Alex, I am using the next stare rule: acl tls_s1_connect at_step SslBump1 acl tls_s2_client_hello at_step SslBump2 acl tls_s3_server_hello at_step SslBump3 ssl_bump stare tls_s2_client_hello Which I am not sure about. For now this issue seems to be gone. I don't know why or how but it seems that some IP rotation is happening as we speak/write. The IP address my service was accessing is different then the one now so I think what Amos wrote is probably the real reason, ie that the service certificate was for another service CN/DNS Name. While it's ok for the windows client it's not OK for Squid and any other SNI based certificate validator. Thanks Helped and Helps, Eliezer ---- Eliezer Croitoru Tech Support Mobile: +972-5-28704261 Email: ngtech1ltd@xxxxxxxxx Zoom: Coming soon -----Original Message----- From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Alex Rousskov Sent: Tuesday, January 12, 2021 5:15 PM To: Squid Users <squid-users@xxxxxxxxxxxxxxxxxxxxx> Subject: Re: Microsoft store issues with ssl-bump On 1/12/21 7:42 AM, Amos Jeffries wrote: > IIRC latest Squid force the client to TLS/1.2 when > preparing to bump, but may not for spliceand stare. So YMMV. FTR: Bugs notwithstanding, modern Squid changes nothing on TLS level when peeking, splicing, and/or terminating. Squid changes TLS bytes when staring and/or bumping. Alex. _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
