<div dir="ltr">Thanks for your input. After further testing (which I thought I already tested and determined was not the case...), it looks like it fails any time a certificate is "broken" when using a proxy server even with ssl bumping turned off. If I use a host file to make the cert name not match, I get the same error. Browse to a site with a set signed cert, same error. So this seems to be a little more generic of an issue than I suspected. I appreciate your feedback. We'll re-engage Apple with the new details and see how it goes.</div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Oct 30, 2014 at 9:12 PM, Amos Jeffries <span dir="ltr"><<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
On 31/10/2014 8:30 a.m., inetjunkmail wrote:<br>
> We have an explicit squid proxy running ssl bump that works fine<br>
> for iOS 7 but Safari on iOS 8 gives an error stating that "There<br>
> was a problem communicating with the secure web proxy server<br>
> (HTTPS)." when browsing to an SSL site that is bumped.<br>
><br>
> We can wipe an iOS 7 device, add the proxy CA to the trust store,<br>
> and successfully browse to an intercepted site. Doing the same<br>
> process with iOS 8 reveals the error.<br>
><br>
> The error has been reproduced on two other intercepting proxy<br>
> solutions.<br>
><br>
> Accessing SSL sites directly or non-intercepted is fine even if<br>
> the certificate is self signed or untrusted in any way.<br>
><br>
> We've tried contacting Apple and they are pressing hard to close<br>
> the case saying that they don't support interception; contact the<br>
> vendor. The fact that it works fine with iOS 7, and the same error<br>
> is reproducible with 3 separate SSL interception proxies suggests<br>
> to me it's on them.<br>
<br>
<br>
Perhapse it is a result of the arms-race happening in the SSL/TLS<br>
area. Try upgrading to the latest Squid-3.5 and see if the bumping<br>
features there help. We know for certain that the ssl-bump features in<br>
3.2 and 3.3 are useless with a growing number of websites using HSTS<br>
and "cert-pinning".<br>
<br>
<br>
But I dont think it is that clearly "on them". Interception *is* an<br>
attack on your users, and illegal in a lot of cases as well. It is<br>
reasonable for them not to support it.<br>
<br>
<br>
><br>
> Is anyone else running into this? Is anyone else working?<br>
<br>
You are the first person noticably involved with MacOS / iOS in any<br>
way to post anything here in a long while. So unless you get a direct<br>
the answer assume it is "none of us use iOS like this".<br>
<br>
Amos<br>
<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v2.0.22 (MingW32)<br>
<br>
iQEcBAEBAgAGBQJUUuIDAAoJELJo5wb/XPRjSQ4H/iqQu8RtxDTnrx1o9TnCdNDm<br>
g806kzuJ6h1k63oG7MaVlWu0FMkqw0XL1eq1dzqj9gT/qq9xQ08vDh6+TS9l8jn6<br>
oOvUef/5i5FhZ0X7Ixa1d9JNzFLwVeZdrUwwxW3m0cPFMDHonxnJ1vYYk8F7oBlQ<br>
6c1/4teZ4U42JDTKGtTl+rI3HimrcSSnNuMYtyZ5uVooWK3nZcUnGDPjEr0iZXtM<br>
qrQo1H/ZgaVfa0uaBKb2e5sXvBcwtec1kP++v34WY4gIVFzvfor4slMAXhmg3XBV<br>
zBD6sn66Uy6GoAknspvh4N4eQoujdF6GKp44xUk1RvdPb/7We0DwaiJh8iry30Y=<br>
=2lH3<br>
-----END PGP SIGNATURE-----<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div><br></div>