Thanks for your reply Amos. I will explain a bit more of my setup in the hope it clarifies a few of the issues.

I have installed the certificate portion of Squid's key/cert into the trusted root store of all the devices concerned; all clients see the "server's" certificate as being signed by Squid's private key, not the origin server's.

I have the following line in squid.conf to specifically stop the use of SSL:

    sslproxy_options NO_SSLv2 NO_SSLv3 SINGLE_DH_USE

If I navigate to the internal test site I have just created that has a self-signed certificate, the self-signed cert gets passed through to the client for them to make their own decision.

If there is no easy solution I will just avoid IE, which I won't be too upset about.

Thanks,
Oliver

----------------------------------------
> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> From: squid3@xxxxxxxxxxxxx
> Date: Fri, 28 Aug 2015 23:28:53 +1200
> Subject: Re: Internet Explorer error with SSL bumping
>
> On 28/08/2015 9:58 p.m., Oliver Webb wrote:
>> I have transparent SSL bumping working perfectly in Chrome and Safari
>> (iOS and Windows 7) and Internet Explorer *on Windows Phone*, and by
>> perfectly I mean no certificate warnings of any description for any site;
>> everything just behaves normally (apart from the site's certificate being
>> signed by me.) However in Internet Explorer 11 on Windows 7 I get the
>> following message for all secure bumped sites (secure sites like ebay
>> for example load fine because I have configured not to be bumped and
>> also unsecure sites load fine as well)
>>
>> This page can’t be displayed
>>
>> Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to
>> https://google.co.uk again. If this error persists, contact your site administrator.
>>
>> I just wondered if anyone had any bright ideas as to what might be up.
>
> The complete lack of warnings is a BAD sign. It means the certificate
> mimic feature is probably not working at all.
>
> Mimic is supposed to pass certificate flaws in the server certs through
> to the client/browser so all the security go/die decisions can be made
> by the end-user's own preference config.
>
>
> The error message you show implies that you have configured your proxy
> for SSLv3-only or SSLv2-only. At least on the listening ports the
> browser is connecting to. Though since it was displayed by a browser we
> can't be 100% sure it contains truth (SSL-bump is feeding some bold lies
> to it).
>
>
> PS. If not 3.5.7 or a later snapshot please try an upgrade.
>
> PPS. I'm told people are having pain from OpenSSL 0.9.8 apparently
> trying to do TLS/1.0 in a way Squid does not handle properly right now.
> If that library version is installed on the client you may need to wait
> for a fix the guys are working on as I type this (ETA unknown). Though
> if you can get the client to upgrade to a more current and secure
> OpenSSL that would be even better.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
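
An added example, not part of the thread: a small squid.conf audit that reports protocol settings separately for the client-facing listening ports (the side Amos points at) and for the Squid-to-server side, which is what the `sslproxy_*` directives configure. It assumes the Squid 3.x `options=` and `version=` port parameters and the `sslproxy_version` directive; the sample config, port number, certificate path and function names are constructed for illustration.

```python
import re

PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2"]
# Squid 3.x version pins: 1 = negotiate, 2..6 = exactly one protocol.
PINNED = {"2": "SSLv2", "3": "SSLv3", "4": "TLSv1", "5": "TLSv1_1", "6": "TLSv1_2"}

# Constructed sample (not the poster's real config): the listening port is
# pinned to SSLv3 while only the outbound side carries the NO_* options.
SAMPLE = """\
https_port 3130 intercept ssl-bump cert=/etc/squid/ca.pem version=3
sslproxy_options NO_SSLv2 NO_SSLv3 SINGLE_DH_USE
"""

def enabled(options, version="1"):
    """Protocols left usable by a list of NO_* options and a version pin."""
    banned = {o[3:] for o in options if o.startswith("NO_")}
    pool = [PINNED[version]] if version in PINNED else PROTOCOLS
    return [p for p in pool if p not in banned]

def audit(conf_text):
    """Map each TLS side found in squid.conf to the protocols it allows."""
    report, out_opts, out_ver = {}, [], "1"
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        directive, *args = line.split()
        if directive in ("http_port", "https_port") and "ssl-bump" in args:
            kv = dict(a.split("=", 1) for a in args if "=" in a)
            opts = re.split(r"[,:]", kv.get("options", ""))
            report["client-side " + args[0]] = enabled(opts, kv.get("version", "1"))
        elif directive == "sslproxy_options":
            out_opts = re.split(r"[,:\s]+", " ".join(args))
        elif directive == "sslproxy_version" and args:
            out_ver = args[0]
    report["server-side"] = enabled(out_opts, out_ver)
    return report

def tls_less(report):
    """Sides on which no TLS version at all is enabled."""
    return [s for s, p in report.items() if not any(x.startswith("TLS") for x in p)]

if __name__ == "__main__":
    for side, protos in audit(SAMPLE).items():
        print(f"{side}: {', '.join(protos) or 'nothing enabled'}")
    print("no TLS available on:", tls_less(audit(SAMPLE)))
```

A side listed by `tls_less` is one where a browser that has SSLv2/SSLv3 disabled has nothing left to negotiate.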