Thanks for the reply. I'm aware of pinning, but this problem is happening on small and/or insignificant sites that are certainly not pinned, as well as the larger sites. In addition, our clients are not getting errors due to pinning on our existing proxy setup, so we're doing something correctly there. Unfortunately, the squid version that I have is something that I can't change, because it's supplied on a hardware appliance by our vendor. I can try to get them to update it, but I don't think I will get very far. As it is, they have done some extensive custom configuration for us, specifically relating to the ability to use both HTTP and HTTPS traffic over the same port while retaining full SSL interception capabilities. The annoying thing is that none of the browsers I am using will give me any useful information as to why they are hating my setup. I don't really know the best way to validate the output of my proxy server. Openssl would seem like a good place to start - is there any way to tell it to use a proxy when I want to try using the s_client feature and see how the certificate validates? -- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Existing-root-certificate-not-working-with-SSL-Bump-squid-3-3-10-tp4668515p4668526.html Sent from the Squid - Users mailing list archive at Nabble.com. _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
