I thought that fixed it for a second … 

But in reality ssl_bump peek step1 & ssl_bump bump step3 is actually splicing 
everything, it seems.

Any other advice? :-)

> On 14 Oct 2015, at 1:51 PM, Amos Jeffries <squ...@treenet.co.nz> wrote:
> 
> On 14/10/2015 1:13 p.m., Dan Charlesworth wrote:
>> Throwing this out to the list in case anyone else might be trying to get SSL 
>> Bump to work with the latest version of Safari.
>> 
>> Every other browser on OS X (and iOS) is happy with bumping for pretty much 
>> all HTTPS sites, so long as the proxy’s CA is trusted. 
>> 
>> However Safari throws generic “secure connection couldn’t be established” 
>> errors for many popular HTTPS sites including:
>> - wikipedia.org
>> - mail.google.com
>> - twitter.com
>> - github.com
>> 
>> But quite a number of others work, such as youtube.com.
>> 
>> This error gets logged to the system whenever it occurs:
>> com.apple.WebKit.Networking: NSURLSession/NSURLConnection HTTP load failed 
>> (kCFStreamErrorDomainSSL, -9802)
>> 
>> Apparently this is related to Apple’s new “App Transport Security” 
>> protections, in particular, the fact that “the server doesn’t support 
>> forward secrecy”. Even though it doesn’t seem to be affecting mobile Safari 
>> on iOS 9 at all.
>> 
>> It’s also notable that Safari seems perfectly happy with legacy server-first 
>> SSL bumping. 
>> 
>> I’m using Squid 3.5.10 and this is my current config: 
>> https://gist.github.com/djch/9b883580c6ee84f31cd1
>> 
>> Anyone have any idea what I can try?
> 
> You can try bump at step3 (roughly equivalent to server-first) instead
> of step2 (aka client-first).
> 
> 
> Amos
> 
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
