On 7/04/2014 4:58 p.m., Dan Charlesworth wrote: > This somewhat vague error comes up with relative frequency from iOS > apps when browsing via our Squid 3.4.4 intercepting proxy which is > performing server-first SSL Bumping. > > The requests in question don’t make it as far as the access log, but > with debug_options 28,3 26,3, the dst IP can be identified and > allowed through with ssl_bump none. Aha. So they hang? all requests that start should be logged. > > The device trusts Squid's CA, but apparently that’s not enough for > the Twitter iOS app and certain Akamai requests that App Store > updates use. > > Can anyone suggest how one might debug this further? Or just an idea > of why the client might be closing the SSL connection in certain > cases? Is there any SNI or NPN or ALPN extensions on those requests? It could be the clients are using new non-HTTP protocols whih cannot be bumped. Amos
