Hi there. Weird. sslbump seems to be working well, even intercepts twitter.com fine under FF-33 (with its pinning support, due to security.cert_pinning.enforcement_level=1). However, facebook.com generates a "sec_error_inadequate_key_usage" error.

I cranked up debugging and see this. As you can see, the proxy has IPv6 support and is actually intercepting google.com over IPv6 successfully, so I don't think it has anything to do with networking. I can use "curl -v" to confirm it successfully downloaded the frontpage over the same IPv6 address too. I also checked the ssl_db/certs dir and removed the facebook certs and restarted - didn't help.

If I look at the real www.facebook.com cert, I see

    X509v3 Subject Alternative Name:
        DNS:*.facebook.com, DNS:facebook.com, DNS:*.fbsbx.com, DNS:*.fbcdn.net, DNS:*.xx.fbcdn.net, DNS:*.xy.fbcdn.net, DNS:fb.com, DNS:*.fb.com
    X509v3 Key Usage: critical
        Digital Signature, Key Agreement
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication

however, the squid-created cert shows

    X509v3 Subject Alternative Name:
        DNS:*.facebook.com, DNS:facebook.com, DNS:*.fbsbx.com, DNS:*.fbcdn.net, DNS:*.xx.fbcdn.net, DNS:*.xy.fbcdn.net, DNS:fb.com, DNS:*.fb.com
    X509v3 Key Usage: critical
        .
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication

So squid is failing to set "X509v3 Key Usage" correctly?

Jason

1413438531.233 2192 127.0.0.1 TAG_NONE/200 0 CONNECT www.facebook.com:443 - HIER_DIRECT/2a03:2880:20:4f06:face:b00c:0:1 - [User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0\r\nProxy-Connection: keep-alive\r\nConnection: keep-alive\r\nHost: www.facebook.com:443\r\n] []

generates the following...

2014/10/16 18:40:16.194 kid1| dns_internal.cc(1092) idnsCallback: Merging DNS results www.facebook.com A has 2 RR, AAAA has 2 RR
2014/10/16 18:40:16.194 kid1| ipcache.cc(498) ipcacheParse: ipcacheParse: 4 answers for 'www.facebook.com'
2014/10/16 18:40:16.194 kid1| ipcache.cc(567) ipcacheParse: ipcacheParse: www.facebook.com #0 [2a03:2880:20:4f06:face:b00c:0:1]
2014/10/16 18:40:16.194 kid1| ipcache.cc(556) ipcacheParse: ipcacheParse: www.facebook.com #1 173.252.74.22
2014/10/16 18:40:16.194 kid1| peer_select.cc(286) peerSelectDnsPaths: Found sources for 'www.facebook.com:443'
2014/10/16 18:40:16.194 kid1| FwdState.cc(373) startConnectionOrFail: www.facebook.com:443
2014/10/16 18:40:16.194 kid1| FwdState.cc(1082) connectStart: fwdConnectStart: www.facebook.com:443
2014/10/16 18:40:16.194 kid1| pconn.cc(340) key: PconnPool::key(local=[::] remote=[2a03:2880:20:4f06:face:b00c:0:1]:443 flags=1, www.facebook.com) is {[2a03:2880:20:4f06:face:b00c:0:1]:443/www.facebook.com}
2014/10/16 18:40:16.194 kid1| pconn.cc(436) pop: lookup for key {[2a03:2880:20:4f06:face:b00c:0:1]:443/www.facebook.com} failed.
2014/10/16 18:40:16.194 kid1| peer_select.cc(94) ~ps_state: www.facebook.com:443
2014/10/16 18:40:16.194 kid1| fd.cc(221) fd_open: fd_open() FD 33 www.facebook.com
2014/10/16 18:40:16.426 kid1| FwdState.cc(1029) connectDone: local=[2001:470:828b:0:c460:6ed8:7e00:e8f4]:52765 remote=[2a03:2880:20:4f06:face:b00c:0:1]:443 FD 33 flags=1: 'www.facebook.com:443'
2014/10/16 18:40:17.698 kid1| support.cc(260) ssl_verify_cb: SSL Certificate signature OK: /C=US/ST=CA/L=Menlo Park/O=Facebook, Inc./CN=*.facebook.com
2014/10/16 18:40:17.698 kid1| support.cc(260) ssl_verify_cb: SSL Certificate signature OK: /C=US/ST=CA/L=Menlo Park/O=Facebook, Inc./CN=*.facebook.com
2014/10/16 18:40:17.698 kid1| support.cc(260) ssl_verify_cb: SSL Certificate signature OK: /C=US/ST=CA/L=Menlo Park/O=Facebook, Inc./CN=*.facebook.com
2014/10/16 18:40:17.698 kid1| support.cc(214) check_domain: Verifying server domain www.facebook.com to certificate name/subjectAltName *.facebook.com
2014/10/16 18:40:17.950 kid1| FwdState.cc(1218) dispatch: local=127.0.0.1:3128 remote=127.0.0.1:49230 FD 24 flags=1: Fetching 'CONNECT www.facebook.com:443'
2014/10/16 18:40:17.950 kid1| FwdState.cc(433) unregister: www.facebook.com:443
2014/10/16 18:40:17.950 kid1| FwdState.cc(458) complete: www.facebook.com:443
2014/10/16 18:40:17.950 kid1| FwdState.cc(1355) reforward: www.facebook.com:443?
2014/10/16 18:40:17.950 kid1| client_side.cc(4045) httpsPeeked: HTTPS server CN: *.facebook.com bumped: local=[2001:470:828b:0:c460:6ed8:7e00:e8f4]:52765 remote=[2a03:2880:20:4f06:face:b00c:0:1]:443 FD 33 flags=1
2014/10/16 18:40:17.951 kid1| client_side.cc(4049) httpsPeeked: bumped HTTPS server: www.facebook.com
2014/10/16 18:40:17.951 kid1| client_side_request.cc(265) ~ClientHttpRequest: httpRequestFree: www.facebook.com:443
2014/10/16 18:40:17.951 kid1| client_side.cc(617) logRequest: logging half-baked transaction: www.facebook.com:443
2014/10/16 18:40:17.951 kid1| client_side.cc(621) logRequest: clientLogRequest: al.url='www.facebook.com:443'
2014/10/16 18:40:17.951 kid1| HttpHeader.cc(1531) ~HttpHeaderEntry: destroying entry 0x30c5fd0: 'Host: www.facebook.com:443'
2014/10/16 18:40:17.951 kid1| client_side.cc(3899) getSslContextStart: Finding SSL certificate for /C=US/ST=CA/L=Menlo Park/O=Facebook, Inc./CN=*.facebook.com+Sign=signTrusted in cache
2014/10/16 18:40:17.951 kid1| client_side.cc(3904) getSslContextStart: SSL certificate for /C=US/ST=CA/L=Menlo Park/O=Facebook, Inc./CN=*.facebook.com+Sign=signTrusted have found in cache
2014/10/16 18:40:17.952 kid1| client_side.cc(3906) getSslContextStart: Cached SSL certificate for /C=US/ST=CA/L=Menlo Park/O=Facebook, Inc./CN=*.facebook.com+Sign=signTrusted is valid
2014/10/16 18:40:17.956 kid1| ctx: enter level 0: 'www.facebook.com:443'
2014/10/16 18:40:17.956 kid1| HttpHeader.cc(1531) ~HttpHeaderEntry: destroying entry 0x30c0810: 'Host: www.facebook.com:443'

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
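The post compares the "X509v3 Key Usage" lines of the real cert and the bumped cert by eye. The following is an added example, not code from the post, from Squid or from OpenSSL, that decodes the KeyUsage extension from DER and checks whether the permitted usages are enough for a TLS server certificate. The two DER byte strings are constructed by hand to match what the post quotes: the real cert's "Digital Signature, Key Agreement", and, on the assumption that the bumped cert's "critical ." is OpenSSL printing a critical BIT STRING with no bits set, an empty KeyUsage. The mapping from handshake mode to required KeyUsage bit follows RFC 5246 section 7.4.2 and RFC 4492; the mode names are this example's own.

```python
"""Decode X.509 KeyUsage from DER and check it against TLS server needs.

Added example for the squid-users thread above; not Squid or OpenSSL code.
The DER blobs below are CONSTRUCTED to match the two KeyUsage values quoted
in the post (real cert vs. ssl_bump mimic cert)."""

# RFC 5280 section 4.2.1.3: KeyUsage BIT STRING bit positions.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]
KEY_USAGE_OID = bytes.fromhex("551d0f")  # id-ce-keyUsage, 2.5.29.15

# Which KeyUsage bit a server cert needs for each way the server key is
# used in the handshake (RFC 5246 7.4.2, RFC 4492). Mode names are ours.
TLS_SERVER_REQUIREMENT = {
    "rsa_key_transport": "keyEncipherment",  # TLS_RSA_* suites
    "signature": "digitalSignature",         # (EC)DHE_RSA, ECDHE_ECDSA
    "static_ecdh": "keyAgreement",           # ECDH_ECDSA / ECDH_RSA
}

# Constructed: SEQUENCE { OID keyUsage, BOOLEAN TRUE, OCTET STRING { BIT STRING } }
# Real cert: bits 0 and 4 set (digitalSignature, keyAgreement), 3 unused bits.
REAL_KU_EXT = bytes.fromhex("300e0603551d0f0101ff040403020388")
# Mimic cert: critical, BIT STRING with zero bits ("critical ." in the post).
BUMPED_KU_EXT = bytes.fromhex("300d0603551d0f0101ff0403030100")


def _tlv(buf, pos=0):
    """Parse one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER")
    return tag, value, pos + length


def decode_key_usage_bitstring(bitstring_tlv):
    """Decode a DER BIT STRING into the set of named KeyUsage bits."""
    tag, value, _ = _tlv(bitstring_tlv)
    if tag != 0x03 or not value:
        raise ValueError("KeyUsage must be a non-empty BIT STRING TLV")
    unused, body = value[0], value[1:]
    total_bits = len(body) * 8 - unused  # 0 for the "critical ." case
    return {KEY_USAGE_BITS[i] for i in range(min(total_bits, len(KEY_USAGE_BITS)))
            if body[i // 8] & (0x80 >> (i % 8))}


def decode_key_usage_extension(ext_der):
    """Parse Extension { extnID, critical DEFAULT FALSE, extnValue }.
    Returns (critical, usages); raises if it is not a KeyUsage extension."""
    tag, seq, _ = _tlv(ext_der)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid, pos = _tlv(seq)
    if tag != 0x06 or oid != KEY_USAGE_OID:
        raise ValueError("not a KeyUsage extension")
    critical = False
    tag, val, pos = _tlv(seq, pos)
    if tag == 0x01:  # optional BOOLEAN critical
        critical = val == b"\xff"
        tag, val, pos = _tlv(seq, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    return critical, decode_key_usage_bitstring(val)


def tls_server_usable(usages, key_exchange):
    """True if a server cert with these usages may serve the given handshake
    mode. An empty KeyUsage permits nothing, so every mode is inadequate."""
    return TLS_SERVER_REQUIREMENT[key_exchange] in usages


def compare_key_usage(real_ext, mimic_ext):
    """Usages the real cert grants that the mimic cert dropped."""
    _, real = decode_key_usage_extension(real_ext)
    mimic_critical, mimic = decode_key_usage_extension(mimic_ext)
    return {"real": real, "mimic": mimic, "dropped": real - mimic,
            "mimic_critical": mimic_critical}


if __name__ == "__main__":
    for name, ext in (("real", REAL_KU_EXT), ("bumped", BUMPED_KU_EXT)):
        critical, usages = decode_key_usage_extension(ext)
        print(name, "critical" if critical else "non-critical", sorted(usages) or "<none>")
        for mode in TLS_SERVER_REQUIREMENT:
            print("   ", mode, "ok" if tls_server_usable(usages, mode) else "INADEQUATE")
    print("dropped by mimic:", sorted(compare_key_usage(REAL_KU_EXT, BUMPED_KU_EXT)["dropped"]))
```

To run the same comparison against live certificates, feed the DER of the keyUsage extension from the upstream leaf and from the proxy-presented leaf into compare_key_usage; a critical KeyUsage with no bits set is exactly the condition a browser reports as inadequate key usage, whatever key type the mimic cert carries.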