Re: Safari 9 vs. SSL Bump

On 14/10/2015 1:13 p.m., Dan Charlesworth wrote:
> Throwing this out to the list in case anyone else might be trying to get SSL Bump to work with the latest version of Safari.
> 
> Every other browser on OS X (and iOS) is happy with bumping for pretty much all HTTPS sites, so long as the proxy’s CA is trusted. 
> 
> However Safari throws generic “secure connection couldn’t be established” errors for many popular HTTPS sites including:
> - wikipedia.org
> - mail.google.com
> - twitter.com
> - github.com
> 
> But quite a number of others work, such as youtube.com.
> 
> This error gets logged to the system whenever it occurs:
> com.apple.WebKit.Networking: NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
> 
> Apparently this is related to Apple’s new “App Transport Security” protections, in particular, the fact that “the server doesn’t support forward secrecy”. Even though it doesn’t seem to be affecting mobile Safari on iOS 9 at all.
> 
> It’s also notable that Safari seems perfectly happy with legacy server-first SSL bumping. 
> 
> I’m using Squid 3.5.10 and this is my current config: https://gist.github.com/djch/9b883580c6ee84f31cd1
> 
> Anyone have any idea what I can try?

You can try bump at step3 (roughly equivalent to server-first) instead
of step2 (aka client-first).


Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
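
The suggestion in the reply above, written out as squid.conf rules. This is an added example, not part of the original thread and not the poster's configuration (the linked gist is not reproduced here). It assumes Squid 3.5 peek-and-splice syntax and a listening port already configured with `ssl-bump` and the proxy CA; the ACL names `step1` and `step2` are chosen for illustration.

```conf
# Added example: two alternative ssl_bump rule sets. Use one, not both.

# --- Variant A: bump at step2 --------------------------------------
# Squid peeks at the TLS ClientHello (SNI) in step1, then the catch-all
# "bump" rule matches at step2, before the origin server has been seen.
#
# acl step1 at_step SslBump1
# ssl_bump peek step1
# ssl_bump bump all

# --- Variant B: bump at step3 (what the reply suggests trying) -----
# step1: peek at the ClientHello to learn the SNI.
# step2: stare, so Squid receives the server's hello and certificate
#        while keeping the option to bump (peeking at step2 would
#        usually rule out bumping later).
# step3: the catch-all rule bumps, now with the server side known.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
ssl_bump peek step1
ssl_bump stare step2
ssl_bump bump all
```

`squid -k parse` checks the edited file for syntax errors before the proxy is reconfigured.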



