[squid-users] squid self signed cert error on some websites

Alex Rousskov rousskov at measurement-factory.com
Wed May 19 20:25:55 UTC 2021


On 5/19/21 4:20 PM, robert k Wild wrote:

> When I don't add the website to the white list I can't view the cert

What prevents you from viewing the certificate? Can you click on the
site information icon to the left of the browser Location(?) bar when
the error is displayed? If not, perhaps you can use Firefox built-in
"Web Developer Tools" (Ctrl-Shift-I on my machine) to get to the
certificate? I am not a browser expert, but there is usually a way to
see the certificate if the browser received it.

If nothing works, can you try reproducing using curl or wget instead of
a browser?


> Or are you talking about turn the proxy off on Firefox and access the
> website normally?

That would give you the third certificate to compare.

Alex.


> On Wed, 19 May 2021, 21:05 Alex Rousskov, <rousskov at measurement-factory.com> wrote:
> 
>     On 5/19/21 3:44 PM, robert k Wild wrote:
> 
>     > when I don't add it to the white list I can't view the website
>     > (obviously) but can see the cert is provided by my squid (default
>     > company ltd)... I was lazy creating it but can't view the cert
>     >
>     > when I add it to the white list, I can view the website and the cert
>     > info and it's def from my squid cert (default company ltd) as I see the
>     > valid dates ie before and after
> 
>     The difference between those two certificates, if any, may be able to
>     explain the difference in browser behavior. It would also be useful to
>     compare those fake certificates with the real one.
> 
> 
>     > I think I need to relax the ciphers in my squid.conf as on some other
>     > https websites I get the error page and I don't get the cert error
>     > message
>     >
>     > do you think relaxing the ciphers will work?
> 
>     Sorry, I do not know. Obviously, you can trivially check this theory.
> 
>     Alex.
> 
> 
>     > On Wed, 19 May 2021, 19:12 Alex Rousskov wrote:
>     >
>     >     On 5/19/21 10:41 AM, robert k Wild wrote:
>     >     > ok I found out what the error is
>     >     >
>     >     > it's because in my squid.conf, I have a whitelist file
>     >     >
>     >     > #HTTP_HTTPS whitelist websites
>     >     > acl whitelist ssl::server_name "/usr/local/squid/etc/urlwhite.txt"
>     >     > http_access allow activation whitelist
>     >     > http_access deny all
>     >     >
>     >     > once I added the url to that file, it worked
>     >     >
>     >     > but surely, instead of giving me an error saying
>     >     >
>     >     > secure connection failed
>     >     > Error code: SEC_ERROR_BAD_SIGNATURE
>     >     >
>     >     > it should be the default error ie
>     >     >
>     >     > The following error was encountered while trying to retrieve the URL:
>     >     > https://blah.blah
>     >     >
>     >     >     Access Denied.
>     >     >
>     >     > how can I change this please
>     >
>     >     The answer depends on _why_ you get that SEC_ERROR_BAD_SIGNATURE
>     >     error.
>     >
>     >     If Squid does not have enough information to properly bump your
>     >     client connection, then there may be no bumping-based solution at
>     >     all (e.g. when the client is using certificate pinning), or you
>     >     would have to bump at step2 when more information is available to
>     >     Squid (to generate a better fake certificate).
>     >
>     >     For the next step, try comparing the fake certificate that causes
>     >     SEC_ERROR_BAD_SIGNATURE with the fake same-site certificate that
>     >     works after you whitelist the problematic site. The browser should
>     >     allow you to view both certificates. You can download them and use
>     >     certificate printing tools like "openssl x509 -noout -text -in ..."
>     >     to compare two certificate printouts.
>     >
>     >     HTH,
>     >
>     >     Alex.
>     >
>     >
>     >     > On Wed, 19 May 2021 at 13:54, robert k Wild wrote:
>     >     >
>     >     >     hi all,
>     >     >
>     >     >     I have squid 4.15
>     >     >
>     >     >     I have imported my self signed cert on firefox and now I can
>     >     >     access https websites (whereas before I got a "software is
>     >     >     preventing this website from opening")
>     >     >
>     >     >     but on some websites I get an error saying
>     >     >
>     >     >     secure connection failed
>     >     >     Error code: SEC_ERROR_BAD_SIGNATURE
>     >     >
>     >     >     I attach my ssl bump conf in my squid.conf file
>     >     >
>     >     >     #SSL Bump
>     >     >     http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem
>     >     >     generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>     >     >     cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
>     >     >     sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
>     >     >     acl step1 at_step SslBump1
>     >     >     ssl_bump peek step1
>     >     >     ssl_bump bump all
>     >     >
>     >     >     is there anything wrong you can see, I have tried to make a
>     >     >     new CA but the error still occurs
>     >     >
>     >     >     thanks,
>     >     >     rob
>     >     >
>     >     >     --
>     >     >     Regards,
>     >     >
>     >     >     Robert K Wild.
>     >     >
>     >     >
>     >     >
>     >     > --
>     >     > Regards,
>     >     >
>     >     > Robert K Wild.
>     >     >
>     >     > _______________________________________________
>     >     > squid-users mailing list
>     >     > squid-users at lists.squid-cache.org
>     >     > http://lists.squid-cache.org/listinfo/squid-users
>     >     >
>     >
>     >
> 
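Alex's advice above is to reproduce with a non-browser client, collect the fake certificate Squid generates and the real one from the origin, and diff the "openssl x509" printouts. The following shell helpers do exactly that; they are an added example, not code from the thread or from the Squid project, and assume the openssl CLI (1.1.1 or newer for the -proxy and -ext options) and a proxy address written as host:port.

```shell
#!/bin/sh
# Added example, not code from the thread or the Squid project: fetch the
# certificate a site presents (through Squid, and directly) and compare the
# fields that usually explain a browser-side certificate error.
# Assumes the openssl CLI (1.1.1+ for -proxy and -ext); PROXY is host:port.
set -eu

# Leaf certificate as PEM. With a PROXY argument the handshake goes through
# Squid's CONNECT tunnel, so you get Squid's generated (fake) certificate;
# without it you get the origin server's real one.
fetch_cert() {
    host=$1; proxy=${2:-}
    if [ -n "$proxy" ]; then
        printf '' | openssl s_client -proxy "$proxy" -connect "$host:443" \
            -servername "$host" 2>/dev/null
    else
        printf '' | openssl s_client -connect "$host:443" \
            -servername "$host" 2>/dev/null
    fi | openssl x509 -outform PEM
}

# Subject, issuer, serial, validity window, signature algorithm and SANs:
# a short printout that is easier to diff than the full "-text" dump.
cert_summary() {
    openssl x509 -noout -nameopt RFC2253 -subject -issuer -serial -dates \
        -in "$1"
    openssl x509 -noout -text -in "$1" | sed -n '/Signature Algorithm/{p;q;}'
    openssl x509 -noout -ext subjectAltName -in "$1" 2>/dev/null || true
}

# Does the certificate chain to the CA the browser has imported?
# Exit status 0 = verifies, non-zero = the signature/chain is not trusted.
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Diff two summaries (fake vs real, or working vs failing fake).
# Exit status 0 = identical summaries, 1 = they differ (diff is printed).
compare_certs() {
    a=$(mktemp); b=$(mktemp); rc=0
    cert_summary "$1" >"$a"; cert_summary "$2" >"$b"
    diff "$a" "$b" || rc=$?
    rm -f "$a" "$b"
    return $rc
}

# Typical use (needs network access), e.g. with Squid at 127.0.0.1:3128:
#   fetch_cert example.com 127.0.0.1:3128 > fake.pem
#   fetch_cert example.com > real.pem
#   compare_certs fake.pem real.pem; verify_against_ca myCA.pem fake.pem
```

If verify_against_ca fails for the fake certificate but succeeds for the one served after whitelisting, the difference between the two summaries is the first thing to look at.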