insecure sites load fine as well)

>      This page can’t be displayed
> 
>      Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to 
>      https://google.co.uk again. If this error persists, contact your site administrator.
> 
> I just wondered if anyone had any bright ideas as to what might be up.

The complete lack of warnings is a BAD sign. It means the certificate
mimic feature is probably not working at all.

Mimic is supposed to pass certificate flaws in the server certs through
to the client/browser so all the security go/die decisions can be made
by the end-users' own preference config.


The error message you show implies that you have configured your proxy
for SSLv3-only or SSLv2-only. At least on the listening ports the
browser is connecting to. Though since it was displayed by a browser we
can't be 100% sure it contains truth (SSL-bump is feeding some bold lies
to it).


PS. If not on 3.5.7 or a later snapshot, please try an upgrade.

PPS. I'm told people are having pain from OpenSSL 0.9.8 apparently
trying to do TLS/1.0 in a way Squid does not handle properly right now.
If that library version is installed on the client you may need to wait
for a fix the guys are working on as I type this (ETA unknown). Though
if you can get the client to upgrade to a more current and secure
OpenSSL that would be even better.

Amos
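An added illustration, not taken from the thread or from Oliver's actual squid.conf, of the two misconfigurations this reply points at, in Squid 3.5 squid.conf form: a bumping listener whose `options=` leave only SSLv3 (which yields exactly the "turn on TLS 1.0, 1.1, and 1.2" page IE shows) and an `sslproxy_cert_error` rule that swallows origin certificate errors so the browser never sees them, each beside the setting that restores the mimic behaviour described above. Port numbers and file paths are assumptions.

```conf
# --- WEAK: listener disables every TLS version, so only SSLv3 remains.
# IE 11 refuses SSLv3 and reports "Turn on TLS 1.0, TLS 1.1, and TLS 1.2".
https_port 3129 intercept ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/ssl/bump-ca.pem \
    options=NO_TLSv1,NO_TLSv1_1,NO_TLSv1_2

# --- CORRECTED: refuse the obsolete SSL versions, keep all TLS versions.
https_port 3129 intercept ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/ssl/bump-ca.pem \
    options=NO_SSLv2,NO_SSLv3

# Same rule for the outbound (proxy-to-origin) side.
sslproxy_options NO_SSLv2,NO_SSLv3

# Certificate generator used for the mimicked certs (path is an assumption).
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

# Peek at the ClientHello first so Squid learns the origin cert before bumping;
# the generated cert then mimics the origin's properties (including its flaws).
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# --- WEAK: ignoring origin certificate errors makes Squid hand the client a
# clean, trusted cert for a broken origin, so the user never gets a warning.
sslproxy_cert_error allow all

# --- CORRECTED: keep the default of not forgiving origin cert errors, so the
# mimicked cert carries the error through and the browser decides.
sslproxy_cert_error deny all
```

A quick external check of the listener is `openssl s_client -connect proxy:3129 -tls1_2` versus `-ssl3`: the weak listener above completes only the SSLv3 handshake, the corrected one only the TLS ones.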
