[squid-users] Squid "bumping" traffic despite using "splice" directive

Tom Mowbray tmowbray at dalabs.com
Thu Nov 12 18:31:57 UTC 2015


We're seeing some strange behavior with certain sites, especially those
hosted by Google, including youtube.com, where the HTTPS traffic is being
"bumped" and users are getting certificate errors with our self-signed
certificate and CA appearing in the certificate details.

What is strange is that we have the squid.conf set to either "splice" or
"terminate" all HTTPS traffic.  There is NO traffic that is supposed to be
bumped at all (because we are not able to load our CA cert on all client
machines).

Here is the significant portion of our squid.conf:

acl sslallow ssl::server_name "/path/to/file"
ssl_bump peek all
ssl_bump splice sslallow
ssl_bump terminate all

Most of the sites in acl sslallow work as expected...but some sites come
back with a certificate error as described above, suggesting that they were
"bumped" using our mimicked certificate.  This behavior also isn't 100%
reproducible...sometimes it works as expected, though it usually does not.

Another note:  Seems to happen mainly on mobile browsers and on Chrome
browser running on Google Chromebooks.

Is there something I'm missing?  Is there a way to ensure that NO sites are
being bumped at all?  (For our deployment, we'd rather terminate than bump
if splicing isn't possible).

Thanks,

Tom
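
One way to check the question in the post above (is any connection being bumped?) from the proxy side, as an added example that is not part of the original post or of Squid itself. It assumes a custom log built from Squid's %ssl::bump_mode and %ssl::>sni logformat codes; the format name, log path and sample lines are constructed for illustration.

```python
"""Audit a Squid log for TLS connections that were bumped rather than spliced.

Assumes squid.conf has this custom format (the name "bumpaudit" and the log
path are hypothetical; the %codes are Squid logformat codes):
    logformat bumpaudit %ts %>a %ssl::bump_mode %ssl::>sni
    access_log /var/log/squid/bumpaudit.log bumpaudit
"""
from collections import Counter, defaultdict

# Decisions where Squid terminates TLS itself and presents a generated cert.
BUMPING_MODES = {"bump", "client-first", "server-first"}

# Constructed sample lines (not real traffic): epoch, client, decision, SNI.
SAMPLE_LOG = """\
1447353101 10.0.0.21 splice www.example.org
1447353104 10.0.0.35 bump video.example.net
1447353109 10.0.0.35 terminate ads.example.com
1447353112 10.0.0.48 bump -
1447353115 10.0.0.21 splice video.example.net
this line is truncated
"""


def parse_line(line):
    """Return (ts, client, mode, sni) or None for a malformed line."""
    fields = line.split()
    if len(fields) != 4 or not fields[0].isdigit():
        return None
    return int(fields[0]), fields[1], fields[2], fields[3]


def audit(log_text):
    """Count decisions and collect, per SNI, the clients that were bumped."""
    modes = Counter()
    bumped = defaultdict(set)
    skipped = 0
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            skipped += 1
            continue
        _, client, mode, sni = record
        modes[mode] += 1
        if mode in BUMPING_MODES:
            bumped[sni].add(client)  # "-" means the client sent no SNI
    return modes, {sni: sorted(c) for sni, c in bumped.items()}, skipped


if __name__ == "__main__":
    modes, bumped, skipped = audit(SAMPLE_LOG)
    print("decisions:", dict(modes), "| unparsed lines:", skipped)
    for sni, clients in sorted(bumped.items()):
        print(f"BUMPED sni={sni} clients={', '.join(clients)}")
```

Any line reported as BUMPED names a server and client for which the proxy presented its own certificate, which can then be compared against the list behind the sslallow ACL.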