Re: [squid-users] Fwd: certificate name mismatch

From: Alex Rousskov <>
Date: Mon, 16 Jun 2014 10:26:40 -0600

On 06/15/2014 12:31 PM, Douglas Davenport wrote:

> Interesting, I thought bump server first solved this type of problem.

In server-first bumping, Squid just mimics whatever certificate the
server responds with. If the server responds with the "wrong"
certificate, Squid mimics that.

> I wonder how is google serving different certs for vs
> at the same IP is this SNI. Is that something squid is
> likely to support one day?

It sounds like SNI could indeed be involved here. IIRC,
bump-server-first does not forward SNI to the origin server because
Squid does not know the client SNI at server bumping time.

Consider trying SSL Peek and Splice. I am not 100% sure it forwards SNI
today, but that feature builds the necessary [complex!] infrastructure
to do so:



>> On 06/13/2014 09:56 PM, Douglas Davenport wrote:
>>> I have squid 3.3.10 setup with sslbump working for all sites except
>>> when a user tries to type in For some reason the browser
>>> complains about certificate name mismatch. On examination the
>>> generated cert is actually for Apparently google is
>>> redirecting but why does this error happen only with sslbump. Anyone
>>> else have this issue, workarounds?
>>> Thanks in advance!
