Hey y’all,

Finally got 3.5.2 running. I was under the impression that using server-first SSL bump would still be compatible, despite all the Peek & Splice changes, but apparently not. Hopefully someone can explain what might be going wrong here ...

Using the same SSL Bump config that we used for 3.4, we’re now seeing this happen:

19/Mar/2015-16:21:32 22 d4:f4:6f:71:90:e6 10.0.1.71 TCP_DENIED 200 0 CONNECT 94.31.29.230:443 - server-first - HIER_NONE/- - -

Instead of this:

19/Mar/2015-14:42:04 736 d4:f4:6f:71:90:e6 10.0.1.71 TCP_MISS 200 96913 GET https://code.jquery.com/jquery-1.11.0.min.js - server-first Mozilla/5.0%20(iPhone;%20CPU%20iPhone%20OS%208_2%20like%20Mac%20OS%20X)%20AppleWebKit/600.1.4%20(KHTML,%20like%20Gecko)%20Mobile/12D508 ORIGINAL_DST/94.31.29.53 application/x-javascript -

This request happens in a little splash page which is designed to test if squid’s CA cert is installed on the client and redirect them to some instructions if it’s not.

This definitely isn’t happening for all intercepted HTTPS requests, just this (particularly important) one and some others.

SSL Bump config:

ssl_bump none localhost
ssl_bump server-first all
sslproxy_cert_error deny all
sslcrtd_program /usr/bin/squid_ssl_crtd -s /path/to/squid/ssl_db -M 4MB
sslcrtd_children 32 startup=5 idle=1

DNAT intercepting port config:

https_port 3130 intercept name=3130 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/path/to/squid/proxy-cert.cer key=/path/to/squid/proxy-key.key

Thanks!
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users