Hi,

I'm using the SSL transparent method:

    https_port 0.0.0.0:53695 intercept disable-pmtu-discovery=transparent name=MyPortNameID22 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/cb623e9bfc65772f68b84393604cd6ea.dyn
    sslproxy_foreign_intermediate_certs /etc/squid3/intermediate_ca.pem
    sslcrtd_program /lib/squid3/ssl_crtd -s /var/lib/squid/session/ssl/ssl_db -M 8MB
    sslcrtd_children 16 startup=5 idle=1
    acl ssl_step1 at_step SslBump1
    acl ssl_step2 at_step SslBump2
    acl ssl_step3 at_step SslBump3
    ssl_bump peek ssl_step1
    ssl_bump splice all
    sslproxy_flags DONT_VERIFY_PEER
    sslproxy_cert_error allow all

As you can see, Squid just intercepts SSL queries and bumps nothing (just to filter connections from the url_rewrite program and log SSL connections).

When connecting to mozilla.org using transparent mode, we receive this error:

    * About to connect() to www.mozilla.org port 443 (#0)
    * Trying 104.16.41.2...
    * connected
    * Connected to www.mozilla.org (104.16.41.2) port 443 (#0)
    * successfully set certificate verify locations:
    * CAfile: none
      CApath: /etc/ssl/certs
    * SSLv3, TLS handshake, Client hello (1):
    * error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
    * Closing connection #0
    curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

And the Squid access.log:

    1485110919.564 3 192.168.1.236 TAG_NONE/403 6263 CONNECT 104.16.41.2:443 - HIER_NONE/- text/html

When using Squid on the standard port (connected port/TUNNEL), mozilla is correctly displayed without any error.

How can I whitelist mozilla.org without creating a bypass iptables rule?

Best regards