[squid-users] Re: squid/sslbump + IE9

From: Sean Boran <sean_at_boran.com>
Date: Fri, 2 Dec 2011 10:52:47 +0100


I'm testing squid v3 with SSL interception (the interception is to do
AV checking with icap) in routing mode.
Sslbump/dynamic certs are configured. A self-signed cert is used on
the proxy, and installed as a ca on browsers.

https to several sites (such as Gmail.com boi.com) works with FF
(although FF is initially much slower); but gives errors in IE9
"Internet Explorer blocked this website from displaying content with
security certificate errors"

Clicking on the lock icon shows the certificate with name
accounts.google.com and signed by myproxy.com, which is fine. So why
is IE not happy?

In the squid logs:
 NONE/000 0 CONNECT accounts.google.com:443 - HIER_NONE/- -
TCP_MISS/200 9497 GET https://accounts.google.com/ServiceLogin? -
HIER_DIRECT/ text/html
NONE/000 0 CONNECT ssl.google-analytics.com:443 - HIER_NONE/- -
 NONE/000 0 CONNECT mail.google.com:443 - HIER_NONE/- -
NONE/000 0 CONNECT ssl.gstatic.com:443 - HIER_NONE/- -
TCP_MISS/200 1301 POST

Is IE9 fussier that other browsers regarding SSL?

Any tips/best practices to get SSL interception running smoothly ? :-)


Received on Fri Dec 02 2011 - 09:52:53 MST

This archive was generated by hypermail 2.2.0 : Fri Dec 02 2011 - 12:00:01 MST