<div dir="ltr"><div class="gmail_quote"><div dir="ltr">Hi to all.<div>I keep trying to inspect HTTPS. I think I'm close to doing it. This is my current configuration related to ssl-bump.</div><div><ul style="color:rgb(0,0,0);font-family:Arial,'Lucida Grande',sans-serif;font-size:13.6px;line-height:17px"><li style="list-style-type:none"><pre style="padding:0.5em;font-family:courier,monospace;border:1pt solid rgb(192,192,192);white-space:pre-wrap;word-wrap:break-word;background:rgb(240,236,230)"><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;line-height:normal;white-space:normal;background-color:rgb(255,255,255)"># Squid listen Port</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;line-height:normal;white-space:normal;background-color:rgb(255,255,255)">http_port <a href="http://192.168.1.215:3128/" target="_blank">192.168.1.215:3128</a></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;line-height:normal;white-space:normal;background-color:rgb(255,255,255)">https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;line-height:normal;white-space:normal;background-color:rgb(255,255,255)"><br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;line-height:normal;white-space:normal;background-color:rgb(255,255,255)">#always_direct allow all</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;line-height:normal;white-space:normal;background-color:rgb(255,255,255)">ssl_bump server-first all</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;line-height:normal;white-space:normal;background-color:rgb(255,255,255)">#sslproxy_cert_error deny all</div><div 
style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;line-height:normal;white-space:normal;background-color:rgb(255,255,255)">#sslproxy_flags DONT_VERIFY_PEER</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;line-height:normal;white-space:normal;background-color:rgb(255,255,255)"><br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;line-height:normal;white-space:normal;background-color:rgb(255,255,255)">sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;line-height:normal;white-space:normal;background-color:rgb(255,255,255)">sslcrtd_children 8 startup=1 idle=1</div></pre></li><li style="list-style-type:none"><div><b style="font-family:arial,sans-serif;font-size:small;line-height:normal;color:rgb(34,34,34)"><br></b></div></li><li style="list-style-type:none"><div><b style="font-family:arial,sans-serif;font-size:small;line-height:normal;color:rgb(34,34,34)"><br></b></div></li><li style="list-style-type:none"><div><b style="font-family:arial,sans-serif;font-size:small;line-height:normal;color:rgb(34,34,34)">I'm having this error in Firefox.</b><br></div></li></ul></div><div><div><b>When I try <a href="http://google.com" target="_blank">google.com</a></b></div><div><div>The owner of <a href="http://www.google.com" target="_blank">www.google.com</a> has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.</div><div><br></div><div>This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. 
As a result, it is not possible to add an exception for this certificate.</div></div></div><div><br></div><div><b>or <a href="http://yahoo.com" target="_blank">yahoo.com</a></b></div><div><br></div><div><div><a href="https://search.yahoo.com/yhs/search?p=X.509+version+1+certificates+are+deprecated&ei=UTF-8&hspart=mozilla&hsimp=yhs-005" target="_blank">https://search.yahoo.com/yhs/search?p=X.509+version+1+certificates+are+deprecated&ei=UTF-8&hspart=mozilla&hsimp=yhs-005</a></div><div> An X.509 version 1 certificate that is not a trust anchor was used to issue the server's certificate. X.509 version 1 certificates are deprecated and should not be used to sign other certificates. </div><div>HTTP Strict Transport Security: true </div><div>HTTP Public Key Pinning: false</div></div><div><br></div><div><br></div><div><b>MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA<br></b></div><div><br></div><div>When I create the self-signed certificate, I do it like this:</div><div><ul style="color:rgb(0,0,0);font-family:Arial,'Lucida Grande',sans-serif;font-size:13.6px;line-height:17px"><li style="list-style-type:none"><pre style="padding:0.5em;font-family:courier,monospace;border:1pt solid rgb(192,192,192);white-space:pre-wrap;word-wrap:break-word;background:rgb(240,236,230)">openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes <b>-x509 </b>-keyout myCA.pem -out myCA.pem</pre></li></ul><div><font color="#000000" face="courier, monospace"><span style="font-size:13.6px;line-height:17px;white-space:pre-wrap">So what can I change to avoid the problem?</span></font></div></div><div><font color="#000000" face="courier, monospace"><span style="font-size:13.6px;line-height:17px;white-space:pre-wrap">Thanks to all!!</span></font></div></div>
</div><br></div>
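An added example, not part of the original post: Firefox reports that the certificate which signed the server certificate is X.509 version 1, so the sketch below generates the CA with an explicit v3 extension section and then checks the version and the CA flag. It assumes the v1 certificate came from the `openssl req` command in the post running without such a section; the config file name `ca.cnf`, the subject and the helper function names are constructed for illustration.

```shell
# Added example; file names, subject and helper names are constructed.

# Minimal config: the x509_extensions section makes "req -x509" emit a v3
# certificate that declares itself a CA.
write_ca_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no

[ dn ]
CN = Example Squid Bump CA

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Same command as in the post, plus -config; key and cert share one PEM file.
make_ca() {
    write_ca_config "$1/ca.cnf"
    openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
        -config "$1/ca.cnf" -keyout "$1/myCA.pem" -out "$1/myCA.pem" 2>/dev/null
}

# Print the X.509 version number (1 or 3) of a PEM certificate.
cert_version() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Version: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Succeed only for a v3 certificate carrying basicConstraints CA:TRUE.
usable_as_ca() {
    [ "$(cert_version "$1")" = "3" ] &&
        openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

workdir=$(mktemp -d)
make_ca "$workdir"
if usable_as_ca "$workdir/myCA.pem"; then
    echo "myCA.pem: X.509 v$(cert_version "$workdir/myCA.pem"), CA:TRUE"
else
    echo "myCA.pem: not usable as a signing CA" >&2
fi
```

Running `usable_as_ca` against the existing `/etc/squid/ssl_cert/myca.pem` shows whether the certificate Squid is currently signing with has the same problem.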