[squid-users] squid self signed cert error on some websites
robert k Wild
robertkwild at gmail.com
Thu May 20 17:05:52 UTC 2021
OK, bit weird, but it's sorted itself out after a reboot?!?!
So now, even when I don't whitelist the websites, when I go on them, instead
of getting the cert error message, I now get the normal error message
saying access denied by your admin.
On Wed, 19 May 2021 at 21:52, robert k Wild <robertkwild at gmail.com> wrote:
> I'm following this guide
>
> https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
>
> The section
>
> Alternative trust roots
>
> I don't have a dir called
>
> Usr local openssl
>
> Do I have to download the the ca bundle file somewhere?
>
>
>
> On Wed, 19 May 2021, 21:34 robert k Wild, <robertkwild at gmail.com> wrote:
>
>> Thanks Alex, I will do this tomorrow and let you know
>>
>> Thank you, have a great day
>>
>> On Wed, 19 May 2021, 21:25 Alex Rousskov, <
>> rousskov at measurement-factory.com> wrote:
>>
>>> On 5/19/21 4:20 PM, robert k Wild wrote:
>>>
>>> > When I don't add the website to the white list I can't view the cert
>>>
>>> What prevents you from viewing the certificate? Can you click on the
>>> site information icon to the left of the browser Location(?) bar when
>>> the error is displayed? If not, perhaps you can use FireFox built-in
>>> "Web Developer Tools" (Ctrl-Shift-I on my machine) to get to the
>>> certificate? I am not a browser expert, but there is usually a way to
>>> see the certificate if the browser received it.
>>>
>>> If nothing works, can you try reproducing using curl or wget instead of
>>> a browser?
>>>
>>>
>>> > Or are you talking about turn the proxy off on Firefox and access the
>>> > website normally?
>>>
>>> That would give you the third certificate to compare.
>>>
>>> Alex.
>>>
>>>
>>> > On Wed, 19 May 2021, 21:05 Alex Rousskov,
>>> > <rousskov at measurement-factory.com
>>> > <mailto:rousskov at measurement-factory.com>> wrote:
>>> >
>>> > On 5/19/21 3:44 PM, robert k Wild wrote:
>>> >
>>> > > when I don't add it to the white list I can't view the website (obviously)
>>> > > but can see the cert is provided by my squid (default company ltd)... I
>>> > > was lazy creating it but can't view the cert
>>> > >
>>> > > when I add it to the white list, I can view the website and the cert
>>> > > info and it's def from my squid cert (default company ltd) as I see the
>>> > > valid dates ie before and after
>>> >
>>> > The difference between those two certificates, if any, may be able to
>>> > explain the difference in browser behavior. It would also be useful to
>>> > compare those fake certificates with the real one.
>>> >
>>> >
>>> > > I think I need to relax the ciphers in my squid.conf as on some other https
>>> > > websites I get the error page and I don't get the cert error message
>>> > >
>>> > > do you think relaxing the ciphers will work?
>>> >
>>> > Sorry, I do not know. Obviously, you can trivially check this theory.
>>> >
>>> > Alex.
>>> >
>>> >
>>> > > On Wed, 19 May 2021, 19:12 Alex Rousskov wrote:
>>> > >
>>> > > On 5/19/21 10:41 AM, robert k Wild wrote:
>>> > > > ok I found out what the error is
>>> > > >
>>> > > > it's because in my squid.conf, I have a whitelist file
>>> > > >
>>> > > > #HTTP_HTTPS whitelist websites
>>> > > > acl whitelist ssl::server_name "/usr/local/squid/etc/urlwhite.txt"
>>> > > > http_access allow activation whitelist
>>> > > > http_access deny all
>>> > > >
>>> > > > once I added the url to that file, it worked
>>> > > >
>>> > > > but surely, instead of giving me an error saying
>>> > > >
>>> > > > secure connection failed
>>> > > > Error code: SEC_ERROR_BAD_SIGNATURE
>>> > > >
>>> > > > it should be the default error ie
>>> > > >
>>> > > > The following error was encountered while trying to retrieve the URL:
>>> > > > https://blah.blah
>>> > > >
>>> > > > Access Denied.
>>> > > >
>>> > > > how can I change this please
>>> > >
>>> > > The answer depends on _why_ you get that SEC_ERROR_BAD_SIGNATURE error.
>>> > >
>>> > > If Squid does not have enough information to properly bump your client
>>> > > connection, then there may be no bumping-based solution at all (e.g.
>>> > > when the client is using certificate pinning), or you would have to bump
>>> > > at step2 when more information is available to Squid (to generate a
>>> > > better fake certificate).
>>> > >
>>> > > For the next step, try comparing the fake certificate that causes
>>> > > SEC_ERROR_BAD_SIGNATURE with the fake same-site certificate that works
>>> > > after you whitelist the problematic site. The browser should allow you
>>> > > to view both certificates. You can download them and use certificate
>>> > > printing tools like "openssl x509 -noout -text -in ..." to compare two
>>> > > certificate printouts.
>>> > >
>>> > > HTH,
>>> > >
>>> > > Alex.
>>> > >
>>> > >
>>> > > > On Wed, 19 May 2021 at 13:54, robert k Wild wrote:
>>> > > >
>>> > > > hi all,
>>> > > >
>>> > > > I have squid 4.15
>>> > > >
>>> > > > I have imported my self signed cert on firefox and now I can access
>>> > > > https websites (whereas before I got a "software is preventing this
>>> > > > website from opening")
>>> > > >
>>> > > > but on some websites I get an error saying
>>> > > >
>>> > > > secure connection failed
>>> > > > Error code: SEC_ERROR_BAD_SIGNATURE
>>> > > >
>>> > > > I attach my ssl bump conf in my squid.conf file
>>> > > >
>>> > > > #SSL Bump
>>> > > > http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
>>> > > > sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
>>> > > > acl step1 at_step SslBump1
>>> > > > ssl_bump peek step1
>>> > > > ssl_bump bump all
>>> > > >
>>> > > > is there anything wrong you can see, I have tried to make a new CA
>>> > > > but the error still occurs
>>> > > >
>>> > > > thanks,
>>> > > > rob
>>> > > >
>>> > > > --
>>> > > > Regards,
>>> > > >
>>> > > > Robert K Wild.
>>> > > >
>>> > > >
>>> > > > _______________________________________________
>>> > > > squid-users mailing list
>>> > > > squid-users at lists.squid-cache.org
>>> > > > http://lists.squid-cache.org/listinfo/squid-users
>>> > > >
>>> > >
>>> >
>>>
>>>
--
Regards,
Robert K Wild.
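Alex's suggestion in the quoted thread is to export the fake certificate that triggers SEC_ERROR_BAD_SIGNATURE and the fake certificate that works after whitelisting, and compare their `openssl x509 -noout -text` printouts. The POSIX shell script below is an added example for that step; it is not part of this thread and not Squid's own code, and it assumes only that `openssl`, `diff` and `mktemp` are on the PATH. `cert_fields` reduces a PEM certificate to the fields that usually explain a browser error (subject, issuer, validity, signature algorithm, SubjectAltName, SHA-256 fingerprint), `compare_certs` diffs two certificates on those fields, and `verify_chain` runs `openssl verify` against the bumping CA, which is the kind of signature check a browser performs before it can report a bad signature. `make_test_pki` is constructed sample data so the script runs offline: a throwaway CA named after the "default company ltd" placeholder from the thread, plus two leaf certificates for the thread's `blah.blah` placeholder host, one with a SubjectAltName and one without. On a real proxy you would instead point the functions at the certificates exported from the browser and at the CA file given in `cert=` on `http_port`.

```shell
#!/bin/sh
# certcmp.sh: compare Squid-generated ("fake") certificates field by field and
# check that they verify against the bumping CA. Added example, not Squid code.
# Requires openssl, diff and mktemp. Usage after sourcing or pasting:
#   compare_certs bad-fake.pem good-fake.pem      # fields that differ
#   verify_chain myCA.pem bad-fake.pem && echo OK # signature chains to CA?
#   sh certcmp.sh demo                            # run on constructed certs

# Print the fields of one PEM certificate that usually explain a browser error,
# one "name=value" per line, so that two certificates can be diffed.
cert_fields() {
    _cf="$1"
    openssl x509 -noout -in "$_cf" -subject -issuer -startdate -enddate
    # The first "Signature Algorithm:" line is the one covering the signed body;
    # the SubjectAltName value sits on the line after the extension header.
    openssl x509 -noout -in "$_cf" -text | awk '
        /Signature Algorithm:/ && !seen { print "sigalg=" $3; seen = 1 }
        /Subject Alternative Name:/ { getline; sub(/^ +/, ""); print "san=" $0 }'
    openssl x509 -noout -in "$_cf" -fingerprint -sha256 | sed 's/^[^=]*=/sha256fp=/'
}

# Diff the field summaries of two certificates. Exit 0 if every compared field
# agrees, 1 otherwise (the differing lines are printed by diff).
compare_certs() {
    _a=$(mktemp) || return 2
    _b=$(mktemp) || return 2
    cert_fields "$1" > "$_a"
    cert_fields "$2" > "$_b"
    if diff "$_a" "$_b"; then _rc=0; else _rc=1; fi
    rm -f "$_a" "$_b"
    return "$_rc"
}

# Exit 0 only if CERT ($2) carries a valid signature chaining to CA ($1).
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build a throwaway PKI in DIR (constructed sample data, not real certificates):
# a self-signed CA, a leaf for blah.blah with a SubjectAltName, and a second
# leaf signed from the same CSR but without the SAN, so compare_certs has
# something to report. A private config file keeps this independent of the
# system openssl.cnf.
make_test_pki() {
    _d="$1"
    mkdir -p "$_d"
    printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
        'x509_extensions = ca_ext' '[dn]' 'O = Default Company Ltd' \
        'CN = Example Bump CA' '[ca_ext]' 'basicConstraints = critical, CA:TRUE' \
        'keyUsage = critical, keyCertSign, cRLSign' \
        'subjectKeyIdentifier = hash' > "$_d/ca.cnf"
    printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
        '[dn]' 'CN = blah.blah' > "$_d/leaf.cnf"
    openssl req -x509 -config "$_d/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$_d/ca.key" -out "$_d/ca.pem" 2>/dev/null
    openssl req -new -config "$_d/leaf.cnf" -newkey rsa:2048 -nodes \
        -keyout "$_d/leaf.key" -out "$_d/leaf.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:blah.blah\n' > "$_d/san.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$_d/nosan.ext"
    openssl x509 -req -days 1 -in "$_d/leaf.csr" -CA "$_d/ca.pem" -CAkey "$_d/ca.key" \
        -CAcreateserial -extfile "$_d/san.ext" -out "$_d/leaf.pem" 2>/dev/null
    openssl x509 -req -days 1 -in "$_d/leaf.csr" -CA "$_d/ca.pem" -CAkey "$_d/ca.key" \
        -CAcreateserial -extfile "$_d/nosan.ext" -out "$_d/leaf_nosan.pem" 2>/dev/null
}

# Self-contained demonstration on the constructed PKI.
demo() {
    _dd=$(mktemp -d)
    make_test_pki "$_dd"
    echo "# does the leaf certificate verify against the bump CA?"
    verify_chain "$_dd/ca.pem" "$_dd/leaf.pem" && echo "leaf.pem: signature OK"
    echo "# fields on which the two fake certificates differ:"
    compare_certs "$_dd/leaf.pem" "$_dd/leaf_nosan.pem" || true
    rm -rf "$_dd"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

When comparing real exports, run `verify_chain` with the CA file named in `cert=` on `http_port`: a fake certificate that the browser trusts when the site is whitelisted but rejects with SEC_ERROR_BAD_SIGNATURE otherwise should verify in both cases, so any difference reported by `compare_certs` (issuer, signature algorithm, missing SubjectAltName, different fingerprint) narrows down which of the two certificates Squid generated differently.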