The config you have is doing client-first bumping (bump at step). It happens before the real cert or server details are available. As such any number of TLS features or extensions may be missing (or added) by squid that indicate problems to the browser.
If you can use a config the peek/stare/splice at the step 1-2 and bump only at step it may work better.
If you require this config, or have issues even with a step bump you will need to trace the TLS details being negotiated on both squid-browser and squid-server connections.
Amos
Amos
-------- Original message --------
From: Dieter Bloms <squid.org@xxxxxxxx>
Date: Thu, 21 Jan 2021, 00:25
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: [squid-users] chromium based browsers don't play a video, when sslbump is enabled
Hello,
I use squid 4.13 with enabled sslbump.
Chromium based browsers like chrome and edge don't play this video
https://admin.wissen-ad.de/storage/TEST/Big_Buck_Bunny_1080_10s_30MB.mp4
The firefox browser and the old internet explorer have no problems.
When I disable sslbumping for this destination the chromium based
browsers work as well.
Here are some parts of my config:
--snip--
http_port MYIP:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cert.pem key=/etc/squid/key.pem tls-dh=/etc/squid/dhparams.pem
sslcrtd_program /usr/sbin/security_file_certgen -s /var/cache/squid/sslcert_db -M 32MB
sslcrtd_children 32 startup=10 idle=3
tls_outgoing_options capath=/etc/ssl/certs min-version=1.2
tls_outgoing_options cipher=TLSv1.2:+aRSA:+SHA384:+SHA256:+DH:-kRSA:!PSK:!eNULL:!aNULL:!DSS:!AESCCM:!CAMELLIA:!ARIA:AES256-SHA:AES128-SHA:@SECLEVEL=1
acl nobumping dstdomain "/etc/squid/nohttpsscan.domains"
ssl_bump splice nobumping
ssl_bump bump all
--snip--
with wget or curl I can download the mp4 file in both cases (with and without sslbump)
Can anybody try to view the video in a chromium based browser with enabled sslbump ?
Thank you very much.
--
Regards
Dieter
--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
