[squid-users] transparent proxy https and self signed certificate error

Robert Watson robert at gillecaluim.com
Mon Oct 13 16:23:44 UTC 2014


Ok, finally got the certificate installed properly and can proxy some https
sites (gmail, google) but I get an error when going to a bank website.....
NET::ERR_CERT_COMMON_NAME_INVALID
when I created the certificate, I purposefully left the common name blank
as per several articles on ssl_bump.  So I'm assuming it's complaining
about the CN generated by squid/ssl_bump?

On Mon, Oct 13, 2014 at 9:22 AM, Robert Watson <robert at gillecaluim.com>
wrote:

> Ok, finally got the certificate installed properly and can proxy some
> https sites (gmail, google) but I get an error when going to a bank
> website.....
> NET::ERR_CERT_COMMON_NAME_INVALID
> when I created the certificate, I purposefully left the common name blank
> as per several articles on ssl_bump.  So I'm assuming it's complaining
> about the CN generated by squid/ssl_bump?
>
>
>
> On Mon, Oct 6, 2014 at 12:39 AM, Amos Jeffries <squid3 at treenet.co.nz>
> wrote:
>
>>
>> On 6/10/2014 4:24 p.m., Robert Watson wrote:
>> > Still trying to get this working.  To eliminate the self signed
>> > certificate issue, I got an official signed certificate from
>> > Starfield Tech. LLC. They've sent two certificates but I'm unsure
>> > how to use these certificates since the ssl_bump parameters only
>> > have one certificate as a parameter
>>
>> The CA is very unlikely to be issuing you certificates capable of use
>> in Squid in the way intended. It is illegal for a trusted root CA to
>> do so in the country they are registered. Besides that it is downright
>> foolish for them to give up their trust reputation. Look at what
>> happened to DigiNotar.
>>
>> The point of self-signed is that _your Squid_ is the root CA signer.
>>
>> The ssl-bump feature in current Squid makes parameter cert= take the
>> self-signed CA certificate in PEM format. Squid generates the rest of
>> the certificate chain as necessary.
>>
>> >
>> > On Sun, Oct 5, 2014 at 8:52 AM, Eliezer Croitoru wrote:
>> >
>> > On 10/05/2014 01:22 PM, Amos Jeffries wrote:
>> >>>> MSIE 11 seems to be growing in popularity for some reason
>> >>>> ;-)
>> >>>>
>> >>>> Amos
>> >
>> > And Still there is:
>> > http://bugs.squid-cache.org/show_bug.cgi?id=4115
>> >
>> > For now I am using ssl_crtd of 3.4.5 for google ssl bump to work.
>> >
>> > Eliezer
>>
>> Amos
>>
>
>
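The steps Amos describes above (a self-signed CA in one PEM file handed to cert=, with Squid signing per-host leaf certificates from it), as an added example that is not code from the thread or from the Squid project: it builds such a CA with openssl, checks that it is usable as a CA and has a non-blank CN, signs a leaf for one host the way Squid would, and validates that leaf as a browser does. $WORK, the CA subject and the host names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Creates the self-signed CA PEM that
# Squid's ssl_bump cert= parameter takes, checks it really is a CA, then signs
# a per-host leaf with it (what Squid does on the fly) and validates that leaf
# as a client would. $WORK and the names used are placeholders.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Self-signed CA with CA:TRUE and a non-empty CN; key and cert are
# concatenated because cert= expects both in one PEM file.
make_bump_ca() {
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\n' > "$WORK/ca.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >> "$WORK/ca.cnf"
  openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORK/ca.cnf" -subj "/O=Example Org/CN=Example Squid Bump CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  cat "$WORK/ca.key" "$WORK/ca.crt" > "$WORK/squid-ca.pem"
}

# Sanity checks on the PEM: exactly one certificate, a private key, CA:TRUE,
# and a CN that is not blank.
check_bump_ca() {
  [ "$(grep -c 'BEGIN CERTIFICATE' "$WORK/squid-ca.pem")" = 1 ] || return 1
  grep -q 'PRIVATE KEY' "$WORK/squid-ca.pem" || return 1
  openssl x509 -in "$WORK/squid-ca.pem" -noout -text | grep -q 'CA:TRUE' || return 1
  openssl x509 -in "$WORK/squid-ca.pem" -noout -subject | grep -q 'CN *= *[^ ,]' || return 1
}

# Leaf certificate for one host, signed by the CA, with the host in
# subjectAltName; this stands in for the certificate Squid generates.
make_leaf() {
  host="$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/ca.cnf" \
    -subj "/CN=$host" -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" > "$WORK/$host.ext"
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/$host.ext" \
    -out "$WORK/$host.crt" 2>/dev/null
}

# Client-side view: the chain must verify against the CA and the requested
# hostname must appear in the leaf's subjectAltName, otherwise the browser
# reports a name mismatch even though the CA itself is trusted.
verify_leaf() {
  cert="$WORK/$1.crt"; host="$2"
  openssl verify -CAfile "$WORK/ca.crt" "$cert" >/dev/null 2>&1 || return 1
  openssl x509 -in "$cert" -noout -text | grep -Eq "DNS:$host(,|$)"
}
```

Point cert= at "$WORK/squid-ca.pem" and import "$WORK/ca.crt" (never the .pem with the key) into the client trust store.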