Thanks, Guy.
I�m almost tempted to just ssl_bump none for 23.0.0.0/12, but I�m sure that would lead to all sorts of annoyances for clients who are tracking users download usage etc.
I�d appreciate if you could share your list of IP addresses, might be useful for us.
Dan
On 7 Apr 2014, at 11:23 pm, Guy Helmer <ghelmer_at_palisadesystems.com> wrote:
> On Apr 6, 2014, at 11:58 PM, Dan Charlesworth <dan_at_getbusi.com> wrote:
>
>> This somewhat vague error comes up with relative frequency from iOS apps when browsing via our Squid 3.4.4 intercepting proxy which is performing server-first SSL Bumping.
>>
>> The requests in question don�t make it as far as the access log, but with debug_options 28,3 26,3, the dst IP can be identified and allowed through with ssl_bump none.
>>
>> The device trusts Squid's CA, but apparently that�s not enough for the Twitter iOS app and certain Akamai requests that App Store updates use.
>>
>> Can anyone suggest how one might debug this further? Or just an idea of why the client might be closing the SSL connection in certain cases?
>>
>> Thanks!
>>
>>
>
> I suspect that the Twitter app is using certificate pinning to prevent man-in-the-middle decryption: https://dev.twitter.com/docs/security/using-ssl
>
> IIRC, I have had some difficulty tracking down or obtaining intermediate certs that Akamai uses. I ended up whitelisting many Akamai IP addresses from SSL interception on my test network.
>
> Guy
Received on Mon Apr 07 2014 - 23:34:57 MDT
This archive was generated by hypermail 2.2.0 : Wed Apr 09 2014 - 12:00:05 MDT