Search squid archive

Re: iOS 8 and ssl_bump: Anyone working?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Thanks for your input.  After further testing (which I thought I already tested and determined was not the case...), it looks like it fails any time a certificate is "broken" when using a proxy server even with ssl bumping turned off.  If I use a host file to make the cert name not match, I get the same error.  Browse to a site with a set signed cert, same error.  So this seems to be a little more generic of an issue than I suspected.  I appreciate your feedback.  We'll re-engage Apple with the new details and see how it goes.

On Thu, Oct 30, 2014 at 9:12 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 31/10/2014 8:30 a.m., inetjunkmail wrote:
> We have an explicit squid proxy running ssl bump that works fine
> for iOS 7 but Safari on iOS 8 gives an error stating that "There
> was a problem communicating with the secure web proxy server
> (HTTPS)."  when browsing to an SSL site that is bumped.
>
> We can wipe an iOS 7 device, add the proxy CA to the trust store,
> and successfully browse to an intercepted site.  Doing the same
> process with iOS 8 reveals the error.
>
> The error has been reproduced on two other intercepting proxy
> solutions.
>
> Accessing SSL sites directly or non-intercepted is fine even if
> the certificate is self signed or untrusted in any way.
>
> We've tried contacting Apple and they are pressing hard to close
> the case saying that they don't support interception; contact the
> vendor.  The fact that it works fine with iOS 7, and the same error
> is reproducible with 3 separate SSL interception proxies suggests
> to me it's on them.


Perhapse it is a result of the arms-race happening in the SSL/TLS
area. Try upgrading to the latest Squid-3.5 and see if the bumping
features there help. We know for certain that the ssl-bump features in
3.2 and 3.3 are useless with a growing number of websites using HSTS
and "cert-pinning".


But I dont think it is that clearly "on them". Interception *is* an
attack on your users, and illegal in a lot of cases as well. It is
reasonable for them not to support it.


>
> Is anyone else running into this?  Is anyone else working?

You are the first person noticably involved with MacOS / iOS in any
way to post anything here in a long while. So unless you get a direct
the answer assume it is "none of us use iOS like this".

Amos

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUUuIDAAoJELJo5wb/XPRjSQ4H/iqQu8RtxDTnrx1o9TnCdNDm
g806kzuJ6h1k63oG7MaVlWu0FMkqw0XL1eq1dzqj9gT/qq9xQ08vDh6+TS9l8jn6
oOvUef/5i5FhZ0X7Ixa1d9JNzFLwVeZdrUwwxW3m0cPFMDHonxnJ1vYYk8F7oBlQ
6c1/4teZ4U42JDTKGtTl+rI3HimrcSSnNuMYtyZ5uVooWK3nZcUnGDPjEr0iZXtM
qrQo1H/ZgaVfa0uaBKb2e5sXvBcwtec1kP++v34WY4gIVFzvfor4slMAXhmg3XBV
zBD6sn66Uy6GoAknspvh4N4eQoujdF6GKp44xUk1RvdPb/7We0DwaiJh8iry30Y=
=2lH3
-----END PGP SIGNATURE-----
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux