[squid-users] Safari 9 vs. SSL Bump

Dan Charlesworth dan at getbusi.com
Fri Oct 16 00:34:15 UTC 2015


So ignoring the “bumpable” helper check, it’s effectively peeking at step1 and then bumping it like my config’s doing.

I wonder what else could be differentiating it. Is your proxy CA just installed in the Login keychain?

> On 16 Oct 2015, at 11:26 AM, Jason Haar <Jason_Haar at trimble.com> wrote:
> On 16/10/15 13:08, Dan Charlesworth wrote:
>> I seem to recall this happening on 10.10 as well, but it could be an El Capitan thing. Do you mind reminding me of your squid config Jason?
> With my config I'm trying to "aggressively" figure out if the transaction
> is safely going to be bump-able. I'm more willing to throw away (ie
> splice) things I'm unsure about than risk a client seeing an error. But
> for the websites you see problems with, I see nice clean bumping.
> 
> http_port 3128 ssl-bump cert=/etc/squid/squidCA.cert generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL
> 
> acl DiscoverSNIHost at_step SslBump1
> ssl_bump peek DiscoverSNIHost
> 
> # do we have a SNI? If not, it's not TLS
> acl SNIpresent ssl::server_name_regex .*
> 
> # this file contains https sites that we do not intercept - such as banks
> # (because we want the data transfers to remain private)
> # and accounts.google.com (because Chrome uses cert pinning for that domain)
> # in general you will need to add all sites that involve cert pinning
> acl NoSSLIntercept ssl::server_name_regex -i "/etc/squid/acl-NoSSLIntercept.txt"
> 
> # this external_acl process will sanity-check HTTPS transactions that haven't been spliced yet
> # to ensure only the correct ones end up being bumped
> external_acl_type checkIfHTTPS children-max=20 concurrency=20 negative_ttl=3600 ttl=3600 grace=90 %SRC %DST %PORT %ssl::>sni /usr/local/bin/confirm_https.pl
> acl is_ssl external checkIfHTTPS
> 
> ssl_bump splice !SNIpresent
> ssl_bump splice NoSSLIntercept
> ssl_bump bump is_ssl
> -- 
> Cheers
> Jason Haar
> Corporate Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
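As an added example (not code from this thread, and not Jason's confirm_https.pl, which is not on the page): the quoted external_acl_type line declares a helper with concurrency=20 and the format %SRC %DST %PORT %ssl::>sni, so Squid hands the helper one request per line, prefixed with a channel ID, with "-" standing in for values it does not have (such as a missing SNI), and expects one "channel OK|ERR|BH" reply per request. The Python helper below speaks that protocol and applies a hypothetical sanity check of the sort the comment describes: only standard-port connections with a well-formed, non-IP SNI get OK, so everything else falls through to the other ssl_bump rules. The policy, the field handling and the sample requests are assumptions made here for illustration.

```python
#!/usr/bin/env python3
"""Hypothetical Squid external_acl helper (added example, not confirm_https.pl).

With  external_acl_type ... concurrency=20 %SRC %DST %PORT %ssl::>sni
Squid writes one request per line (channel ID first, "-" for missing values):
    <channel-id> <client-ip> <server-ip> <port> <sni>
and reads one reply line per request:
    <channel-id> OK|ERR|BH [message=...]
The checks below are an assumed policy, not what the original script does.
"""
import ipaddress
import re
import sys

# One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_ip_literal(name):
    """SNI must be a host name (RFC 6066); an IP literal is a red flag."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def looks_like_hostname(name):
    """Syntactic RFC 1123 host-name check (assumption: single labels allowed)."""
    if not name or len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    if labels[-1].isdigit():  # all-numeric last label is never a valid name
        return False
    return all(_LABEL.match(label) for label in labels)


def confirm_https(src, dst, port, sni):
    """Decide whether this intercepted connection is safe to bump.

    Returns (ok, reason). Assumed policy: bump only port-443 traffic carrying
    a well-formed, non-IP SNI; anything else gets ERR and is left to the
    remaining ssl_bump rules (in the posted config that means it is spliced).
    """
    if port != "443":
        return False, "port"
    if sni == "-" or not sni:
        return False, "no-sni"
    if is_ip_literal(sni):
        return False, "ip-sni"
    if not looks_like_hostname(sni):
        return False, "bad-sni"
    return True, "ok"


def handle_line(line):
    """Turn one request line from Squid into one reply line (None for blank input)."""
    fields = line.split()
    if not fields:
        return None
    if len(fields) != 5:
        # BH tells Squid the helper could not process this request at all.
        return "%s BH message=malformed-request" % fields[0]
    channel, src, dst, port, sni = fields
    ok, reason = confirm_https(src, dst, port, sni)
    return "%s %s message=%s" % (channel, "OK" if ok else "ERR", reason)


# Constructed sample requests in Squid's format (channel, src, dst, port, sni).
SAMPLE_REQUESTS = [
    "0 10.1.2.3 192.0.2.10 443 www.example.com",   # -> 0 OK message=ok
    "1 10.1.2.3 192.0.2.10 443 -",                 # no SNI -> ERR
    "2 10.1.2.3 192.0.2.10 443 192.0.2.10",        # IP literal as SNI -> ERR
    "3 10.1.2.3 192.0.2.10 8443 www.example.com",  # non-standard port -> ERR
]


def main():
    """Helper loop: read requests on stdin, answer on stdout, flush every reply."""
    for line in sys.stdin:
        reply = handle_line(line)
        if reply is not None:
            sys.stdout.write(reply + "\n")
            sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Because the helper answers strictly in order, the channel ID is echoed rather than used for reordering; Squid tolerates that, and the ID still lets it match replies to the outstanding requests it sent on the same pipe. The negative_ttl and ttl options on the external_acl_type line cache these verdicts per distinct field tuple, so a changed policy only takes effect for new tuples until the cache expires.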
