<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Hi All<div class=""><br class=""></div><div class="">I’ve been running squid-3.4.x in tproxy mode with ssl_bump server-first for some time and it has been working great.</div><div class=""><br class=""></div><div class="">I have just moved to 3.5.3 to use peek to overcome some issues with sites that require SNI to serve up the correct certificate. In most cases this is working well, however I seem to have an issue that (so far) only affects the Safari web browser with certain sites. As an example, <a href="https://twitter.com" class="">https://twitter.com</a> and <a href="https://www.openssl.org" class="">https://www.openssl.org</a> will result in a Safari error page “can’t establish a secure connection with the server”. There is also a correlating entry in the cache.log: 'Error negotiating SSL connection on FD 45: error:140A1175:SSL routines:SSL_BYTES_TO_CIPHER_LIST:inappropriate fallback (1/-1)'</div><div class=""><br class=""></div><div class="">Google shows some hits for this SSL error on other products, mostly nginx, but nothing suggested in those postings seems to have worked for me (setting specific SSL/TLS versions and ciphers).</div><div class=""><br class=""></div><div class="">If I use a different browser the above mentioned sites work as expected. If I continue to bump ‘server-first’ for these problem sites they also load as expected in Safari, however I’m hoping to move to peek exclusively to overcome SNI issues.</div><div class=""><br class=""></div><div class="">Anyone experiencing the same thing or have any suggestions? 
ssl_bump-related config below:</div><div class=""><br class=""></div><div class=""><div class="">https_port 8090 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl-bump.cer key=/etc/squid/ssl-bump.key</div><div class="">acl p8090 myportname 8090</div><div class="">acl step1 at_step SslBump1</div><div class="">#acl broken_peek dstdomain .twttr.com .twitter.com .facebook.com .openssl.org</div><div class="">#ssl_bump server-first broken_peek</div><div class="">ssl_bump peek step1</div><div class="">ssl_bump bump p8090</div></div><div class=""><br class=""></div><div class="">Thanks!</div><div class=""><br class=""></div><div class="">Michael</div><div class=""><br class=""></div><div class=""><br class=""></div></body></html>
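Background on the cache.log line quoted in the post: OpenSSL raises "inappropriate fallback" while parsing the ClientHello cipher list when the hello carries the TLS_FALLBACK_SCSV signalling suite (RFC 7507) but offers a protocol version lower than the highest one the accepting side supports, which is the situation a browser creates when it retries a failed handshake at a downgraded version. The script below is an added example, not code from the post or from Squid: it parses a constructed ClientHello and applies that RFC 7507 check, so the condition can be confirmed from a packet capture of the client-side handshake rather than guessed from the log.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600  # RFC 7507 signalling cipher suite value
TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ClientHello; return client_version and cipher list."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    client_version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                                   # skip the 32-byte client random
    sid_len = hello[pos]
    pos += 1 + sid_len                             # skip session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {"version": client_version, "cipher_suites": suites}


def inappropriate_fallback(hello: dict, server_max_version: int) -> bool:
    """RFC 7507 rule: reject when the SCSV is present and the client offers less than our best."""
    return TLS_FALLBACK_SCSV in hello["cipher_suites"] and hello["version"] < server_max_version


def build_client_hello(version: int, suites: list) -> bytes:
    """Constructed minimal ClientHello (zero random, no session id, no extensions) for testing."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (struct.pack("!H", version) + bytes(32) + b"\x00"
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00")   # one compression method: null
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(hs)) + hs


def diagnose(record: bytes, server_max_version: int = 0x0303) -> str:
    """Human-readable verdict for a captured ClientHello against a TLS1.2-capable acceptor."""
    h = parse_client_hello(record)
    ver = TLS_VERSIONS.get(h["version"], hex(h["version"]))
    if inappropriate_fallback(h, server_max_version):
        return f"{ver} hello with TLS_FALLBACK_SCSV: acceptor will reject (inappropriate fallback)"
    return f"{ver} hello, SCSV {'present' if TLS_FALLBACK_SCSV in h['cipher_suites'] else 'absent'}: accepted"


if __name__ == "__main__":
    # Constructed sample: a retry at TLS1.0 carrying the SCSV, as a downgrading client would send.
    print(diagnose(build_client_hello(0x0301, [0xC02F, 0x002F, TLS_FALLBACK_SCSV])))
```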