[squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

Jason Haar Jason_Haar at trimble.com
Sat Oct 3 08:19:32 UTC 2015


On 03/10/15 19:16, Amos Jeffries wrote:
> Anyhow, there have been long periods (12-18 months IIRC) where they
> were not trusted as a global CA. If your CA certificates set is from one
> of those periods your Squid will not be able to verify trust of the
> origin cert.
Should that show up in the logs somewhere? Put it this way: we have a
situation where "something" is causing a website that works without bump
to not work with it. If squid doesn't "like" something, could it
"auto-splice" - or at the very least log that there's a problem?

I'd like to find out what squid doesn't like about it because I could
probably update my external_acl_type script to detect that situation and
make squid splice the session (BTW my script already verifies the real
cert using the same CAs file that squid uses and it says it's legit - so
I don't think it's actually got anything to do with the CA itself)

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
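
Added example, not part of the message above and not the poster's own script: a minimal external_acl_type helper that verifies the origin certificate against a CA bundle and hands the failure reason back to Squid so it can be logged. The CA path, the one-hostname-per-line input format, the absence of concurrency channel IDs, and the function names are all assumptions.

```python
#!/usr/bin/env python3
"""Sketch of a Squid external ACL helper that reports why an origin cert fails."""
import socket
import ssl
import sys

CA_FILE = "/etc/ssl/certs/ca-certificates.crt"  # assumption: same bundle Squid uses


def verify_origin(host, port=443, cafile=CA_FILE, timeout=5.0):
    """Return None if the chain and hostname verify, else a short error text."""
    try:
        # With cafile given, only that bundle is trusted (no system defaults).
        ctx = ssl.create_default_context(cafile=cafile)
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as exc:
        return "verify failed: %s" % exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        # Handshake, protocol, network or missing-bundle failure: not a CA
        # trust problem, but still a reason bumping may break, so report it.
        return "%s: %s" % (type(exc).__name__, exc)


def answer(line, check=verify_origin):
    """Map one helper request line to one helper response line."""
    host = line.strip().split(" ")[0]
    if not host or host == "-":
        return 'ERR log="no hostname supplied"'
    problem = check(host)
    if problem is None:
        return "OK"
    # Quote the value and escape it so spaces and quotes survive parsing.
    safe = problem.replace("\\", "\\\\").replace('"', '\\"').replace("\n", " ")
    return 'ERR log="%s"' % safe


def main():
    for line in sys.stdin:
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()  # Squid blocks on each reply, so never buffer


if __name__ == "__main__":
    main()
```

Whether OK or ERR leads to bump or splice depends on how the ACL is used in squid.conf; the helper only classifies the origin and records the reason.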


