Yeah, pinned SSL ain't gonna be bumped. The Twitter apps are another popular 
one that uses pinning.

As far as your broken_sites ACL goes, you can’t use `dstdomain` because the 
only thing Squid can see of the destination before bumping an intercepted 
connection is the IP address. So for `ssl_bump none` you'll need to use 
`dst` ACLs instead.

ProTip: Here are the Apple and Akamai public IP blocks (to use in a dst 
equivalent of your broken_sites), respectively: 17.0.0.0/8, 23.0.0.0/12.

Good luck

On 30 Jun 2014, at 10:38 pm, James Lay <[email protected]> wrote:

> Topic pretty much says it...most sites work fine using my below set up,
> but some (Apple's app store) do not.  I'm wondering if cert pinning is
> the issue?  Since this set up is basically two separate sessions, I
> packet captured both.  The side that I have control over gives me a TLS
> Record Layer Alert Close Notify.  I am unable to decrypt the other side
> as the device in question is an iDevice and I can't capture the master
> secret.
> 
> I've even tried to ACL certain sites to not bump, but they don't go
> through.  Below is my complete setup.  This is running the below:
> 
> Squid Cache: Version 3.4.6
> configure options:  '--prefix=/opt' '--enable-icap-client'
> '--enable-ssl' '--enable-linux-netfilter'
> '--enable-follow-x-forwarded-for' '--with-large-files'
> '--sysconfdir=/opt/etc/squid'
> 
> 
> Any assistance with troubleshooting would be wonderful...thank you.
> 
> James
> 
> 
> 
> $IPTABLES -t nat -A PREROUTING -i eth0 -s 192.168.1.96/28 -p tcp --dport
> 80 -j REDIRECT --to-port 3128
> $IPTABLES -t nat -A PREROUTING -i eth0 -s 192.168.1.96/28 -p tcp --dport
> 443 -j REDIRECT --to-port 3129
> 
> 
> acl localnet src 192.168.1.0/24
> 
> acl SSL_ports port 443
> acl Safe_ports port 80                # http
> acl Safe_ports port 21                # ftp
> acl Safe_ports port 443               # https
> acl Safe_ports port 70                # gopher
> acl Safe_ports port 210               # wais
> acl Safe_ports port 1025-65535        # unregistered ports
> acl Safe_ports port 280               # http-mgmt
> acl Safe_ports port 488               # gss-http
> acl Safe_ports port 591               # filemaker
> acl Safe_ports port 777               # multiling http
> 
> acl CONNECT method CONNECT
> acl broken_sites dstdomain textnow.me
> acl broken_sites dstdomain akamaiedge.net
> acl broken_sites dstdomain akamaihd.net
> acl broken_sites dstdomain apple.com 
> acl allowed_sites url_regex "/opt/etc/squid/url.txt"
> acl all_others dst all
> acl SSL method CONNECT
> 
> 
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> 
> http_access allow manager localhost
> http_access deny manager
> 
> http_access allow allowed_sites
> http_access deny all_others 
> http_access allow localnet
> http_access allow localhost
> 
> http_access deny all
> icp_access deny all
> 
> sslproxy_cert_error allow broken_sites
> sslproxy_cert_error deny all
> 
> sslproxy_options ALL
> ssl_bump none broken_sites
> ssl_bump server-first all
> 
> http_port 192.168.1.253:3128 intercept 
> https_port 192.168.1.253:3129 intercept ssl-bump
> generate-host-certificates=on cert=/opt/sslsplit/sslsplit.crt
> key=/opt/sslsplit/sslsplitca.key options=ALL sslflags=NO_SESSION_REUSE
> 
> always_direct allow all
> 
> 
> hierarchy_stoplist cgi-bin ?
> 
> access_log syslog:daemon.info common
> 
> refresh_pattern ^ftp:         1440    20%     10080
> refresh_pattern ^gopher:      1440    0%      1440
> refresh_pattern -i (cgi-bin|\?)       0       0%      0
> refresh_pattern .             0       20%     4320
> 
> icp_port 3130
> 
> coredump_dir /opt/var
> 
> 
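The point of the reply above is that, before an intercepted TLS connection is bumped, Squid knows only the destination IP, so a `dstdomain` entry in `broken_sites` can never match at the `ssl_bump` step while a `dst` entry can. The following is an added example written for this thread, not code from the thread or from the Squid project: a small model that parses a squid.conf fragment with `acl ... dst`, `acl ... dstdomain` and `ssl_bump` lines and evaluates the first matching rule for a connection where only the IP is known. The fragments, IPs and the fallback action are constructed or assumed; the two CIDRs are the ones quoted in the reply and are not verified here.

```python
"""Model of how Squid evaluates `ssl_bump` ACLs for an intercepted connection.

Added example, not code from the thread or from the Squid project. It assumes
a simplified squid.conf grammar: `acl NAME dst CIDR...`, `acl NAME dstdomain
DOMAIN...`, `ssl_bump ACTION ACLNAME`, plus the built-in `all` ACL.
"""
from ipaddress import ip_address, ip_network

# Constructed fragment: the reply's suggestion applied to broken_sites, with
# `dst` prefixes for Apple and Akamai (CIDRs as quoted in the reply).
FIXED_CONF = """
acl broken_sites dst 17.0.0.0/8
acl broken_sites dst 23.0.0.0/12
acl broken_sites dstdomain textnow.me
ssl_bump none broken_sites
ssl_bump server-first all
"""

# Constructed fragment in the shape of the original post: dstdomain only.
ORIGINAL_CONF = """
acl broken_sites dstdomain apple.com
ssl_bump none broken_sites
ssl_bump server-first all
"""


def parse_conf(conf):
    """Return (acls, rules).

    acls maps ACL name -> {"dst": [IPv4Network...], "dstdomain": [str...]}.
    rules is the ordered list of (action, acl_name) from ssl_bump lines.
    """
    acls = {}
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4:
            name, kind, values = parts[1], parts[2], parts[3:]
            entry = acls.setdefault(name, {"dst": [], "dstdomain": []})
            if kind == "dst":
                entry["dst"].extend(ip_network(v, strict=False) for v in values)
            elif kind == "dstdomain":
                entry["dstdomain"].extend(v.lower() for v in values)
            # other ACL types are outside this model and are ignored
        elif parts[0] == "ssl_bump" and len(parts) == 3:
            rules.append((parts[1], parts[2]))
    return acls, rules


def domain_matches(pattern, host):
    """Squid dstdomain semantics: a bare 'example.com' matches only that
    exact host; a leading dot ('.example.com') also matches subdomains."""
    host = host.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_matches(acl, dst_ip, host=None):
    """Evaluate one ACL. For an intercepted TLS connection Squid has only the
    destination IP before bumping, so host is None and the dstdomain entries
    cannot match; only the dst entries are decisive."""
    ip = ip_address(dst_ip)
    if any(ip in net for net in acl["dst"]):
        return True
    if host is not None:
        return any(domain_matches(p, host) for p in acl["dstdomain"])
    return False


def ssl_bump_action(conf, dst_ip, host=None):
    """Return the action of the first matching ssl_bump rule. The fallback
    "none" (do not bump) when no rule matches is an assumption of this model."""
    acls, rules = parse_conf(conf)
    for action, name in rules:
        if name == "all" or (name in acls and acl_matches(acls[name], dst_ip, host)):
            return action
    return "none"


if __name__ == "__main__":
    # Constructed destination IPs; the second is inside 23.0.0.0/12, the third
    # just outside it (23.16.0.0 is the first address beyond that block).
    for ip in ("17.1.2.3", "23.15.1.1", "23.16.0.1"):
        print(ip, "fixed ->", ssl_bump_action(FIXED_CONF, ip),
              "| original ->", ssl_bump_action(ORIGINAL_CONF, ip))
```

Running it shows why the original ACL did not take effect: with `ORIGINAL_CONF` an Apple address is still bumped (`server-first`) because no hostname is available at that step, whereas the same address under `FIXED_CONF` hits `ssl_bump none`. The `dstdomain` entries still work elsewhere in the config (for `http_access` on plain HTTP requests, where the Host header is known), which is why the model only ignores them when `host` is `None`.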
