[squid-users] 4.9 https issue...unable to import certificate in browser

Alex Rousskov rousskov at measurement-factory.com
Tue Dec 10 15:12:55 UTC 2019


On 12/10/19 6:19 AM, aw_wolfe wrote:
> I have squid 4.9 built with https support in which I created a certificate
> following tutorial. Squid starts, appears to be running fine. http whitelist
> with user groups working....trying to add https support.
> 
> copy/paste from example of what I did to create certificate.
> 
> openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions
> v3_ca -keyout myCA.pem  -out myCA.pem
> 
> certtool --generate-privkey --outfile ca-key.pem
> 
> certtool --generate-self-signed --load-privkey ca-key.pem --outfile myCA.pem

You seem to be combining/overlapping two alternative ways to generate a
CA certificate: OpenSSL and GnuTLS. To avoid surprises, I recommend
using either one or the other. I cannot speak for GnuTLS, but I know that
the OpenSSL commands did work at some point in the past.


> 1) problem when trying to import myCA.der certificate into firefox: "This is
> not a certificate authority certificate, so it can’t be imported into the
> certificate authority list"

CA certificates have a "true" CA basic constraint. Double check that
your certificate has a true CA extension:

    $ openssl x509 -in myCA.pem -noout -text | \
      grep -A1 'Basic Constraints'
                X509v3 Basic Constraints:
                   CA:TRUE

By default, your modern browser or OS might not trust _you_ with
deciding which CAs it should trust. If that is the case, you will need
to find a way to bypass that built-in browser/OS "safety net". Modern
browsers/OSes usually have a way to do that because their
corporate/government clients require such workarounds.


> 2) My goal is simply to whitelist sites, I do not have a need to view the
> traffic. Is following ssl-bump examples the right/only approach or is there an
> easier way to let the client connect directly, but preventing any connection
> except if on the whitelist?

FWIW, I do not understand what you mean by "let the client connect
directly" and/or how that differs from some of the SslBump examples.
Please detail that part.

Today, the fake CA certificate is needed to enable SslBump. It will be
used to report errors (including blocked access) to users.

If you do not want to report any errors to users, then you do not need
to import your CA certificate into browsers (but you still need to give
that certificate to Squid -- it is a limitation of the current
implementation). In this case, you should configure your Squid to
terminate the from-client TLS connection on any error. Doing so may be
difficult -- there is no single directive that can do that for you.


HTH,

Alex.
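As an added illustration (not code from this thread or from the Squid project), the script below generates a CA with the OpenSSL command quoted above, runs the Basic Constraints check from the reply, and contrasts the result with a deliberately non-CA certificate of the kind Firefox rejects. The file names and the inline config section are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the squid-users thread. Key and certificate are
# written to separate files here so the browser import file never holds a key.
set -eu

# Minimal config so results do not depend on the system openssl.cnf.
write_cnf() {
  cat > "$1" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = Squid SslBump test CA (constructed example)
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
EOF
}

# make_cert DIR NAME EXTSECTION: self-signed cert + key via the quoted command.
make_cert() {
  write_cnf "$1/ca.cnf"
  openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
    -config "$1/ca.cnf" -extensions "$3" \
    -keyout "$1/$2-key.pem" -out "$1/$2.pem" 2>/dev/null
  # Cert-only DER copy, the form the browser import dialog expects.
  openssl x509 -in "$1/$2.pem" -outform DER -out "$1/$2.der"
}

# is_ca_cert FILE [PEM|DER]: the check from the reply; succeeds only on CA:TRUE.
is_ca_cert() {
  openssl x509 -inform "${2:-PEM}" -in "$1" -noout -text \
    | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

main() {
  dir=$(mktemp -d)
  make_cert "$dir" myCA v3_ca
  make_cert "$dir" leaf v3_leaf
  is_ca_cert "$dir/myCA.der" DER && echo "myCA.der: importable as a CA"
  is_ca_cert "$dir/leaf.pem" || echo "leaf.pem: not a CA, Firefox would reject it"
  rm -rf "$dir"
}
main
```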

