On 9/01/2015 2:19 a.m., Mr J Potter wrote:
> Hi all,
>
> I have a weird problem connecting to one specific domain:
>
> https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.0.5/es5-shim.min.js
>
> this site works fine if I connect directly, but if I go via my
> squid instance, it fails (see below).
>
> I have squid 3.3.11 with optional SSL-bump set up and working fine
> for the most part, but it will not allow me onto this one domain.
> It's not in any filtered list (I've connected out SSLBump and all
> filtering/redirecting on my test server).
>
> It says unavailable to establish SSL connection... one point is
> when I connect to this site via chrome it tells me the encryption
> method is outdated - is squid refusing to connect due to this?

More likely Chrome is complaining about Squid bumping in its way. The bumped certs created by 3.3 use an older easily bumped format.

Our standing recommendation for bumping is to always use the latest Squid release if you encounter problems. SSL-bump is effectively going through an arms race with HTTPS - each Squid series has different capabilities to get around HTTPS protections that "suddenly" become popular as the previous series SSL-bump feature began to be used.

>
> thanks in advance for any help.
>
> root@dirvish:~# wget
> https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.0.5/es5-shim.min.js
> -dv

Squidclient gives me this:

Resolving cdnjs.cloudflare.com ...
Connecting... cdnjs.cloudflare.com (198.41.215.184:443)
Connected to: cdnjs.cloudflare.com (198.41.215.184:443)
X.509 TLS handshake ...
VERIFY DATUM: The certificate is NOT trusted. The certificate issuer is unknown.
WARNING: Insecure Connection
TLS Session info: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-128-GCM)

The certificate issuer being unknown is a problem. The modern browsers all go into a major panic over that kind of thing.

Amos