[squid-users] Internet Explorer error with SSL bumping

Amos Jeffries squid3 at treenet.co.nz
Sun Aug 30 15:52:35 UTC 2015


On 29/08/2015 12:17 a.m., Oliver Webb wrote:
> Thanks for your reply, Amos. I will explain a bit more of my setup in the hope it clarifies a few of the issues.
> 
> I have installed the certificate portion of squid's key/cert into the trusted root store of all the devices concerned; all clients see the "server's" certificate as being signed by squid's private key, not the origin server's.
> I have the following line in squid.conf to specifically stop the use of SSL:
>     sslproxy_options NO_SSLv2 NO_SSLv3 SINGLE_DH_USE

The OpenSSL options list is ':' or ',' separated. Not spaces.

What you have there is actually just:

 sslproxy_options NO_SSLv2



> If I navigate to the internal test site I have just created, which has a self-signed certificate, the self-signed cert gets passed through to the client for them to make their own decision.
> 
> If there is no easy solution I will just avoid IE, which I won't be too upset about.
> 

The problem would seem to be the OpenSSL support at the client end not
overlapping with the support in the Squid library, which is always a
problem when dealing with very old vs very new library versions.

There are combinations like IE only supporting TLS 1.0 (the default
until last year IIRC) and the latest most modern library behind the
proxy only supporting TLS/1.1 or later.

I assumed that you did already try following IE's error page instruction
("Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings"). Is that
correct?

Amos
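
A small lint for the `sslproxy_options` mistake discussed above, added here as an example (it is not code from the thread or from Squid): it models the parsing Amos describes (the directive takes one whitespace-delimited token, and OpenSSL option names inside it are ':' or ',' separated), reports names lost after a space, and flags a `NO_TLSv1` setting that would shut out TLS 1.0-only clients such as the IE case in the thread. The option names other than `NO_SSLv2`/`NO_SSLv3`/`SINGLE_DH_USE` are assumed from OpenSSL's `SSL_OP_*` naming, not taken from the page.

```python
import re

# Options that remove a protocol version entirely (assumed from OpenSSL's
# SSL_OP_NO_* names as Squid spells them; only NO_SSLv2/NO_SSLv3 are in the thread).
PROTOCOL_OPTS = {"NO_SSLv2", "NO_SSLv3", "NO_TLSv1", "NO_TLSv1_1", "NO_TLSv1_2"}


def effective_options(conf_line):
    """Split one squid.conf line the way the thread describes: the directive
    takes a single whitespace-delimited token, and OpenSSL option names inside
    it are ':' or ',' separated.  Returns (applied, dropped)."""
    parts = conf_line.split()
    if not parts or parts[0] != "sslproxy_options":
        raise ValueError("not an sslproxy_options line: %r" % conf_line)
    value = parts[1] if len(parts) > 1 else ""
    dropped = parts[2:]                 # space-separated names never reach OpenSSL
    applied = [o for o in re.split(r"[:,]", value) if o]
    return applied, dropped


def fixed_line(conf_line):
    """Rejoin every name, including the dropped ones, with ':' so all apply."""
    applied, dropped = effective_options(conf_line)
    return "sslproxy_options " + ":".join(applied + dropped)


def lint(conf_line):
    """Return human-readable findings for one sslproxy_options line."""
    applied, dropped = effective_options(conf_line)
    findings = []
    if dropped:
        findings.append("ignored (space-separated): %s; use %r"
                        % (" ".join(dropped), fixed_line(conf_line)))
    if "NO_TLSv1" in applied:
        findings.append("TLS 1.0 disabled: clients limited to TLS 1.0 "
                        "(e.g. older IE defaults) cannot complete the handshake")
    if not ({"NO_SSLv2", "NO_SSLv3"} <= set(applied)):
        findings.append("SSLv2/SSLv3 not both disabled")
    return findings


if __name__ == "__main__":
    # Constructed sample: the line quoted in the thread, and its corrected form.
    for line in ("sslproxy_options NO_SSLv2 NO_SSLv3 SINGLE_DH_USE",
                 "sslproxy_options NO_SSLv2:NO_SSLv3:SINGLE_DH_USE"):
        print(line)
        for f in lint(line) or ["ok"]:
            print("  -", f)
```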
