On 11/12/2015 04:47 PM, Amos Jeffries wrote:
> On 13/11/2015 8:12 a.m., Alex Rousskov wrote:
>> On 11/12/2015 11:31 AM, Tom Mowbray wrote:
>>> acl sslallow ssl::server_name "/path/to/file"
>>> ssl_bump peek all
>>> ssl_bump splice sslallow
>>> ssl_bump terminate all

> I am wondering if this is all a misunderstanding of what happens when a
> peek is being done at step2 / server cert details ?
>
> I think this ordering better matches the policy:
>
> ssl_bump splice sslallow
> ssl_bump peek all
> ssl_bump terminate all

This order will reduce the number of SSL validation errors (if any)
because splicing will often happen before step3 with this order, but it
cannot solve the actual problem IMO (only mask it and/or make it less
frequent).


On 11/12/2015 12:48 PM, Tom Mowbray wrote:
> We have squid set to "deny all" on certificate error.

Which instructs Squid to bump SSL connections that have certificate
validation or similar SSL errors (from Squid point of view).


> I don't see anything strange in the access log, just the initial CONNECT request

If there was an SSL validation error, Squid should reply with 200 OK to
the CONNECT but also log SSL validation error details (on the same
access.log line as the CONNECT transaction). Please add %err_code,
%err_detail, and %ssl::<cert_errors to your access.log format line (if
not already there) and see if they give any clues.


HTH,

Alex.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
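
An added example, not part of the original message or of Squid itself: once the three format codes suggested above are appended to the access.log format, a short script can pick out the CONNECT transactions that carry SSL error details. The logformat name "sslerr", the log path, the "-" placeholder for empty fields and the sample lines are all assumptions made for illustration.

```python
# Added example. Assumes squid.conf contains (name "sslerr" and the path are illustrative):
#   logformat sslerr %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %err_code %err_detail %ssl::<cert_errors
#   access_log /var/log/squid/access.log sslerr
from collections import defaultdict

FIELDS = ("ts", "elapsed", "client", "status", "bytes", "method", "url",
          "user", "peer", "mime", "err_code", "err_detail", "cert_errors")

# Constructed sample lines, not taken from a real log.
SAMPLE_LOG = """\
1447371000.123    210 192.0.2.10 TCP_TUNNEL/200 5120 CONNECT allowed.example.com:443 - HIER_DIRECT/198.51.100.7 - - - -
1447371001.456     95 192.0.2.11 NONE/200 0 CONNECT mismatch.example.net:443 - HIER_DIRECT/198.51.100.8 - ERR_SECURE_CONNECT_FAIL SQUID_X509_V_ERR_DOMAIN_MISMATCH SQUID_X509_V_ERR_DOMAIN_MISMATCH
1447371002.789     12 192.0.2.10 TCP_MISS/200 880 GET http://plain.example.org/ - HIER_DIRECT/198.51.100.9 text/html - - -
"""


def parse_line(line):
    """Split one access.log line into named fields, or None if it does not fit."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None  # written with a different logformat, or truncated
    return dict(zip(FIELDS, parts))


def connect_ssl_errors(log_text):
    """Map CONNECT destination -> set of (err_code, err_detail, cert_errors)."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        details = (rec["err_code"], rec["err_detail"], rec["cert_errors"])
        # Assumed here: a field with no value is logged as "-".
        if any(value != "-" for value in details):
            found[rec["url"]].add(details)
    return dict(found)


if __name__ == "__main__":
    for dest, errors in connect_ssl_errors(SAMPLE_LOG).items():
        for err in sorted(errors):
            print(dest, *err)
```

A destination that shows up here while also being listed in the sslallow file is one that reached certificate validation before being spliced, which is the case the rule ordering above affects.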