If you're accessing Squid as a transparent proxy, you can add in a firewall rule to exclude the IP addresses of Mozilla's servers from being redirected to Squid.

If you're using Squid as a direct proxy, you can add an SSL bump exclusion in your squid.conf like so:

    acl sslbump_exclusions dstdomain domain.you.want.to.exclude
    ssl_bump none sslbump_exclusions

This will prevent Squid from attempting to decrypt the traffic after the initial CONNECT request. Note that this assumes the clients using Squid will send the domain in the CONNECT requests - if you want to cover the clients that don't do this, use the 'dst' acl type instead:

    acl sslbump_exclusions_ip dst 1.2.3.4
    ssl_bump none sslbump_exclusions_ip

Nathan.

--
Nathan Hoad
Software Developer
www.getoffmalawn.com

On Tue, Jan 7, 2014 at 11:59 AM, Roman Gelfand <rgelfand2@xxxxxxxxx> wrote:
> I have an ssl bump setup with ssl_bump server-first all.
>
> When firefox is attempting an update, end user gets error "something
> is trying to trick firefox into accepting an insecure update".
>
> From what I gathered, unless I am wrong, firefox doesn't like when
> certificate changes in the middle.
>
> In any case, is there a way to deal with this either specifically
> bypassing ssl bump or something else?
>
> Thanks in advance
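
Added example, not part of the original thread: Squid applies the first ssl_bump line that matches, so the exclusion in the reply only takes effect when it sits above the `ssl_bump server-first all` line from the question. The sketch below models that evaluation order and flags exclusions that can never fire; both sample configs are constructed, and the function names are hypothetical.

```python
# Constructed sample configs built from the directives quoted in the thread.
BROKEN = """\
acl sslbump_exclusions dstdomain domain.you.want.to.exclude
ssl_bump server-first all
ssl_bump none sslbump_exclusions
"""
FIXED = """\
acl sslbump_exclusions dstdomain domain.you.want.to.exclude
ssl_bump none sslbump_exclusions   # must come before the catch-all
ssl_bump server-first all
"""

def ssl_bump_rules(conf):
    """Return [(action, [acl, ...]), ...] in file order, ignoring comments."""
    rules = []
    for line in conf.splitlines():
        tokens = line.split("#", 1)[0].split()
        # A usable rule has the directive, an action and at least one ACL.
        if len(tokens) >= 3 and tokens[0] == "ssl_bump":
            rules.append((tokens[1], tokens[2:]))
    return rules

def decide(conf, matching_acls):
    """Action taken for a request that matches the given ACL names.
    Lines are checked top to bottom and the first match wins; ACLs on one
    line are ANDed, '!' negates, and the built-in 'all' always matches."""
    matched = set(matching_acls) | {"all"}
    for action, acls in ssl_bump_rules(conf):
        if all((a[1:] not in matched) if a.startswith("!") else (a in matched)
               for a in acls):
            return action
    return "none"  # no line matched: the connection is tunnelled, not bumped

def shadowed_exclusions(conf):
    """'ssl_bump none' lines placed after a bumping rule on the bare ACL
    'all'; that earlier rule matches every request, so they never fire."""
    seen_catch_all, dead = False, []
    for action, acls in ssl_bump_rules(conf):
        if seen_catch_all and action == "none":
            dead.append(" ".join(["ssl_bump", action] + acls))
        if acls == ["all"] and action != "none":
            seen_catch_all = True
    return dead

if __name__ == "__main__":
    for name, conf in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, decide(conf, {"sslbump_exclusions"}), shadowed_exclusions(conf))
```
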