On 16/10/15 13:08, Dan Charlesworth wrote:
> ORLY
>
> I seem to recall this happening on 10.10 as well, but it could be an El Capitan thing. Do you mind reminding me of your squid config Jason?

With my config I'm trying to "aggressively" figure out if the transaction is safely going to be bump-able. I'm more willing to throw away (ie splice) things I'm unsure about than risk a client seeing an error. But for the websites you see problems with, I see nice clean bumping.

http_port 3128 ssl-bump cert=/etc/squid/squidCA.cert generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL

# peek at step 1 so the client hello (and with it the SNI) is available to the rules below
acl DiscoverSNIHost at_step SslBump1
ssl_bump peek DiscoverSNIHost

# do we have a SNI? If not, it's not TLS
acl SNIpresent ssl::server_name_regex .*

# this file contains https sites that we do not intercept - such as banks (because we want the data transfers to remain private)
# and accounts.google.com (because Chrome uses cert pinning for that domain)
# in general you will need to add all sites that involve cert pinning
acl NoSSLIntercept ssl::server_name_regex -i "/etc/squid/acl-NoSSLIntercept.txt"

# this external_acl process will sanity-check HTTPS transactions that haven't been spliced yet
# to ensure only the correct ones end up being bumped
external_acl_type checkIfHTTPS children-max=20 concurrency=20 negative_ttl=3600 ttl=3600 grace=90 %SRC %DST %PORT %ssl::>sni /usr/local/bin/confirm_https.pl
acl is_ssl external checkIfHTTPS

# order matters: splice first, bump only what the helper has confirmed
ssl_bump splice !SNIpresent
ssl_bump splice NoSSLIntercept
ssl_bump bump is_ssl

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
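The config above hands the final bump/splice decision to an external ACL helper, /usr/local/bin/confirm_https.pl, whose contents are not in the message. The following is an added example, not Jason's helper and not part of the Squid project: a hypothetical stand-in written in Python that speaks the concurrent external ACL helper protocol the external_acl_type line sets up (concurrency=20 makes Squid prepend a channel ID; the remaining fields are %SRC %DST %PORT %ssl::>sni, with an absent SNI sent as "-"). The policy it applies is an assumption chosen to match the "unsure means splice" stance in the message: it answers OK only when the destination port is 443 and the SNI is a well-formed DNS hostname rather than absent or an IP literal, and answers ERR (so the transaction falls through to the default and is spliced) on anything else, including lines it cannot parse.

```python
#!/usr/bin/env python3
"""Hypothetical Squid concurrent external ACL helper (stand-in for confirm_https.pl).

Request line from Squid, matching the external_acl_type format in the posted config
(concurrency=20, so a channel ID is prepended):
    <channel-id> <client-ip> <dest-host-or-ip> <port> <sni>
Reply line:
    <channel-id> OK    -> acl is_ssl matches, "ssl_bump bump is_ssl" applies
    <channel-id> ERR   -> acl does not match, transaction is left to the default (splice)
"""
import ipaddress
import re
import sys

# RFC 1123-style hostname with at least one dot: dot-separated labels of letters,
# digits and inner hyphens, total length <= 253, alphabetic TLD.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)

# Assumption for this example: only standard HTTPS is ever bumped.
BUMPABLE_PORTS = {443}


def sni_is_sane(sni: str) -> bool:
    """True only for a well-formed DNS name; absent ('-'), empty and IP literals fail."""
    if not sni or sni == "-":
        return False
    try:
        ipaddress.ip_address(sni)
        # An IP literal is not a valid SNI (RFC 6066) and no host cert would match it.
        return False
    except ValueError:
        pass
    return HOSTNAME_RE.match(sni) is not None


def decide(line: str) -> str:
    """Map one request line to the reply Squid expects. Anything unsure -> ERR."""
    fields = line.strip().split()
    if len(fields) != 5:
        # Malformed request: still answer on the channel if we can recover it,
        # because an unanswered channel leaves that client transaction hanging.
        chan = fields[0] if fields and fields[0].isdigit() else "0"
        return f"{chan} ERR"
    chan, _src, _dst, port, sni = fields
    try:
        port_ok = int(port) in BUMPABLE_PORTS
    except ValueError:
        port_ok = False
    verdict = "OK" if port_ok and sni_is_sane(sni) else "ERR"
    return f"{chan} {verdict}"


def main() -> None:
    # One reply per request line, flushed immediately: a buffered reply stalls
    # the Squid transaction until the helper times out.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Because Squid caches helper answers per distinct input line (ttl=3600 and negative_ttl=3600 in the posted config), a wrong verdict persists for an hour for that client/destination/SNI tuple, so keep the checks deterministic and keep the per-request work cheap enough that the children-max=20 pool is not exhausted.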