Hello there,

Thanks for your interest. The versions we use are:

Squid Cache: Version 3.4.10
OpenSSL 1.0.2h 3 May 2016

----------

Configuration we use for https bumping:

always_direct allow all
ssl_bump none localhost
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

On Sun, Jul 10, 2016 at 5:12 PM, Eliezer Croitoru <elie...@ngtech.co.il> wrote:

> Hey,
>
> What version of squid is provided on pfsense and what version are you using?
>
> Eliezer
>
> ----
> Eliezer Croitoru <http://ngtech.co.il/lmgtfy/>
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: elie...@ngtech.co.il
>
> *From:* squid-users [mailto:squid-users-boun...@lists.squid-cache.org] *On Behalf Of* Yi?itcan U?UM
> *Sent:* Sunday, July 10, 2016 3:49 PM
> *To:* squid-users@lists.squid-cache.org
> *Subject:* [squid-users] HTTPS bump doesn't work with websites that require SNI
>
> Hello there. We're using pfsense and squid-proxy to bump https connections between some of our machines and www. The setup seems to work fine for most of the https sites, but it doesn't work for the others.
>
> One example of these sites is "docs.docker.com". Even though we can connect to "docker.com", we can't connect to "docs.docker.com".
>
> The error we get is:
>
> (92) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
>
> Handshake with SSL server failed: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
>
> Upon further investigation we found out that this happens because some sites require SNI to supply the correct SSL certificate.
>
> You can test this out with:
>
> -------------------------------
>
> openssl s_client -connect docs.docker.com:443 -> ERROR
>
> 140612823746464:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:
>
> -------------------------------
>
> openssl s_client -connect docs.docker.com:443 -servername docs.docker.com -> Works
>
> --------------------------------
>
> Squid seems to make https request without the SNI. How can we configure Squid to use SNI? Thanks.
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users