[squid-users] Squid works with ssl bump in intercept mode and root certificate in browser, but apps does not work
arun.xavier
innovature.arun.xavier at gmail.com
Thu May 18 10:26:22 UTC 2017
I have configured Squid with ssl-bump (intercept mode) and it works as
expected while accessing secure sites from browsers.
What I have done so far:
- Configured Squid.
- Created a root & intermediate certificate for dynamic cert generation in
Squid.
- Installed the same root certificate on the mobile device (iPhone 6, iOS 10).
- Every website works in Chrome/Safari.
But apps like Facebook and Twitter are not working (showing a network error).
When checking Squid's cache log, I found the entry below:
Error negotiating SSL connection on FD 12: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0)
It looks like the initial CONNECT/handshake is not working.
What I have changed in squid.conf:
-----------------------------------------------------------------
acl localnet src 172.16.0.0/12
acl localnet src fe80::/10
acl allow localnet
ssl_bump bump all
always_direct allow all
http_port localhost:3128
http_port localhost:3129 intercept
https_port localhost:3130 intercept ssl-bump generate-host-certificates=on cert=/etc/squid/cert/cert.pem key=/etc/squid/cert/key.pem
strip_query_terms off
----------------------------------------------------------------
Any idea how to fix this, or where to check? What might be my mistake?
PS:
I use Squid to get logs of all internet traffic from mobile devices.
An overview of my intended system is like this:
SmartPhone---->VPN--->Squid--->Internet