<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
On 01.02.2015 23:48, Walter H. wrote:<br>
<span style="white-space: pre;">> Hello,<br>
><br>
> can someone please try the following website with Google Chrome - I use the latest release: Version 39.0.2171.99 m -<br>
><br>
> <a class="moz-txt-link-freetext" href="https://banking.ing-diba.at/">https://banking.ing-diba.at/</a> (an electronic banking site)<br>
><br>
> with the following policy enabled:<br>
><br>
> RequireOnlineRevocationChecksForLocalAnchors = 1<br>
><br>
> with this banking site I get the following error from Google Chrome:<br>
><br>
> "Your connection is not private<br>
><br>
> Attackers might be trying to steal your information from banking.ing-diba.at (for example, passwords, messages, or credit cards)."<br>
><br>
> with the following banking sites of other banks I have no troubles:<br>
><br>
> <a class="moz-txt-link-freetext" href="https://ebanking.easybank.at/">https://ebanking.easybank.at/</a> or<br>
> <a class="moz-txt-link-freetext" href="https://banking.raiffeisen.at/">https://banking.raiffeisen.at/</a><br>
><br>
> without enabling the policy above, or without setting it at all, this banking site works, but<br>
> the symbol it shows differs; it is the same as if a man-in-the-middle like SSL-Bump were in between;<br>
><br>
> Google Chrome uses the same cert store as IE, and with IE there is no connection problem,<br>
> only one other thing the banking site is telling me: the browser is outdated - of course, it is IE 7;<br>
> IE even shows a green bar when connecting to this banking site ...<br>
><br>
> can someone please tell me what is so special about this banking site: <a class="moz-txt-link-freetext" href="https://banking.ing-diba.at/">https://banking.ing-diba.at/</a> ?<br>
><br>
> I'm using SSL bump with the exception of banking sites; the specific part of the squid.conf<br>
> looks like this:<br>
><br>
> acl ssl_bump_domains_bankingsites dstdomain banking.raiffeisen.at banking.ing-diba.at ebanking.easybank.at services.kepler.at <a class="moz-txt-link-abbreviated" href="http://www.kepler.at">www.kepler.at</a> <a class="moz-txt-link-abbreviated" href="http://www.rcb.at">www.rcb.at</a><br>
> acl ssl_bump_domains_msftupdates dstdomain .update.microsoft.com<br>
> ssl_bump none ssl_bump_domains_bankingsites<br>
> ssl_bump none ssl_bump_domains_msftupdates<br>
> ssl_bump server-first all</span><br>
You are doing it wrong. You don't know the site names BEFORE the bump.<br>
<br>
Just change the ACL for banking to the dst (IP-based) type and list the banking
sites' IPs.<br>
<span style="white-space: pre;">> sslproxy_cert_error allow all<br>
> sslproxy_cipher HIGH:MEDIUM:!AECDH:!ADH:!DSS:!SSLv2:+SSLv3:+3DES:!MD5<br>
> sslproxy_flags DONT_VERIFY_PEER,NO_DEFAULT_CA</span><br>
You can remove NO_DEFAULT_CA.<br>
<span style="white-space: pre;">> sslproxy_options NO_SSLv2 NO_SSLv3<br>
><br>
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/local/squid/ssl_db -M 16MB<br>
> sslcrtd_children 8<br>
><br>
> http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/cert/squid.pem options=NO_SSLv2,SINGLE_DH_USE dhparams=/etc/squid/cert/dhparam.pem</span><br>
Add the capath parameter to your ssl-bump port. How do you want to bump
without the CAs' public keys?<br>
<span style="white-space: pre;">><br>
> # squid.pem contains both cert+key<br>
><br>
> I'm using my own CA; this means this SSL-bump CA cert is signed by my root CA certificate;<br>
><br>
> what is missing, wrong, ... so that this one banking site will work ...?<br>
><br>
> the SSL-bump CA certificate contains this:<br>
><br>
> Authority Information Access:<br>
> OCSP - URI:#url-to-ocsp#<br>
> CA Issuers - URI:#url-to-root-cert#<br>
><br>
> and<br>
><br>
> X509v3 CRL Distribution Points:<br>
> Full Name:<br>
> URI:#url-to-crl#<br>
><br>
> everything is working: the OCSP, the root cert, and the CRL ...<br>
><br>
> what causes Google Chrome to produce the error mentioned above when activating the mentioned policy?<br>
><br>
> the question to squid specialists: was it a good idea signing the SSL-bump CA certificate with the root certificate of my CA?</span><br>
No. But you can ask him. :) Tell us what he says. ;)<br>
<br>
NP. In two words: you want to be an RA. I.e., with your root CA that is
signed by a CA, you can sign anything as a trusted authority, without
actually being a trusted RA.<br>
<span style="white-space: pre;">><br>
> Thanks<br>
><br>
><br>
><br>
> _______________________________________________<br>
> squid-users mailing list<br>
> <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
> <a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a></span><br>
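<br>
An added example, not the configuration of either poster: a squid.conf fragment that applies the two changes suggested in the reply, an IP-based dst ACL for the banking sites that must never be bumped and a CA store so Squid can verify upstream certificates, and that drops DONT_VERIFY_PEER together with the blanket sslproxy_cert_error allow, which between them make Squid accept any upstream certificate. The IP addresses are constructed placeholders, /etc/ssl/certs as the CA directory is an assumption, and the directive names are those of Squid 3.x (the reply's capath is applied here through sslproxy_capath).<br>

```conf
# Constructed example for the thread above; not the original poster's squid.conf.
# The reply's point: the destination name is not known when the ssl_bump
# decision is made, so pin the never-bump sites by address. The IPs below are
# placeholders (RFC 5737 documentation ranges); resolve the real ones yourself.
acl ssl_bump_ip_bankingsites dst 192.0.2.10/32 192.0.2.11/32 198.51.100.20/32
acl ssl_bump_domains_msftupdates dstdomain .update.microsoft.com

ssl_bump none ssl_bump_ip_bankingsites
ssl_bump none ssl_bump_domains_msftupdates
ssl_bump server-first all

# Verify the origin server's certificate against a CA store instead of
# accepting anything: no DONT_VERIFY_PEER, no NO_DEFAULT_CA, and no
# "sslproxy_cert_error allow all". /etc/ssl/certs is an assumed path.
sslproxy_capath /etc/ssl/certs
sslproxy_options NO_SSLv2,NO_SSLv3

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/local/squid/ssl_db -M 16MB
sslcrtd_children 8

# squid.pem contains both the bump CA certificate and its key, as in the original.
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/cert/squid.pem options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE dhparams=/etc/squid/cert/dhparam.pem
```

An IP-based exception only holds while the banks' addresses stay the same, so the dst list has to be re-checked whenever they change; a site that silently moves to a new address would be bumped and then carry a certificate from the local CA instead of the bank's.<br>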
<br>
<br>
<br>
</body>
</html>