[squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

Jason Haar Jason_Haar at trimble.com
Fri Oct 2 06:58:19 UTC 2015

Just a reminder people, but you've gone off-topic. The postbank.de
website issue has NOTHING to do with pining

Someone mentioned earlier it's due to the HTTPS cert not having a
complete cert-chain, and that web browsers auto-correct that situation,
but squid does not. So I would say either squid should:

1. implement the same sort of auto-correction code (say) Firefox does
(which I bet is a lot of work), or
2. flick into splice-mode when there's a cert error (which could be as
much work - I dunno)

I use external_acl_type to call an external script that tries to achieve
that. Basically it manually downloads the homepage to get the cert,
checks if it's valid against the OS CA list and if not, returns ERR so
that squid splice's the connection instead of bump-ing it. Means the
entire connection blocks of course the first time this occurs, but after
that caches it and it mostly works.


Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the squid-users mailing list