[squid-users] getting sslbump cert errors on major sites

Tom Harris thom.j.harris at gmail.com
Fri Oct 3 03:14:36 UTC 2014


I set up an ssl-bump squid recently and noticed some bump issues too.

Most sites work fine (e.g. Google and Twitter using HTTPS). But I get
errors with Facebook.com, and it only happens in Mac OS X Chrome; Windows
Chrome works fine.

Chrome refuses to load the site, and in certificate details it says "This
certificate cannot be used (unrecognized critical extension)".

In the detail view, the critical extensions are:

Key Usage.   Data = A8
Basic Constraints.  Certificate Authority = No

In the Windows certificate details, the same extensions are present, but
don't cause any issue.
Has anyone else seen this?


On Thu, Oct 2, 2014 at 4:09 PM, Jason Haar <Jason_Haar at trimble.com> wrote:

> Hi there
>
> I'm using sslbump and I just got blocked logging into hotmail for the
> first time (yeah, slumming it ;-)
>
> The cert is for bay181.mail.live.com, and squid is generating a "CN=Not
> trusted by xxxxx" type cert, as I assume it wasn't signed by a CA that
> squid knew about?
>
> I whitelisted live.com (i.e. don't bump it any more) and the problem goes
> away for Firefox.
>
> I'm running Ubuntu 14.04, so does this mean that the db of CAs Ubuntu
> trusts does not include the same CA chain that browsers do?
>
> i.e., I have
>
> http_port 3128 ssl-bump cert=/usr/local/squid/etc/squidCA.cert
> capath=/etc/ssl/certs/
>
> so this means the CAs Ubuntu lists in /etc/ssl/certs/ are "out of date"
> compared with Firefox?
>
> Really a rhetorical question, just kinda wanting to know about where
> sslbump will run into trouble, etc :-)
>
> --
> Cheers
>
> Jason Haar
> Corporate Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>