[squid-users] squid self signed cert error on some websites

robert k Wild robertkwild at gmail.com
Wed May 19 20:20:18 UTC 2021


Thanks Alex,

When I don't add the website to the white list I can't view the cert, so I
can't download it and compare it with the one I can view/download when I do
add it to the white list.

Or are you talking about turning the proxy off on Firefox and accessing the
website normally?

Thanks,
Rob

On Wed, 19 May 2021, 21:05 Alex Rousskov, <rousskov at measurement-factory.com>
wrote:

> On 5/19/21 3:44 PM, robert k Wild wrote:
>
> > When I don't add it to the white list I can't view the website (obviously)
> > but can see the cert is provided by my squid (default company ltd)... I
> > was lazy creating it but can't view the cert.
> >
> > When I add it to the white list, I can view the website and the cert
> > info and it's definitely from my squid cert (default company ltd) as I see the
> > valid dates, i.e. before and after.
>
> The difference between those two certificates, if any, may be able to
> explain the difference in browser behavior. It would also be useful to
> compare those fake certificates with the real one.
>
>
> > I think I need to relax the ciphers in my squid.conf as on some other https
> > websites I get the error page and I don't get the cert error message.
> >
> > Do you think relaxing the ciphers will work?
>
> Sorry, I do not know. Obviously, you can trivially check this theory.
>
> Alex.
>
>
> > On Wed, 19 May 2021, 19:12 Alex Rousskov wrote:
> >
> >     On 5/19/21 10:41 AM, robert k Wild wrote:
> >     > OK, I found out what the error is.
> >     >
> >     > It's because in my squid.conf I have a whitelist file:
> >     >
> >     > #HTTP_HTTPS whitelist websites
> >     > acl whitelist ssl::server_name "/usr/local/squid/etc/urlwhite.txt"
> >     > http_access allow activation whitelist
> >     > http_access deny all
> >     >
> >     > Once I added the URL to that file, it worked.
> >     >
> >     > But surely, instead of giving me an error saying
> >     >
> >     > secure connection failed
> >     > Error code: SEC_ERROR_BAD_SIGNATURE
> >     >
> >     > it should be the default error, i.e.
> >     >
> >     > The following error was encountered while trying to retrieve the URL:
> >     > https://blah.blah
> >     >
> >     >     Access Denied.
> >     >
> >     > How can I change this please?
> >
> >     The answer depends on _why_ you get that SEC_ERROR_BAD_SIGNATURE error.
> >
> >     If Squid does not have enough information to properly bump your client
> >     connection, then there may be no bumping-based solution at all (e.g.
> >     when the client is using certificate pinning), or you would have to bump
> >     at step2 when more information is available to Squid (to generate a
> >     better fake certificate).
> >
> >     For the next step, try comparing the fake certificate that causes
> >     SEC_ERROR_BAD_SIGNATURE with the fake same-site certificate that works
> >     after you whitelist the problematic site. The browser should allow you
> >     to view both certificates. You can download them and use certificate
> >     printing tools like "openssl x509 -noout -text -in ..." to compare two
> >     certificate printouts.
> >
> >     HTH,
> >
> >     Alex.
> >
> >
> >     > On Wed, 19 May 2021 at 13:54, robert k Wild wrote:
> >     >
> >     >     Hi all,
> >     >
> >     >     I have squid 4.15.
> >     >
> >     >     I have imported my self signed cert on Firefox and now I can
> >     >     access https websites (whereas before I got a "software is preventing
> >     >     this website from opening").
> >     >
> >     >     But on some websites I get an error saying
> >     >
> >     >     secure connection failed
> >     >     Error code: SEC_ERROR_BAD_SIGNATURE
> >     >
> >     >     I attach my ssl bump conf in my squid.conf file:
> >     >
> >     >     #SSL Bump
> >     >     http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
> >     >     sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
> >     >     acl step1 at_step SslBump1
> >     >     ssl_bump peek step1
> >     >     ssl_bump bump all
> >     >
> >     >     Is there anything wrong you can see? I have tried to make a
> >     >     new CA but the error still occurs.
> >     >
> >     >     Thanks,
> >     >     Rob
> >     >
> >     >     --
> >     >     Regards,
> >     >
> >     >     Robert K Wild.
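The certificate comparison Alex suggests (diffing two "openssl x509 -noout -text" printouts), as an added example that is not part of this thread: a small Python script that pulls the fields worth checking on a proxy-generated certificate (issuer, subject, SAN, validity, signature algorithm) out of each printout and reports which ones differ. The two printouts are constructed, abridged samples; the differences between them are invented for illustration, not taken from Rob's certificates.

```python
import re

# Constructed, abridged printouts in `openssl x509 -noout -text` format: WORKING
# stands for the fake cert accepted after whitelisting, FAILING for a rejected one.
WORKING = """\
Certificate:
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = default company ltd
        Validity
            Not Before: May  1 00:00:00 2021 GMT
            Not After : May  1 00:00:00 2022 GMT
        Subject: CN = www.example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:www.example.com, DNS:example.com
"""
FAILING = """\
Certificate:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = default company ltd
        Validity
            Not Before: May  1 00:00:00 2021 GMT
            Not After : May  1 00:00:00 2022 GMT
        Subject: CN = www.example.com
"""

# Fields worth comparing when a bumped (proxy-generated) certificate is rejected.
FIELDS = {
    "signature_algorithm": r"^\s*Signature Algorithm:\s*(.+?)\s*$",
    "issuer": r"^\s*Issuer:\s*(.+?)\s*$",
    "subject": r"^\s*Subject:\s*(.+?)\s*$",
    "not_before": r"^\s*Not Before:\s*(.+?)\s*$",
    "not_after": r"^\s*Not After\s*:\s*(.+?)\s*$",
}

def summarize(printout: str) -> dict:
    """Extract the comparison fields; a missing field (e.g. no SAN extension) is None."""
    summary = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, printout, re.MULTILINE)
        summary[name] = m.group(1) if m else None
    # The SAN list sits on the line after its header, so match across the newline.
    m = re.search(r"Subject Alternative Name:\s*\n\s*(.+?)\s*$", printout, re.MULTILINE)
    summary["san"] = sorted(s.strip() for s in m.group(1).split(",")) if m else None
    return summary

def diff_certs(a: str, b: str) -> dict:
    """Return {field: (value in a, value in b)} for every field that differs."""
    sa, sb = summarize(a), summarize(b)
    return {k: (sa[k], sb[k]) for k in sa if sa[k] != sb[k]}
```

To use it on real files, read each `openssl x509 -noout -text -in fake.pem` output into a string and pass the two strings to `diff_certs`; running it a second time against the site's real certificate shows what Squid changed when it minted the fake.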