On 04/28/2016 02:32 PM, Markey, Bruce wrote:

> I’ve been having to actually remove folks from the proxy so they could work.
> I can’t deny users access to the sites they need.
> all I really wanted was to keep stats on sites visited.

Yours and many other passive monitoring use cases call for a non-intrusive or "stealth" splice. No TLS version enforcement, no [fatal] certificate validation errors, no errors returned to the user, just domain name logging and splicing. Supporting this stealthy mode requires a lot of work, and there is currently no sponsor to get us all the way to that goal, but I am optimistic that we will eventually get there.

The automated certificate fetching (bug #4305) still needs to be supported, of course. It is a separate issue.

Meanwhile, besides manually adding untrusted certificates as has been recommended by others, consider limiting peeking to step1 [in some cases]. This way, Squid will not see and validate the server certificate. If most of your traffic has SNI, and users are not trying to defeat your monitoring, then the logs may still contain enough info to produce the stats you want, even without seeing certificates.

HTH,

Alex.
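
The step1-only peeking suggested in the message above, sketched as a squid.conf fragment. This is an added example, not configuration from the original post or from the Squid project. It assumes a Squid 3.5 or later build with SslBump support and an already configured ssl-bump listening port; the format name `snistats` and the log path are placeholders.

```conf
# Added example (not from the original message). Assumes an existing
# http_port/https_port line with ssl-bump enabled.

# SslBump1 is the first bumping step: only TCP-level information and,
# after peeking, the TLS client hello (including SNI) are available.
acl step1 at_step SslBump1

# Peek at the client hello during step1 to learn the SNI ...
ssl_bump peek step1

# ... then splice every connection at the next step. Squid tunnels the
# TLS session unchanged and never reaches the step where it would
# receive and validate the server certificate.
ssl_bump splice all

# Record the SNI and the bumping decision for each connection so that
# per-site statistics can be built from the log.
# "snistats" is a hypothetical format name; the path is a placeholder.
logformat snistats %ts.%03tu %>a %ssl::>sni %ssl::bump_mode %rm %ru
access_log daemon:/var/log/squid/sni.log snistats
```

Connections from clients that send no SNI will log `-` in the SNI column, so the resulting stats cover only traffic that carries SNI, as the message notes.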