Alex, et al,

Thanks very much for the suggestions. The tip-off that HSTS issues may actually be a symptom, not the problem, was key. Turns out I did not properly install my self-signed root certificate into my laptop. Once I fixed that, everything started working.

Thanks again for the help!

-Dave

On Wed, Jul 9, 2014 at 1:59 PM, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:

> On 07/08/2014 08:17 PM, David Marcos wrote:
>
>> b. HTTP Strict Transport Security (HSTS): Some pages flat-out
>> reject any SSL bumping due to HSTS. I am using Chrome, which I'm sure
>> aggravates the issue. Is there a way to configure Squid to get around
>> HSTS? (Yes, I know this may be a dumb question given how HSTS works,
>> but would appreciate any insight.)
>
>
> HSTS is an active area of research so I do not have final answers for
> you, but my current understanding is:
>
> a) HSTS itself is more-or-less compatible with SslBump. If you can
> successfully convince an HTTP client to trust the Root certificate used
> by Squid, then sites visited by that client will not violate any
> standard HSTS rules.
>
> b) Bumping errors unrelated to HSTS may be misinterpreted as
> HSTS-related errors because the browser says "I cannot render that site
> because of HSTS". What the browser means, in some cases, is that "I do
> not trust that site [because there was a bumping problem] and HSTS rules
> prevent me from showing you the sites I do not trust". In this
> particular case, HSTS is mostly irrelevant. Once you fix the true cause
> of distrust, everything should work.
>
> c) If a browser or browser plugin "pins" a certificate to a site, it
> will not trust any other certificate for that site, possibly resulting
> in HSTS errors. See item (b) above for why these are not actually HSTS
> errors. In this case, there may be no solution -- you cannot force the
> browser to unpin the certificate if that pinning was hard-coded.
>
>
> Corrections welcomed!
>
>
> HTH,
>
> Alex.
>

--
___________________________________________________________
David J. Marcos
davem.business@xxxxxxxxx
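
Added example, not part of the original messages and not Squid's own tooling: an offline check of the trust condition from items (a) and (b), showing that a certificate signed the way a bumping proxy signs one verifies only against the root that actually signed it. The names `proxy-root`, `other-root` and `www.example.test` and all helper functions are assumptions, and every certificate is constructed in a temporary directory.

```bash
#!/usr/bin/env bash
# All keys and certificates below are constructed test data.

# trust_status ROOT_PEM LEAF_PEM: prints "trusted" if LEAF chains to ROOT
trust_status() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# make_root DIR NAME: self-signed root standing in for the proxy's signing CA
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# make_leaf DIR ROOTNAME HOST: certificate for HOST signed by ROOTNAME,
# standing in for the certificate a bumped connection presents
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d)
    make_root "$d" proxy-root    # the root the proxy signs with
    make_root "$d" other-root    # a different root, e.g. the wrong file installed
    make_leaf "$d" proxy-root www.example.test
    echo "client has proxy root: $(trust_status "$d/proxy-root.pem" "$d/www.example.test.pem")"
    echo "client has other root: $(trust_status "$d/other-root.pem" "$d/www.example.test.pem")"
    rm -rf "$d"
}

demo
```

The second case is the one a browser can report as an HSTS failure: the chain does not verify, and HSTS only removes the option to click through.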