[squid-users] squid self signed cert error on some websites
robert k Wild
robertkwild at gmail.com
Wed May 19 20:52:09 UTC 2021
I'm following this guide
https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
The section
Alternative trust roots
I don't have a dir called
Usr local openssl
Do I have to download the ca bundle file somewhere?
On Wed, 19 May 2021, 21:34 robert k Wild, <robertkwild at gmail.com> wrote:
> Thanks Alex, I will do this tomorrow and let you know
>
> Thank you, have a great day
>
> On Wed, 19 May 2021, 21:25 Alex Rousskov, <rousskov at measurement-factory.com> wrote:
>
>> On 5/19/21 4:20 PM, robert k Wild wrote:
>>
>> > When I don't add the website to the white list I can't view the cert
>>
>> What prevents you from viewing the certificate? Can you click on the
>> site information icon to the left of the browser Location(?) bar when
>> the error is displayed? If not, perhaps you can use FireFox built-in
>> "Web Developer Tools" (Ctrl-Shift-I on my machine) to get to the
>> certificate? I am not a browser expert, but there is usually a way to
>> see the certificate if the browser received it.
>>
>> If nothing works, can you try reproducing using curl or wget instead of
>> a browser?
>>
>>
>> > Or are you talking about turn the proxy off on Firefox and access the
>> > website normally?
>>
>> That would give you the third certificate to compare.
>>
>> Alex.
>>
>>
>> > On Wed, 19 May 2021, 21:05 Alex Rousskov, <rousskov at measurement-factory.com> wrote:
>> >
>> > On 5/19/21 3:44 PM, robert k Wild wrote:
>> >
>> > > When I don't add it to the white list I can't view the website (obviously)
>> > > but can see the cert is provided by my squid (default company ltd)... I
>> > > was lazy creating it, but can't view the cert.
>> > >
>> > > When I add it to the white list, I can view the website and the cert
>> > > info and it's definitely from my squid cert (default company ltd) as I see the
>> > > valid dates, i.e. before and after.
>> >
>> > The difference between those two certificates, if any, may be able to
>> > explain the difference in browser behavior. It would also be useful to
>> > compare those fake certificates with the real one.
>> >
>> >
>> > > I think I need to relax the ciphers in my squid.conf as on some other
>> > > https websites I get the error page and I don't get the cert error
>> > > message.
>> > >
>> > > Do you think relaxing the ciphers will work?
>> >
>> > Sorry, I do not know. Obviously, you can trivially check this theory.
>> >
>> > Alex.
>> >
>> >
>> > > On Wed, 19 May 2021, 19:12 Alex Rousskov wrote:
>> > >
>> > > On 5/19/21 10:41 AM, robert k Wild wrote:
>> > > > OK, I found out what the error is.
>> > > >
>> > > > It's because in my squid.conf I have a whitelist file:
>> > > >
>> > > > #HTTP_HTTPS whitelist websites
>> > > > acl whitelist ssl::server_name "/usr/local/squid/etc/urlwhite.txt"
>> > > > http_access allow activation whitelist
>> > > > http_access deny all
>> > > >
>> > > > Once I added the URL to that file, it worked.
>> > > >
>> > > > But surely, instead of giving me an error saying
>> > > >
>> > > > secure connection failed
>> > > > Error code: SEC_ERROR_BAD_SIGNATURE
>> > > >
>> > > > it should be the default error, i.e.
>> > > >
>> > > > The following error was encountered while trying to retrieve the URL: https://blah.blah
>> > > >
>> > > > Access Denied.
>> > > >
>> > > > How can I change this please?
>> > >
>> > > The answer depends on _why_ you get that SEC_ERROR_BAD_SIGNATURE error.
>> > >
>> > > If Squid does not have enough information to properly bump your client
>> > > connection, then there may be no bumping-based solution at all (e.g.
>> > > when the client is using certificate pinning), or you would have to bump
>> > > at step2 when more information is available to Squid (to generate a
>> > > better fake certificate).
>> > >
>> > > For the next step, try comparing the fake certificate that causes
>> > > SEC_ERROR_BAD_SIGNATURE with the fake same-site certificate that works
>> > > after you whitelist the problematic site. The browser should allow you
>> > > to view both certificates. You can download them and use certificate
>> > > printing tools like "openssl x509 -noout -text -in ..." to compare two
>> > > certificate printouts.
>> > >
>> > > HTH,
>> > >
>> > > Alex.
>> > >
>> > >
>> > > > On Wed, 19 May 2021 at 13:54, robert k Wild wrote:
>> > > >
>> > > > hi all,
>> > > >
>> > > > I have squid 4.15.
>> > > >
>> > > > I have imported my self-signed cert on Firefox and now I can access
>> > > > https websites (whereas before I got "software is preventing this
>> > > > website from opening").
>> > > >
>> > > > But on some websites I get an error saying
>> > > >
>> > > > secure connection failed
>> > > > Error code: SEC_ERROR_BAD_SIGNATURE
>> > > >
>> > > > I attach my SSL bump conf from my squid.conf file:
>> > > >
>> > > > #SSL Bump
>> > > > http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
>> > > > sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
>> > > > acl step1 at_step SslBump1
>> > > > ssl_bump peek step1
>> > > > ssl_bump bump all
>> > > >
>> > > > Is there anything wrong you can see? I have tried to make a new CA
>> > > > but the error still occurs.
>> > > >
>> > > > thanks,
>> > > > rob
>> > > >
>> > > > --
>> > > > Regards,
>> > > >
>> > > > Robert K Wild.
>> > > >
>> > > >
>> > > >
>> > > > _______________________________________________
>> > > > squid-users mailing list
>> > > > squid-users at lists.squid-cache.org
>> > > > http://lists.squid-cache.org/listinfo/squid-users
>> > > >
>> > >
>> >
>>
>>
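Alex's suggestion in the thread, to diff the printouts of the certificate Squid generates for the rejected site against the one it generates once the site is whitelisted, as a small shell helper. This is an added example, not code from the thread or from Squid; it assumes openssl(1) is in PATH and that both certificates were saved from the browser as PEM files (the paths in the usage line are placeholders).

```shell
#!/bin/sh
# Added example (not from the thread or from Squid): print the certificate
# fields that most often differ between a Squid-generated certificate the
# browser rejects and one it accepts, then diff the two summaries.
# Assumes openssl(1) is in PATH; the PEM paths in the usage line are placeholders.

cert_summary() {
    # $1 = PEM certificate file
    openssl x509 -noout -in "$1" -issuer -subject -startdate -enddate
    # Signature algorithm, key type/size and the SAN list from the full
    # -text printout; "sort -u" folds the duplicated Signature Algorithm line.
    openssl x509 -noout -in "$1" -text |
        sed -n -e 's/^ *Signature Algorithm: /sigalg: /p' \
               -e 's/^ *\(.*Public-Key: .*\)/key: \1/p' \
               -e '/Subject Alternative Name/{' -e 'n' -e 's/^ *//' \
               -e 's/^/san: /p' -e '}' |
        sort -u
}

compare_certs() {
    # $1 = certificate that works (whitelisted site), $2 = the rejected one.
    # Exit status 0 when the summaries match, 1 when they differ (diff shown).
    tmp_ok=$(mktemp) && tmp_bad=$(mktemp) || return 2
    cert_summary "$1" > "$tmp_ok"
    cert_summary "$2" > "$tmp_bad"
    if diff -u "$tmp_ok" "$tmp_bad"; then rc=0; else rc=1; fi
    rm -f "$tmp_ok" "$tmp_bad"
    return $rc
}

# Usage: compare_certs /path/to/works.pem /path/to/rejected.pem
```

A differing issuer, signature algorithm or missing SAN entry in the diff is the first thing to take back to the Squid configuration; identical summaries point away from the certificate itself.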