On 08/03/2016 08:45 AM, Stanford Prescott wrote:

> ssl_bump none localhostgreen
> ssl_bump peek tls_s1_connect all
> ssl_bump splice tls_s2_client_hello tls_to_splice
> ssl_bump stare tls_s2_client_hello all
> ssl_bump bump tls_s3_server_hello all

AFAICT, the above is too complex. You can simplify it with:

  ssl_bump splice localhostgreen
  ssl_bump peek tls_s1_connect
  ssl_bump splice tls_to_splice
  ssl_bump stare all
  ssl_bump bump all

and, after polishing your ACLs a little, possibly even with:

  ssl_bump splice transactions_to_splice
  ssl_bump peek tls_s1_connect
  ssl_bump stare all
  ssl_bump bump all

where transactions_to_splice is "localhostgreen or (tls_s2_client_hello and tls_to_splice)".

As for your original question, I recommend figuring out why Squid cannot verify the peer. For example, your setup might be missing fresh certificates for some well-known Root CAs. I do not know a good way to figure out why peer verification does not work, but analyzing cache.log with high-enough debugging level should be doable, especially if you can reproduce the problem using a single transaction:

http://wiki.squid-cache.org/SquidFaq/BugReporting#Debugging_a_single_transaction

HTH,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
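The following squid.conf fragment is an added example, not part of Alex's reply or of the Squid project's documentation. It spells out the "polished" ACLs that make the shortest rule set above work: the three at_step ACLs, a placeholder for the original localhostgreen ACL (the 192.168.1.0/24 network is an assumption), an SNI-based splice list (the file path is an assumption), and the combined transactions_to_splice ACL built with Squid's all-of/any-of operators. The sslproxy_cafile line and the debug_options line are also assumptions: Squid 3.5-era directive names and the Debian/Ubuntu CA bundle path; Squid 4 moved the CA setting to tls_outgoing_options.

```conf
# Added example; assumes Squid 3.5-era syntax. Placeholder values are marked.

# SslBump step ACLs (at_step is a built-in ACL type).
acl tls_s1_connect      at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3

# Placeholder for the original "localhostgreen" ACL (assumed network).
acl localhostgreen src 192.168.1.0/24

# Servers to splice, matched on the SNI from the ClientHello. The SNI only
# exists once step 2 has been reached, which is why step 1 must be peeked
# before any server_name-based rule can match. (Assumed list file path.)
acl tls_to_splice ssl::server_name "/etc/squid/splice_domains.txt"

# transactions_to_splice = localhostgreen or (tls_s2_client_hello and tls_to_splice)
# all-of stops at the first non-matching member, so ssl::server_name is
# not consulted at step 1, where there is no SNI yet.
acl splice_at_step2        all-of tls_s2_client_hello tls_to_splice
acl transactions_to_splice any-of localhostgreen splice_at_step2

ssl_bump splice transactions_to_splice
ssl_bump peek   tls_s1_connect
ssl_bump stare  all
ssl_bump bump   all

# Peer verification: give Squid a current root-CA bundle. The path is the
# Debian/Ubuntu location (assumption); sslproxy_cafile is the 3.x directive.
sslproxy_cafile /etc/ssl/certs/ca-certificates.crt

# When reproducing a single failing transaction, temporarily raise the
# TLS-related debug section (83 in Squid's section list) and watch cache.log.
# debug_options ALL,1 83,5
```

Evaluation order matters here: at step 1 only localhostgreen can match the first rule, so every other client is peeked; at step 2 the SNI is known and the splice decision for tls_to_splice is made; anything left is stared at and then bumped at step 3, which is where a failed peer verification would surface in cache.log.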