[squid-users] 3.5.8 — SSL Bump questions

Dan Charlesworth dan at getbusi.com
Tue Sep 8 05:36:19 UTC 2015


Hello all

I’ve been testing out an SSL bumping config using 3.5.8 for the last week or so and am scratching my head over a couple of things.

First, here’s my config (shout out to James Lay):

# Step 1: only the TCP-level connection (CONNECT target or intercepted
# socket) is known. Defined here but not referenced by any rule below.
acl tcp_level at_step SslBump1
# Step 2: the client's TLS ClientHello (including any SNI) has been peeked.
acl client_hello_peeked at_step SslBump2
# Server names (from SNI) that must be passed through undecrypted.
acl bump_bypass_domains ssl::server_name "/path/to/some/domains.txt"
# At step 2, splice (tunnel without decrypting) the bypass list...
ssl_bump splice client_hello_peeked bump_bypass_domains
# ...and bump (decrypt) everything else.
ssl_bump bump client_hello_peeked

1. Why don’t spliced connections get a user agent logged like explicit CONNECTs do?

2. Safari produces this error visiting all sorts of websites (github, wikipedia, gmail):
Error negotiating SSL connection on FD 15: error:140A1175:SSL routines:SSL_BYTES_TO_CIPHER_LIST:inappropriate fallback (1/-1)

… whereas Chrome and Firefox do not. What’s the story with this one?

Thanks!

P.S. If it makes any difference, this is using an RPM I built for CentOS 6 using openssl-1.0.1e-42.el6.x86_64.
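The two questions above both turn on what is visible in the peeked ClientHello at SslBump2: the SNI that ssl::server_name matches against, and the cipher list that OpenSSL inspects. "inappropriate fallback" is OpenSSL's name for the RFC 7507 check: the ClientHello carries the TLS_FALLBACK_SCSV signalling cipher suite (0x5600) while announcing a version lower than the server's highest. The following added example (not Squid code and not part of the original post) builds a minimal ClientHello, parses the SNI and cipher list back out of it, applies a simplified version of the post's two step-2 rules, and runs the RFC 7507 check. The bypass list, host names, cipher values and the dstdomain-style suffix matching are constructed stand-ins for the poster's domains.txt and for Squid's real ACL matching.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600              # RFC 7507 signalling cipher suite value
TLS1_0, TLS1_1, TLS1_2 = 0x0301, 0x0302, 0x0303


def build_client_hello(client_version, cipher_suites, server_name=None):
    """Construct a minimal TLS ClientHello record (constructed test input, not a capture)."""
    body = struct.pack(">H", client_version)
    body += b"\x00" * 32                                   # random: zeros suffice for a test vector
    body += b"\x00"                                        # empty session_id
    body += struct.pack(">H", 2 * len(cipher_suites))
    body += b"".join(struct.pack(">H", c) for c in cipher_suites)
    body += b"\x01\x00"                                    # one compression method: null
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        sni = b"\x00" + struct.pack(">H", len(host)) + host   # name_type 0 = host_name
        sni_list = struct.pack(">H", len(sni)) + sni
        extensions += struct.pack(">HH", 0x0000, len(sni_list)) + sni_list
    body += struct.pack(">H", len(extensions)) + extensions
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body   # handshake type 1, 3-byte length
    return b"\x16" + struct.pack(">HH", TLS1_0, len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, cipher_suites, server_name) from a raw TLS handshake record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    client_version = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2 + 32                                          # skip random
    pos += 1 + body[pos]                                   # skip session_id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack(">H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                   # skip compression methods
    server_name = None
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_size]
            pos += ext_size
            if ext_type == 0x0000 and len(data) >= 5 and data[2] == 0:   # server_name, host_name
                name_len = struct.unpack(">H", data[3:5])[0]
                server_name = data[5:5 + name_len].decode("ascii")
    return client_version, ciphers, server_name


def fallback_check(client_version, ciphers, server_max_version):
    """RFC 7507 section 3: a ClientHello carrying TLS_FALLBACK_SCSV with a version below the
    server's highest is rejected; OpenSSL calls this SSL_R_INAPPROPRIATE_FALLBACK."""
    if TLS_FALLBACK_SCSV in ciphers and client_version < server_max_version:
        return "inappropriate fallback"
    return "ok"


def ssl_bump_decision(server_name, bypass_domains):
    """Simplified model of the post's step-2 rules: splice when the SNI matches the bypass list
    (dstdomain-style: exact name, or a leading-dot entry matching the domain and its subdomains),
    otherwise bump. This approximates, and is not, Squid's own ssl::server_name matching."""
    if server_name:
        for entry in bypass_domains:
            if entry.startswith("."):
                if server_name == entry[1:] or server_name.endswith(entry):
                    return "splice"
            elif server_name == entry:
                return "splice"
    return "bump"


def demo(server_max_version=TLS1_2):
    """Run three constructed ClientHellos through the SNI, bump/splice and RFC 7507 checks."""
    bypass = {"example.com", ".example.org"}               # constructed stand-in for domains.txt
    hellos = {
        "normal": build_client_hello(TLS1_2, [0xC02F, 0x002F], "www.example.net"),
        "retry": build_client_hello(TLS1_0, [0x002F, TLS_FALLBACK_SCSV], "www.example.net"),
        "bypass": build_client_hello(TLS1_2, [0xC02F], "sub.example.org"),
    }
    results = {}
    for label, hello in hellos.items():
        version, ciphers, sni = parse_client_hello(hello)
        results[label] = (sni, ssl_bump_decision(sni, bypass), fallback_check(version, ciphers, server_max_version))
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

The "retry" hello models a client that has downgraded to TLS 1.0 and signals it with the SCSV, as RFC 7507 requires; a server whose maximum is TLS 1.2 must refuse it, which is the path that produces the error string quoted in the post. The "bypass" hello shows that the splice decision is made from the SNI alone, before any certificate is generated.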

