<div dir="ltr"><div>ok, bit wierd but its sorted itself out after a reboot?!?!</div><div><br></div><div>so now even when i dont whitelist the websites, when i go on them, instead of getting the cert error message, i get now the normal error message, saying access denied by your admin</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, 19 May 2021 at 21:52, robert k Wild <<a href="mailto:robertkwild@gmail.com">robertkwild@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">I'm following this guide<div dir="auto"><br></div><div dir="auto"><a href="https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit" target="_blank">https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit</a><br></div><div dir="auto"><br></div><div dir="auto">The section</div><div dir="auto"><br></div><div dir="auto"><h3>Alternative trust roots</h3><div dir="auto"><br></div><div dir="auto">I don't have a dir called </div><div dir="auto"><br></div><div dir="auto">Usr local openssl</div><div dir="auto"><br></div><div dir="auto">Do I have to download the the ca bundle file somewhere?</div><div dir="auto"><br></div><div dir="auto"><br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, 19 May 2021, 21:34 robert k Wild, <<a href="mailto:robertkwild@gmail.com" target="_blank">robertkwild@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">Thanks Alex, I will do this tomorrow and let you know<div dir="auto"><br></div><div dir="auto">Thank you, have a great day</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, 19 May 2021, 21:25 Alex Rousskov, <<a href="mailto:rousskov@measurement-factory.com" rel="noreferrer" target="_blank">rousskov@measurement-factory.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 5/19/21 4:20 PM, robert k Wild wrote:<br>
<br>
> When I don't add the website to the white list I can't view the cert<br>
<br>
What prevents you from viewing the certificate? Can you click on the<br>
site information icon to the left of the browser Location(?) bar when<br>
the error is displayed? If not, perhaps you can use FireFox built-in<br>
"Web Developer Tools" (Ctrl-Shift-I on my machine) to get to the<br>
certificate? I am not a browser expert, but there is usually a way to<br>
see the certificate if the browser received it.<br>
<br>
If nothing works, can you try reproducing using curl or wget instead of<br>
a browser?<br>
<br>
<br>
> Or are you talking about turn the proxy off on Firefox and access the<br>
> website normally?<br>
<br>
That would give you the third certificate to compare.<br>
<br>
Alex.<br>
<br>
<br>
> On Wed, 19 May 2021, 21:05 Alex Rousskov,<br>
> <<a href="mailto:rousskov@measurement-factory.com" rel="noreferrer noreferrer" target="_blank">rousskov@measurement-factory.com</a><br>
> <mailto:<a href="mailto:rousskov@measurement-factory.com" rel="noreferrer noreferrer" target="_blank">rousskov@measurement-factory.com</a>>> wrote:<br>
> <br>
> On 5/19/21 3:44 PM, robert k Wild wrote:<br>
> <br>
> > when i dont add it to the white list i cant view the website<br>
> (obviously)<br>
> > but can see the cert is provided by my squid (default company ltd)...i<br>
> > was lazy creating it but cant view the cert<br>
> ><br>
> > when i add it to the white list, i can view the website and the cert<br>
> > info and its def from my squid cert (default company ltd) as i see the<br>
> > valid dates ie before and after<br>
> <br>
> The difference between those two certificates, if any, may be able to<br>
> explain the difference in browser behavior. It would also be useful to<br>
> compare those fake certificates with the real one.<br>
> <br>
> <br>
> > i think i need to relax the ciphers in my squid.conf as some other<br>
> https<br>
> > websites i get the error page and i dont get the cert error message<br>
> ><br>
> > do you think relaxing the ciphers will work?<br>
> <br>
> Sorry, I do not know. Obviously, you can trivially check this theory.<br>
> <br>
> Alex.<br>
> <br>
> <br>
> > On Wed, 19 May 2021, 19:12 Alex Rousskov wrote:<br>
> ><br>
> > On 5/19/21 10:41 AM, robert k Wild wrote:<br>
> > > ok i found out what the error is<br>
> > ><br>
> > > its because in my squid.conf, i have a whitelist file<br>
> > ><br>
> > > #HTTP_HTTPS whitelist websites<br>
> > > acl whitelist ssl::server_name<br>
> "/usr/local/squid/etc/urlwhite.txt"<br>
> > > http_access allow activation whitelist<br>
> > > http_access deny all<br>
> > ><br>
> > > once i added the url to that file, it worked<br>
> > ><br>
> > > but surely, instead of giving me an error saying<br>
> > ><br>
> > > secure connection failed<br>
> > > Error code: SEC_ERROR_BAD_SIGNATURE<br>
> > ><br>
> > > it should be the default error ie<br>
> > ><br>
> > > The following error was encountered while trying to retrieve<br>
> the URL:<br>
> > > <a href="https://blah.blah" rel="noreferrer noreferrer noreferrer" target="_blank">https://blah.blah</a> <<a href="https://blah.blah" rel="noreferrer noreferrer noreferrer" target="_blank">https://blah.blah</a>> <<a href="https://blah.blah" rel="noreferrer noreferrer noreferrer" target="_blank">https://blah.blah</a><br>
> <<a href="https://blah.blah" rel="noreferrer noreferrer noreferrer" target="_blank">https://blah.blah</a>>> <<a href="https://blah.blah" rel="noreferrer noreferrer noreferrer" target="_blank">https://blah.blah</a> <<a href="https://blah.blah" rel="noreferrer noreferrer noreferrer" target="_blank">https://blah.blah</a>><br>
> > <<a href="https://blah.blah" rel="noreferrer noreferrer noreferrer" target="_blank">https://blah.blah</a> <<a href="https://blah.blah" rel="noreferrer noreferrer noreferrer" target="_blank">https://blah.blah</a>>>><br>
> > ><br>
> > > Access Denied.<br>
> > ><br>
> > > how can i change this please<br>
> ><br>
> > The answer depends on _why_ you get that<br>
> SEC_ERROR_BAD_SIGNATURE error.<br>
> ><br>
> > If Squid does not have enough information to properly bump<br>
> your client<br>
> > connection, then there may be no bumping-based solution at all<br>
> (e.g.<br>
> > when the client is using certificate pinning), or you would<br>
> have to bump<br>
> > at step2 when more information is available to Squid (to<br>
> generate a<br>
> > better fake certificate).<br>
> ><br>
> > For the next step, try comparing the fake certificate that causes<br>
> > SEC_ERROR_BAD_SIGNATURE with the fake same-site certificate<br>
> that works<br>
> > after you whitelist the problematic site. The browser should<br>
> allow you<br>
> > to view both certificates. You can download them and use<br>
> certificate<br>
> > printing tools like "openssl x509 -noout -text -in ..." to<br>
> compare two<br>
> > certificate printouts.<br>
> ><br>
> > HTH,<br>
> ><br>
> > Alex.<br>
> ><br>
> ><br>
> > > On Wed, 19 May 2021 at 13:54, robert k Wild wrote:<br>
> > ><br>
> > > hi all,<br>
> > ><br>
> > > i have squid 4.15<br>
> > ><br>
> > > i have imported my self signed cert on firefox and now i can<br>
> > access<br>
> > > https website (where as before i got a software is<br>
> preventing this<br>
> > > website from opening)<br>
> > ><br>
> > > but on some websites i get an error saying<br>
> > ><br>
> > > secure connection failed<br>
> > > Error code: SEC_ERROR_BAD_SIGNATURE<br>
> > ><br>
> > > i attach my ssl bump conf in my squid.conf file<br>
> > ><br>
> > > #SSL Bump<br>
> > > http_port 3128 ssl-bump<br>
> > cert=/usr/local/squid/etc/ssl_cert/myCA.pem<br>
> > > generate-host-certificates=on<br>
> dynamic_cert_mem_cache_size=4MB<br>
> > > <br>
> > <br>
> cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS<br>
> > > sslcrtd_program<br>
> /usr/local/squid/libexec/security_file_certgen -s<br>
> > > /var/lib/ssl_db -M 4MB<br>
> > > acl step1 at_step SslBump1<br>
> > > ssl_bump peek step1<br>
> > > ssl_bump bump all<br>
> > ><br>
> > > is there anything wrong you can see, i have tried to<br>
> make a new CA<br>
> > > but error still occures<br>
> > ><br>
> > > thanks,<br>
> > > rob<br>
> > ><br>
> > > --<br>
> > > Regards,<br>
> > ><br>
> > > Robert K Wild.<br>
> > ><br>
> > ><br>
> > ><br>
> > > --<br>
> > > Regards,<br>
> > ><br>
> > > Robert K Wild.<br>
> > ><br>
> > > _______________________________________________<br>
> > > squid-users mailing list<br>
> > > <a href="mailto:squid-users@lists.squid-cache.org" rel="noreferrer noreferrer" target="_blank">squid-users@lists.squid-cache.org</a><br>
> <mailto:<a href="mailto:squid-users@lists.squid-cache.org" rel="noreferrer noreferrer" target="_blank">squid-users@lists.squid-cache.org</a>><br>
> > <mailto:<a href="mailto:squid-users@lists.squid-cache.org" rel="noreferrer noreferrer" target="_blank">squid-users@lists.squid-cache.org</a><br>
> <mailto:<a href="mailto:squid-users@lists.squid-cache.org" rel="noreferrer noreferrer" target="_blank">squid-users@lists.squid-cache.org</a>>><br>
> > > <a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer noreferrer noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
> <<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer noreferrer noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a>><br>
> > <<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer noreferrer noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
> <<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer noreferrer noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a>>><br>
> > ><br>
> ><br>
> > _______________________________________________<br>
> > squid-users mailing list<br>
> > <a href="mailto:squid-users@lists.squid-cache.org" rel="noreferrer noreferrer" target="_blank">squid-users@lists.squid-cache.org</a><br>
> <mailto:<a href="mailto:squid-users@lists.squid-cache.org" rel="noreferrer noreferrer" target="_blank">squid-users@lists.squid-cache.org</a>><br>
> > <mailto:<a href="mailto:squid-users@lists.squid-cache.org" rel="noreferrer noreferrer" target="_blank">squid-users@lists.squid-cache.org</a><br>
> <mailto:<a href="mailto:squid-users@lists.squid-cache.org" rel="noreferrer noreferrer" target="_blank">squid-users@lists.squid-cache.org</a>>><br>
> > <a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer noreferrer noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
> <<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer noreferrer noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a>><br>
> > <<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer noreferrer noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
> <<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer noreferrer noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a>>><br>
> ><br>
> <br>
<br>
</blockquote></div>
</blockquote></div>
</blockquote></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr">Regards, <br><br>Robert K Wild.<br></div></div>