[squid-users] Internet Explorer error with SSL bumping

Oliver Webb ow97 at outlook.com
Fri Aug 28 12:17:20 UTC 2015

Thanks for your reply Amos. I will explain a bit more of my setup in the hope it clarifies a few of the issues.

I have installed the certificate portion of squids key/cert into the trusted root store of all the devices concerned all clients see the "server's" certificate as being signed by squid's private key not the origin servers.
I have the following line in squid.conf to specifically stop the use of SSL
    sslproxy_options NO_SSLv2 NO_SSLv3 SINGLE_DH_USE
If I navigate to the internal test site I have just created that has a self signed certificate the self signed cert gets passed through to the client for them to make their own decision

If there is no easy solution I will just avoid IE, which I won't be too upset about.


> To: squid-users at lists.squid-cache.org
> From: squid3 at treenet.co.nz
> Date: Fri, 28 Aug 2015 23:28:53 +1200
> Subject: Re: [squid-users] Internet Explorer error with SSL bumping
> On 28/08/2015 9:58 p.m., Oliver Webb wrote:
>> I have transparent SSL bumping working perfectly in Chrome and
>> Safari
> (iOS and Windows 7) and Internet Explorer *on Windows Phone*, and by
> perfectly I mean no certificate warnings of any description for any site
> everything just behaves normally (apart from the sites certificate being
> signed by me.) However in Internet Explorer 11 on Windows 7 I get the
> following message for all secure bumped sites (secure sites like ebay
> for example load fine because I have configured not to be bumped and
> also unsecure sites load fine as well)
>> This page can’t be displayed
>> Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to
>> https://google.co.uk again. If this error persists, contact your site administrator.
>> I just wondered if anyone had any bright ideas as to what might be up.
> The complete lack of warnings is a BAD sign. It means the certificate
> mimic feature is probably is not working at all.
> Mimic is supposed to pass certificate flaws in the server certs through
> to the client/browser so all the security go/die decisions can be made
> by the end-users own preference confg.
> The error message you show implies that you have configured your proxy
> for SSLv3-only or SSLv2-only. At least on the listening ports the
> browser is connecting to. Though since it was displayed by a browser we
> can't be 100% sure it contains truth (SSL-bump is feeding some bold lies
> to it).
> PS. If not 3.5.7 or a later snapshot please try an upgrade.
> PPS. I'm told people are having pain from OpenSSL 0.9.8 apparently
> trying to do TLS/1.0 in a way Squid does not handle properly right now.
> If that library version is installed on the client you may need to wait
> for a fix the guys are working on as I type this (ETA unknown). Though
> if you can get the client to upgrade to a more current and secure
> OpenSSL that would be even better.
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

More information about the squid-users mailing list