Hi Amos,

Thanks for the confirmation, but I'm not sure if my upstream proxy supports TLS/SSL in the way you said. We can use it to proxy both http and https requests; does that mean it supports TLS/SSL?

To be honest, I'm not familiar with the principles of http/https proxies at all. To solve this problem, I read some posts about them. An http proxy is pretty straightforward, but for an https proxy, I'm really confused by the explanations in various posts. If possible, could you help answer some basic questions about it? Thanks in advance.

1. Let's talk first about the scenario of explicitly using an https proxy on the client side. It's said that the client connects to the proxy and makes a CONNECT request to set up a TCP tunnel between client and server; the https proxy blindly forwards data in both directions without knowing anything about the contents. The negotiation of the SSL connection happens over this tunnel, and the subsequent flow of requests and responses is completely opaque to the proxy. That's easy to understand, but it seems there is no need for the proxy to hack https, so why do some Man-In-The-Middle proxies like squid make a great effort to intercept this https traffic? What kind of use case would use this intercept function?

2. For transparent mode, as I understand it (please correct me if I'm wrong), because the destination hostname/IP is omitted in the CONNECT request, the routing mechanism that performed the redirection keeps track of the original destination; the transparent proxy fetches the original destination from the routing mechanism, then performs the same process as when explicitly using a proxy above. So for my scenario, it seems there is also no reason to use interception to hack https in transparent mode. Why doesn't squid just act as a forwarder to set up a tunnel for https communication between server and client? What is the point of making a big effort to intercept and create a fake certificate?

Best regards.
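The CONNECT tunnel described in question 1, as an added example that is not part of the original post and is not Squid code: it shows what a forwarding proxy can read from the client's byte stream (the target host and port, plus the unencrypted 5-byte TLS record header) and nothing of the HTTP exchanged inside. The function names and the sample bytes are constructed for illustration.

```python
# Added illustration: the view a tunnelling (non-intercepting) proxy has of a
# CONNECT session. Function names and sample bytes are constructed.

TLS_RECORD_TYPES = {20: "change_cipher_spec", 21: "alert",
                    22: "handshake", 23: "application_data"}

def parse_connect(head: bytes):
    """Parse a CONNECT request head and return (host, port)."""
    request_line = head.split(b"\r\n", 1)[0].decode("ascii")
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/"):
        raise ValueError("not a CONNECT request")
    host, _, port = parts[1].rpartition(":")
    if not host or not port.isdigit():
        raise ValueError("CONNECT target must be host:port")
    return host.strip("[]"), int(port)  # brackets wrap IPv6 literals

def describe_tunnel_bytes(data: bytes):
    """Interpret only the 5-byte TLS record header; the payload stays opaque."""
    if len(data) < 5 or data[0] not in TLS_RECORD_TYPES or data[1] != 3:
        return {"tls": False}
    return {"tls": True,
            "record": TLS_RECORD_TYPES[data[0]],
            "length": int.from_bytes(data[3:5], "big")}

def proxy_view(stream: bytes):
    """Return everything the proxy learns from the client's byte stream."""
    head, sep, tunnelled = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    host, port = parse_connect(head)
    return {"host": host, "port": port, **describe_tunnel_bytes(tunnelled)}

# Constructed sample: a CONNECT head followed by a TLS handshake record header
# and 4 payload bytes. A real client waits for the proxy's 200 response before
# sending TLS; the two parts are concatenated here only to keep the demo short.
SAMPLE = (b"CONNECT example.com:443 HTTP/1.1\r\n"
          b"Host: example.com:443\r\n\r\n"
          + bytes([0x16, 0x03, 0x01, 0x00, 0x04]) + b"\x01\x00\x00\x00")

if __name__ == "__main__":
    print(proxy_view(SAMPLE))
```
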