[squid-users] squid self signed cert error on some websites

robert k Wild robertkwild at gmail.com
Wed May 19 19:44:12 UTC 2021


Thanks Alex,

I think I know why now, after further digging.

When I don't add it to the whitelist I can't view the website (obviously),
but I can see the cert is provided by my Squid (default company ltd)... I was
lazy creating it, but I can't view the cert.

When I add it to the whitelist, I can view the website and the cert info,
and it's definitely from my Squid cert (default company ltd), as I see the valid
dates, i.e. before and after.

I think I need to relax the ciphers in my squid.conf, as on some other HTTPS
websites I get the error page and I don't get the cert error message.

Do you think relaxing the ciphers will work?


On Wed, 19 May 2021, 19:12 Alex Rousskov, <rousskov at measurement-factory.com>
wrote:

> On 5/19/21 10:41 AM, robert k Wild wrote:
> > OK, I found out what the error is.
> >
> > It's because in my squid.conf I have a whitelist file:
> >
> > #HTTP_HTTPS whitelist websites
> > acl whitelist ssl::server_name "/usr/local/squid/etc/urlwhite.txt"
> > http_access allow activation whitelist
> > http_access deny all
> >
> > Once I added the URL to that file, it worked.
> >
> > But surely, instead of giving me an error saying
> >
> > secure connection failed
> > Error code: SEC_ERROR_BAD_SIGNATURE
> >
> > it should be the default error, i.e.
> >
> > The following error was encountered while trying to retrieve the URL:
> > https://blah.blah
> >
> >     Access Denied.
> >
> > How can I change this please?
>
> The answer depends on _why_ you get that SEC_ERROR_BAD_SIGNATURE error.
>
> If Squid does not have enough information to properly bump your client
> connection, then there may be no bumping-based solution at all (e.g.
> when the client is using certificate pinning), or you would have to bump
> at step2 when more information is available to Squid (to generate a
> better fake certificate).
>
> For the next step, try comparing the fake certificate that causes
> SEC_ERROR_BAD_SIGNATURE with the fake same-site certificate that works
> after you whitelist the problematic site. The browser should allow you
> to view both certificates. You can download them and use certificate
> printing tools like "openssl x509 -noout -text -in ..." to compare two
> certificate printouts.
>
> HTH,
>
> Alex.
>
>
> > On Wed, 19 May 2021 at 13:54, robert k Wild wrote:
> >
> >     Hi all,
> >
> >     I have Squid 4.15.
> >
> >     I have imported my self-signed cert into Firefox and now I can access
> >     HTTPS websites (whereas before I got "software is preventing this
> >     website from opening").
> >
> >     But on some websites I get an error saying
> >
> >     secure connection failed
> >     Error code: SEC_ERROR_BAD_SIGNATURE
> >
> >     I attach my SSL bump conf from my squid.conf file:
> >
> >     #SSL Bump
> >     http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem
> >     generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> >
> >     cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
> >     sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s
> >     /var/lib/ssl_db -M 4MB
> >     acl step1 at_step SslBump1
> >     ssl_bump peek step1
> >     ssl_bump bump all
> >
> >     Is there anything wrong you can see? I have tried to make a new CA,
> >     but the error still occurs.
> >
> >     thanks,
> >     rob
> >
> >     --
> >     Regards,
> >
> >     Robert K Wild.
> >
> >
> >
> > --
> > Regards,
> >
> > Robert K Wild.
> >
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
> >
>
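The comparison Alex suggests, scripted as an added example (not code from the thread or from the Squid project): POSIX shell functions that print the fields that matter from two saved certificates, list which of them differ, and check each one against the Squid CA. It assumes openssl is on PATH; failing.pem, working.pem and myCA.pem are placeholder file names.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes openssl on PATH; failing.pem,
# working.pem and myCA.pem are placeholder names for the two certificates
# saved from the browser and the Squid CA.
set -eu
# Print one field of a PEM certificate: subject, issuer, dates, sigalg or san.
cert_field() {
    case $2 in
        subject|issuer)
            openssl x509 -noout "-$2" -nameopt RFC2253 -in "$1" ;;
        dates)
            openssl x509 -noout -dates -in "$1" | tr '\n' ' ' ;;
        sigalg)  # first match is the algorithm named in the signed part
            openssl x509 -noout -text -in "$1" |
                sed -n 's/^ *Signature Algorithm: //p' | head -n 1 ;;
        san)     # empty when the certificate carries no SAN extension
            openssl x509 -noout -text -in "$1" |
                grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//' ;;
    esac
}
# Succeed only if CERT is signed by the CA in CAFILE: the check the browser
# makes against the imported Squid CA.
cert_chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# List the fields whose values differ between two certificates.
cert_diff_fields() {
    for field in subject issuer sigalg san; do
        [ "$(cert_field "$1" "$field")" = "$(cert_field "$2" "$field")" ] ||
            echo "$field"
    done
}

# Report on both certificates: cert_report failing.pem working.pem myCA.pem
cert_report() {
    for f in "$1" "$2"; do
        echo "== $f"
        for field in subject issuer dates sigalg san; do
            printf '%-8s %s\n' "$field:" "$(cert_field "$f" "$field")"
        done
        if cert_chains_to "$f" "$3"; then echo "chains to CA: yes"
        else echo "chains to CA: NO"; fi
    done
    echo "differing fields: $(cert_diff_fields "$1" "$2" | tr '\n' ' ')"
}

if [ $# -eq 3 ]; then cert_report "$@"; fi
```

A certificate that reports "chains to CA: NO", or whose issuer or SAN differs from the working one, points at the generated fake certificate rather than at the whitelist itself.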