[squid-users] Safari 9 vs. SSL Bump

Dan Charlesworth dan at getbusi.com
Fri Oct 16 04:59:41 UTC 2015


So after all that, it was my choice of keychain that was the problem. Every HTTPS site works with the CA cert in the System keychain as opposed to login.

I’ll put that down to OS X probably using some system-level processes to do some of Safari’s work, or something.

Thanks Alex, Amos, and Jason for your help on this.

🍻 🙇 💚 

> On 16 Oct 2015, at 11:55 AM, Dan Charlesworth <dan at getbusi.com> wrote:
> 
> Great, thanks. Don’t know why I didn’t think of it before but I’ll try elevating it from Login -> System keychain and see what happens.
> 
>> On 16 Oct 2015, at 11:51 AM, Jason Haar <Jason_Haar at trimble.com> wrote:
>> 
>> On 16/10/15 13:34, Dan Charlesworth wrote:
>>> Thanks!
>>> 
>>> So ignoring the “bumpable” helper check, it’s effectively peeking at step1 and then bumping it like my config’s doing.
>>> 
>>> I wonder what else could be differentiating it. Is your proxy CA just installed in the Login keychain?
>> 
>> Nope - did it "properly" at the OS level. Get a PEM version of your
>> squidCA pubkey and as root do
>> 
>> security add-trusted-cert -d -r trustRoot -p ssl -p smime -p IPSec -p eap -p basic /path/squidCA.pem > /dev/null 2>&1 || true
>> certtool i "/path/squidCA.pem" k=/System/Library/Keychains/X509Anchors > /dev/null 2>&1 || true
>> 
>> The "ipsec/smime" stuff is actually not needed - but I don't care ;-) I
>> went for the carpet bombing approach for the Mac (which I don't know well)
>> 
>> -- 
>> Cheers
>> 
>> Jason Haar
>> Corporate Information Security Manager, Trimble Navigation Ltd.
>> Phone: +1 408 481 8171
>> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>> 
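Added example, not part of the original thread: a small check for the situation the thread resolves, reporting whether the bumping CA sits in the System keychain or only in the login keychain, then asking the OS to evaluate it under the ssl policy. The function names and the two keychain paths are assumptions (stock OS X locations of that era; newer releases name the login keychain `login.keychain-db`), and both paths can be overridden through the environment.

```shell
#!/bin/sh
# Added example: report which macOS keychain holds the Squid bumping CA.
# Keychain paths are assumptions (stock locations); override via env.
SYSTEM_KC="${SYSTEM_KC:-/Library/Keychains/System.keychain}"
LOGIN_KC="${LOGIN_KC:-$HOME/Library/Keychains/login.keychain}"

# in_keychain NAME KEYCHAIN -> exit 0 if a cert with that common name is there
in_keychain() {
    security find-certificate -c "$1" "$2" >/dev/null 2>&1
}

# ca_location NAME -> prints system | login | both | none
ca_location() {
    in_sys=no; in_login=no
    in_keychain "$1" "$SYSTEM_KC" && in_sys=yes
    in_keychain "$1" "$LOGIN_KC" && in_login=yes
    case "$in_sys/$in_login" in
        yes/yes) echo both ;;
        yes/no)  echo system ;;
        no/yes)  echo login ;;
        *)       echo none ;;
    esac
}

# check_ca NAME PEM -> 0 if the CA is in the System keychain and the PEM
# passes evaluation under the ssl policy; 1 if misplaced; 2 if evaluation fails.
check_ca() {
    loc=$(ca_location "$1")
    echo "CA '$1' found in: $loc"
    case "$loc" in
        system|both) ;;
        *) echo "CA is not in the System keychain" >&2; return 1 ;;
    esac
    security verify-cert -c "$2" -p ssl >/dev/null 2>&1 || {
        echo "trust evaluation under the ssl policy failed" >&2; return 2; }
    echo "trust evaluation under the ssl policy succeeded"
}

# Runs only when given arguments: ./check_ca.sh "CA Common Name" /path/squidCA.pem
if [ "$#" -eq 2 ]; then check_ca "$1" "$2"; fi
```

A result of `login` from `ca_location` corresponds to the state described at the top of this message, before the certificate was moved to the System keychain.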