[squid-users] Strange behaviour with Chrome (client OS = WinXP x64) ...

Walter H. Walter.H at mathemainzel.info
Sun Feb 1 17:48:24 UTC 2015 

Hello,

can someone please try the following website with Google Chrome - I use 
the latest release: Version 39.0.2171.99 m -

https://banking.ing-diba.at/   (an electronic Banking site)

with the following policy enabled:

RequireOnlineRevocationChecksForLocalAnchors = 1

with this banking site I get the following error from Google Chrome

"Your connection is not private

Attackers might be trying to steal your information from 
banking.ing-diba.at (for example, passwords, messages, or credit cards)."

with the following banking sites of other banks I have no troubles:

https://ebanking.easybank.at/ or
https://banking.raiffeisen.at/

without enabling the policy above or not setting at all, this banking 
site works, but
the symbol it shows differs; it is the same as if a man-in-the-middle 
like SSL-Bump would be between;

Google chrome uses the same cert store as IE, and with IE there is no 
connection problem,
only another thing the banking site is telling: the browser is out 
dated, of course IE 7
the IE even shows a green bar when connecting to this banking site ...

can someone please tell me what is there special with this banking 
site:   https://banking.ing-diba.at/ ?

I'm using SSL bump with the exception of banking sites, the specific 
part of the squid.conf
looks like this:

acl ssl_bump_domains_bankingsites dstdomain banking.raiffeisen.at 
banking.ing-diba.at ebanking.easybank.at services.kepler.at 
www.kepler.at www.rcb.at
acl ssl_bump_domains_msftupdates dstdomain .update.microsoft.com
ssl_bump none ssl_bump_domains_bankingsites
ssl_bump none ssl_bump_domains_msftupdates
ssl_bump server-first all

sslproxy_cert_error allow all
sslproxy_cipher HIGH:MEDIUM:!AECDH:!ADH:!DSS:!SSLv2:+SSLv3:+3DES:!MD5
sslproxy_flags DONT_VERIFY_PEER,NO_DEFAULT_CA
sslproxy_options NO_SSLv2 NO_SSLv3

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/local/squid/ssl_db -M 16MB
sslcrtd_children 8

http_port 3128 ssl-bump generate-host-certificates=on 
dynamic_cert_mem_cache_size=16MB cert=/etc/squid/cert/squid.pem 
options=NO_SSLv2,SINGLE_DH_USE dhparams=/etc/squid/cert/dhparam.pem

# squid.pem contains both cert+key

I'm using my own CA, this means this SSL-bump CA cert is signed by my 
root CA certificate;

what is missing, wrong, ... so that this one banking site will work ...?

the SSL-bump CA certificate contain this:

Authority Information Access:
                 OCSP - URI:#url-to-ocsp#
                 CA Issuers - URI:#url-to-root-cert#

and

  X509v3 CRL Distribution Points:
                 Full Name:
                   URI:#url-to-crl#

everything is working, the OCSP, the root-cert, and the CRL ...

what causes Google Chrome producing the mentioned error above, when 
activating this mentioned policy?

the question to squid specialists: was it a good idea signing the 
SSL-bump CA certificate with the root certificate of my CA?

Thanks

-- 
Best regards,
Walter H.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5971 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150201/8ad5988b/attachment.bin>

More information about the squid-users mailing list