On Tue, February 25, 2020 06:30, Amos Jeffries wrote:
> On 25/02/20 5:00 am, Walter H. wrote:
>> Hello,
>>
>> can someone explain, why
>> sites as https://dnslytics.com/
>> do not work any more if 'server-first',
>> they only work with 'client-first' why?
>>
>
> Not with the lack of information supplied.
>
> Amos

part of my squid.conf

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

acl nobumpsites ssl::server_name "/etc/squid/sslnobumpsites-acl.squid"

# this doesn't work, my own Site also only with SNI works
ssl_bump peek step1
ssl_bump splice nobumpsites
ssl_bump stare step2
ssl_bump bump all

# this works
#ssl_bump client-first

# this doesn't work with these sites
#ssl_bump server-first

even WGET shows this:

ERROR: no certificate subject alternative name matches

which means that SNI isn't correctly handled, but why and which part of
the chain is causing this?

this problem is since e.g. dnslytics.com got a new SSL certificate this year

Thanks,
Walter