[Privoxy-users] Unexpected PKI Behavior With CONNECT to Sites that Have HTTPS Inspection Disabled, Client Trust Not Used
Steven Smith
steve.t.smith at gmail.com
Fri Oct 15 00:35:24 UTC 2021
I observe this unexpected behavior with Privoxy’s HTTP Inspection and would like to confirm before I submit a tracker issue at https://sourceforge.net/p/ijbswa/bugs/.
When I disable https-inspection for certain websites, e.g.
> # No HTTPS Inspection on these websites
> {-https-inspection}
> .apple.com
> .icloud.com
I observe that clients attempting a CONNECT to these sites through Privoxy fail with TLS errors if the destination’s Root CA is not included in Privoxy’s trustedCAs.pem.
I believe that sites that match the -https-inspection rule should use the client’s chain of trust, not Privoxy’s trustedCAs.pem.