[squid-users] net::err_cert_common_name_invalid just in squid page with dstdomain block

erdosain9 erdosain9 at gmail.com
Tue Dec 5 17:05:48 UTC 2017


"Does that error match the generated certificate sent by Squid to a
blocked Chrome user? In other words, does that certificate have an
invalid common name (CN) field?"

No, it is the same certificate.

"I suggest comparing the following two certificates:
  * the certificate sent by Squid to a blocked Firefox user
  * the certificate sent by Squid to a blocked Chrome user"

It is the same certificate.

"I also suggest comparing the following access.log entries:

  * the line(s) corresponding to the blocked Firefox user request
  * the line(s) corresponding to the blocked Chrome user request"

Line corresponding to blocked Chrome

1512493257.523    175 192.168.1.121 TCP_DENIED/200 0 CONNECT es-la.facebook.com:443 user at DOMAIN.LAN HIER_NONE/- -
1512493257.716    169 192.168.1.121 TCP_MISS/204 193 GET http://www.gstatic.com/generate_204 user at DOMAIN.LAN HIER_DIRECT/172.217.30.163 -


Line corresponding to blocked Firefox

1512493386.314     43 192.168.1.121 TCP_DENIED/200 0 CONNECT es-la.facebook.com:443 user at DOMAIN.LAN HIER_NONE/- -
1512493386.317      0 192.168.1.121 TAG_NONE/403 6569 GET https://es-la.facebook.com/ user at DOMAIN.LAN HIER_NONE/- text/html
1512493386.370    173 192.168.1.121 TAG_NONE/200 0 CONNECT www.google.com.ar:443 user at DOMAIN.LAN HIER_DIRECT/216.58.222.163 -
1512493386.397     45 192.168.1.121 TCP_DENIED/200 0 CONNECT es-la.facebook.com:443 user at DOMAIN.LAN HIER_NONE/- -
1512493386.400      0 192.168.1.121 TAG_NONE/403 6561 GET http://squid.DOMAIN.lan:3128/squid-internal-static/icons/SN.png user at DOMAIN.LAN HIER_NONE/- text/html


It is strange that from Firefox the "answer" is instantaneous, but from Chrome it is not.

Thanks to all.




--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
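
The access.log comparison asked for in this message, as an added example that is not part of the original post: it parses the two excerpts (re-joined onto single lines) and reports, for each denied CONNECT, whether a 403 GET for the same host over https was logged from the same client shortly afterwards. The function names and the 2-second `window` are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Log lines copied from the message above, re-joined onto single lines.
CHROME_LOG = """\
1512493257.523    175 192.168.1.121 TCP_DENIED/200 0 CONNECT es-la.facebook.com:443 user at DOMAIN.LAN HIER_NONE/- -
1512493257.716    169 192.168.1.121 TCP_MISS/204 193 GET http://www.gstatic.com/generate_204 user at DOMAIN.LAN HIER_DIRECT/172.217.30.163 -
"""
FIREFOX_LOG = """\
1512493386.314     43 192.168.1.121 TCP_DENIED/200 0 CONNECT es-la.facebook.com:443 user at DOMAIN.LAN HIER_NONE/- -
1512493386.317      0 192.168.1.121 TAG_NONE/403 6569 GET https://es-la.facebook.com/ user at DOMAIN.LAN HIER_NONE/- text/html
1512493386.370    173 192.168.1.121 TAG_NONE/200 0 CONNECT www.google.com.ar:443 user at DOMAIN.LAN HIER_DIRECT/216.58.222.163 -
1512493386.397     45 192.168.1.121 TCP_DENIED/200 0 CONNECT es-la.facebook.com:443 user at DOMAIN.LAN HIER_NONE/- -
1512493386.400      0 192.168.1.121 TAG_NONE/403 6561 GET http://squid.DOMAIN.lan:3128/squid-internal-static/icons/SN.png user at DOMAIN.LAN HIER_NONE/- text/html
"""

def parse(line):
    """Parse one line of Squid's native access.log format."""
    f = line.split()
    code, status = f[3].split("/")
    # The user field may hold spaces (the archive rewrote "@" as " at "),
    # so it is everything between the URL and the last two fields.
    return {"ts": float(f[0]), "client": f[2], "code": code,
            "status": int(status), "method": f[5], "url": f[6],
            "user": " ".join(f[7:-2])}

def host_of(entry):
    """Host name from a CONNECT authority (host:port) or from a full URL."""
    if entry["method"] == "CONNECT":
        return entry["url"].rsplit(":", 1)[0]
    return urlsplit(entry["url"]).hostname

def denied_connects(log, window=2.0):
    """Return (host, followed_by_403) for every TCP_DENIED CONNECT in the log."""
    entries = [parse(l) for l in log.splitlines() if l.strip()]
    report = []
    for i, e in enumerate(entries):
        if e["method"] != "CONNECT" or e["code"] != "TCP_DENIED":
            continue
        followed = any(
            n["client"] == e["client"] and n["method"] != "CONNECT"
            and n["status"] == 403 and n["url"].startswith("https://")
            and host_of(n) == host_of(e) and 0 <= n["ts"] - e["ts"] <= window
            for n in entries[i + 1:])
        report.append((host_of(e), followed))
    return report

if __name__ == "__main__":
    print("Chrome :", denied_connects(CHROME_LOG))
    print("Firefox:", denied_connects(FIREFOX_LOG))
```
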

