-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 31/10/2014 8:30 a.m., inetjunkmail wrote: > We have an explicit squid proxy running ssl bump that works fine > for iOS 7 but Safari on iOS 8 gives an error stating that "There > was a problem communicating with the secure web proxy server > (HTTPS)." when browsing to an SSL site that is bumped. > > We can wipe an iOS 7 device, add the proxy CA to the trust store, > and successfully browse to an intercepted site. Doing the same > process with iOS 8 reveals the error. > > The error has been reproduced on two other intercepting proxy > solutions. > > Accessing SSL sites directly or non-intercepted is fine even if > the certificate is self signed or untrusted in any way. > > We've tried contacting Apple and they are pressing hard to close > the case saying that they don't support interception; contact the > vendor. The fact that it works fine with iOS 7, and the same error > is reproducible with 3 separate SSL interception proxies suggests > to me it's on them. Perhapse it is a result of the arms-race happening in the SSL/TLS area. Try upgrading to the latest Squid-3.5 and see if the bumping features there help. We know for certain that the ssl-bump features in 3.2 and 3.3 are useless with a growing number of websites using HSTS and "cert-pinning". But I dont think it is that clearly "on them". Interception *is* an attack on your users, and illegal in a lot of cases as well. It is reasonable for them not to support it. > > Is anyone else running into this? Is anyone else working? You are the first person noticably involved with MacOS / iOS in any way to post anything here in a long while. So unless you get a direct the answer assume it is "none of us use iOS like this". Amos -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32) iQEcBAEBAgAGBQJUUuIDAAoJELJo5wb/XPRjSQ4H/iqQu8RtxDTnrx1o9TnCdNDm g806kzuJ6h1k63oG7MaVlWu0FMkqw0XL1eq1dzqj9gT/qq9xQ08vDh6+TS9l8jn6 oOvUef/5i5FhZ0X7Ixa1d9JNzFLwVeZdrUwwxW3m0cPFMDHonxnJ1vYYk8F7oBlQ 6c1/4teZ4U42JDTKGtTl+rI3HimrcSSnNuMYtyZ5uVooWK3nZcUnGDPjEr0iZXtM qrQo1H/ZgaVfa0uaBKb2e5sXvBcwtec1kP++v34WY4gIVFzvfor4slMAXhmg3XBV zBD6sn66Uy6GoAknspvh4N4eQoujdF6GKp44xUk1RvdPb/7We0DwaiJh8iry30Y= =2lH3 -----END PGP SIGNATURE----- _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
