[squid-users] iOS 8 and ssl_bump: Anyone working?

Amos Jeffries squid3 at treenet.co.nz
Fri Oct 31 01:12:35 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 31/10/2014 8:30 a.m., inetjunkmail wrote:
> We have an explicit squid proxy running ssl bump that works fine
> for iOS 7 but Safari on iOS 8 gives an error stating that "There
> was a problem communicating with the secure web proxy server
> (HTTPS)."  when browsing to an SSL site that is bumped.
> 
> We can wipe an iOS 7 device, add the proxy CA to the trust store,
> and successfully browse to an intercepted site.  Doing the same
> process with iOS 8 reveals the error.
> 
> The error has been reproduced on two other intercepting proxy
> solutions.
> 
> Accessing SSL sites directly or non-intercepted is fine even if
> the certificate is self signed or untrusted in any way.
> 
> We've tried contacting Apple and they are pressing hard to close
> the case saying that they don't support interception; contact the
> vendor.  The fact that it works fine with iOS 7, and the same error
> is reproducible with 3 separate SSL interception proxies suggests
> to me it's on them.


Perhapse it is a result of the arms-race happening in the SSL/TLS
area. Try upgrading to the latest Squid-3.5 and see if the bumping
features there help. We know for certain that the ssl-bump features in
3.2 and 3.3 are useless with a growing number of websites using HSTS
and "cert-pinning".


But I dont think it is that clearly "on them". Interception *is* an
attack on your users, and illegal in a lot of cases as well. It is
reasonable for them not to support it.


> 
> Is anyone else running into this?  Is anyone else working?

You are the first person noticably involved with MacOS / iOS in any
way to post anything here in a long while. So unless you get a direct
the answer assume it is "none of us use iOS like this".

Amos

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUUuIDAAoJELJo5wb/XPRjSQ4H/iqQu8RtxDTnrx1o9TnCdNDm
g806kzuJ6h1k63oG7MaVlWu0FMkqw0XL1eq1dzqj9gT/qq9xQ08vDh6+TS9l8jn6
oOvUef/5i5FhZ0X7Ixa1d9JNzFLwVeZdrUwwxW3m0cPFMDHonxnJ1vYYk8F7oBlQ
6c1/4teZ4U42JDTKGtTl+rI3HimrcSSnNuMYtyZ5uVooWK3nZcUnGDPjEr0iZXtM
qrQo1H/ZgaVfa0uaBKb2e5sXvBcwtec1kP++v34WY4gIVFzvfor4slMAXhmg3XBV
zBD6sn66Uy6GoAknspvh4N4eQoujdF6GKp44xUk1RvdPb/7We0DwaiJh8iry30Y=
=2lH3
-----END PGP SIGNATURE-----


More information about the squid-users mailing list