Transparent Squid via Splice = Intermittent SSL Connectivity Failures
-
I set up Squid as below, with no caching. The environment is two heavy users and about 50 IoT devices, on 2.6.0-RELEASE (amd64) FreeBSD 12.3-STABLE.
Intermittently I get errors like:
This site can’t provide a secure connection
www.aliexpress.com sent an invalid response.
Try running Windows Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR
Access log simply shows:
1676158285.661 0 192.168.0.101 NONE/409 4034 CONNECT www.aliexpress.us:443 - HIER_NONE/- text/html
1676158285.661 0 192.168.0.101 NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- -
1676158285.662 0 192.168.0.101 NONE/200 0 CONNECT 104.69.113.196:443 - HIER_NONE/- -
1676158285.663 0 192.168.0.101 NONE/409 4034 CONNECT www.aliexpress.us:443 - HIER_NONE/- text/html
1676158285.663 0 192.168.0.101 NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- -
1676158285.664 0 192.168.0.101 NONE/200 0 CONNECT 104.69.113.196:443 - HIER_NONE/- -
If I wait and check later, it usually works. I progressively increased SSL Certificate Daemon Children to 200, but it seems to have brought only moderate improvement. I also tried Modern and Intermediate, key size, etc. I tried a few other tips and searched posts, but nothing has resolved it.
There are many posts and tutorials to support that the certificate does not need to be added to the user store.
Any tips?
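As an added example (not part of the original post or of Squid itself), here is a small parser for the access-log lines quoted above. In Squid, NONE/409 on an intercepted CONNECT is the status returned by its host-verification check when the hostname (taken from the SNI during peek) does not resolve, from Squid's point of view, to the address the client actually connected to; the 4034-byte text/html body is Squid's error page, which the browser then reports as ERR_SSL_PROTOCOL_ERROR because it expected a ServerHello. The script pairs each 409 CONNECT with the bare-IP CONNECT logged for the same client within a few milliseconds, which in a splice is the intercepted connection's original destination, and counts (hostname, IP) pairs so that this failure mode can be separated from genuine TLS errors. The sample log is constructed from the six lines in the post; the file path argument and the 50 ms pairing window are assumptions.

```python
import sys
from collections import Counter

# Constructed sample input: the six native-format access.log lines quoted in the post.
# In practice read Squid's real log (e.g. /var/squid/logs/access.log) instead.
SAMPLE_LOG = """\
1676158285.661      0 192.168.0.101 NONE/409 4034 CONNECT www.aliexpress.us:443 - HIER_NONE/- text/html
1676158285.661      0 192.168.0.101 NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- -
1676158285.662      0 192.168.0.101 NONE/200 0 CONNECT 104.69.113.196:443 - HIER_NONE/- -
1676158285.663      0 192.168.0.101 NONE/409 4034 CONNECT www.aliexpress.us:443 - HIER_NONE/- text/html
1676158285.663      0 192.168.0.101 NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- -
1676158285.664      0 192.168.0.101 NONE/200 0 CONNECT 104.69.113.196:443 - HIER_NONE/- -
"""


def parse_native_log(text):
    """Yield one dict per well-formed native-format access.log line; skip anything else."""
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) != 10:          # native format has exactly ten whitespace-separated fields
            continue
        ts, _dur, client, code_status, nbytes, method, url, _user, _hier, ctype = parts
        code, _, status = code_status.partition("/")   # e.g. "NONE/409" -> ("NONE", "409")
        yield {"ts": float(ts), "client": client, "code": code, "status": status,
               "bytes": int(nbytes), "method": method, "url": url, "ctype": ctype}


def _is_ipv4(s):
    octets = s.split(".")
    return len(octets) == 4 and all(o.isdigit() and 0 <= int(o) <= 255 for o in octets)


def _host_of(url):
    # CONNECT targets are logged as host:port; drop the port.
    return url.rsplit(":", 1)[0]


def find_host_verify_failures(text, window=0.05):
    """Return (client, sni_host, dest_ip) for every NONE/409 CONNECT in the log.

    dest_ip is the bare-IP CONNECT logged for the same client within `window`
    seconds (assumed 50 ms), or None if no such line follows.
    """
    entries = list(parse_native_log(text))
    hits = []
    for i, e in enumerate(entries):
        if e["method"] != "CONNECT" or e["status"] != "409":
            continue
        sni_host = _host_of(e["url"])
        dest_ip = None
        for later in entries[i + 1:]:
            if later["ts"] - e["ts"] > window:
                break
            if (later["client"] == e["client"] and later["method"] == "CONNECT"
                    and _is_ipv4(_host_of(later["url"]))):
                dest_ip = _host_of(later["url"])
                break
        hits.append((e["client"], sni_host, dest_ip))
    return hits


def summarize(hits):
    """Count how often each (sni_host, dest_ip) pair failed host verification."""
    return Counter((host, ip) for _, host, ip in hits)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for (host, ip), n in summarize(find_host_verify_failures(text)).most_common():
        print(f"{n:5d}  {host:40s}  {ip}")
```

Run it against a real access.log to see which hostnames are rejected and which destination addresses they were intercepted to; a hostname that keeps showing up with changing CDN addresses is a strong hint that the 409s come from Squid's host verification rather than from the remote site's TLS.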
-
@the_boss you will need to whitelist the domain. It’s possible there is certificate pinning going on.
-
@michmoor said in Transparent Squid via Splice = Intermittent SSL Connectivity Failures:
@the_boss you will need to whitelist the domain. It’s possible there is certificate pinning going on.
I see, thanks. It is my understanding that Peek/Splice has no issue with pinning, and only Bump does, no?
The quantity of things getting blocked randomly would make any whitelisting insurmountable. Others seem to report no challenges with Splice.