<div dir="ltr"><span style="font-family:arial,sans-serif;font-size:13px">Ok, finally got the certificate installed properly and can proxy some https sites (gmail, google) but I get an error when going to a bank website.....</span><div style="font-family:arial,sans-serif;font-size:13px"><span style="color:rgb(0,0,0);font-family:'Segoe UI',Tahoma,sans-serif;font-size:15px;line-height:24px;text-transform:uppercase;background-color:rgb(247,247,247)">NET::ERR_CERT_COMMON_NAME_INVALID</span><br></div><div style="font-family:arial,sans-serif;font-size:13px">when I created the certificate, I purposefully left the common name blank as per several articles on ssl_bump. So I'm assuming it's complaining about the CN generated by <span class="">squid</span>/ssl_bump?</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 13, 2014 at 9:22 AM, Robert Watson <span dir="ltr"><<a href="mailto:robert@gillecaluim.com" target="_blank">robert@gillecaluim.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Ok, finally got the certificate installed properly and can proxy some https sites (gmail, google) but I get an error when going to a bank website.....<div><span style="color:rgb(0,0,0);font-family:'Segoe UI',Tahoma,sans-serif;font-size:15px;line-height:24px;text-transform:uppercase;background-color:rgb(247,247,247)">NET::ERR_CERT_COMMON_NAME_INVALID</span><br></div><div>when I created the certificate, I purposefully left the common name blank as per several articles on ssl_bump. So I'm assuming it's complaining about the CN generated by squid/ssl_bump?<div><br></div><div><br></div></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 6, 2014 at 12:39 AM, Amos Jeffries <span dir="ltr"><<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
</span><span>On 6/10/2014 4:24 p.m., Robert Watson wrote:<br>
> still trying to get this working. To eliminate the self signed<br>
> certificate issue, I got a official signed certificate from<br>
> Starfield Tech. LLC. They've sent two certifcates but I'm unsure<br>
> how to use these certificates since the ssl_bump parameters only<br>
> have one certificate as a parameter<br>
<br>
</span>The CA is very unlikely to be issuing you certificates capable of use<br>
in Squid in the way intended. It is illegal for a trusted root CA to<br>
do so in the country they are registered. Besides that it is downright<br>
foolish for them to give up their trust reputation. Look at what<br>
happened to DigiNotar.<br>
<br>
The point of self-signed is that _your Squid_ is the root CA signer.<br>
<br>
The ssl-bump feature in current Squid makes parameter cert= take the<br>
self-signed CA certificate in PEM format. Squid generates the rest of<br>
the certificte chain as necessary.<br>
<span><br>
><br>
> On Sun, Oct 5, 2014 at 8:52 AM, Eliezer Croitoru wrote:<br>
><br>
> On 10/05/2014 01:22 PM, Amos Jeffries wrote:<br>
>>>> MSIE 11 seems to be growing in popularity for some reason<br>
>>>> ;-)<br>
>>>><br>
>>>> Amos<br>
><br>
> And Still there is:<br>
> <a href="http://bugs.squid-cache.org/show_bug.cgi?id=4115" target="_blank">http://bugs.squid-cache.org/show_bug.cgi?id=4115</a><br>
><br>
> For now I am using ssl_crtd of 3.4.5 for google ssl bump to work.<br>
><br>
> Eliezer<br>
<br>
</span>Amos<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v2.0.22 (MingW32)<br>
<br>
iQEcBAEBAgAGBQJUMkdGAAoJELJo5wb/XPRjygMH/Rk0EYwCgluL1YCWNa8cTZHN<br>
RkPNY1fTbe7U0ioB7J69KTJ07XH8sy0w9bChB5s/siodi3WD8ogZ3VdtEYxcqjf1<br>
9yhb771Il3IiVaAiuF62FHWTEHjwHwTcBVR7/cDxigPW2VuSyyhZsdA8ayl1ZUXO<br>
jW44IH5g0Sja7KVJAfS67AANG4Sp4vMh1rGdXpbP8Bq8QGposL3viGh51z3k6/OP<br>
Dok8oVIsIluICLc8sLAKJbJwaBYSh0SLBrnNUv0Yl6+MtAFNfViXJGa3OfRG5ucQ<br>
aTS9Be4vzJthVdV1+tTtqubCvjrYB7PqQcfL9VzA4UlvQovgPDAnVMO074Kyjug=<br>
=k3K8<br>
<div><div>-----END PGP SIGNATURE-----<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>