[squid-users] getting sslbump cert errors on major sites

Jason Haar Jason_Haar at trimble.com
Thu Oct 2 23:09:24 UTC 2014


Hi there

I'm using sslbump and I just got blocked logging into hotmail for the
first time (yeah, slumming it ;-)

The cert is for bay181.mail.live.com, and squid is generating a "CN=Not
trusted by xxxxx" type cert, as I assume it wasn't signed by a CA that
squid knew about?

I whitelisted live.com (i.e. don't bump it any more) and the problem goes
away for Firefox.

I'm running Ubuntu 14.04, so does this mean that the db of CAs Ubuntu
trusts does not include the same CA-chain that browsers do?

i.e., I have

http_port 3128 ssl-bump cert=/usr/local/squid/etc/squidCA.cert capath=/etc/ssl/certs/

so this means the CAs Ubuntu lists in /etc/ssl/certs/ is "out of date"
compared with Firefox?

Really a rhetorical question, just kinda wanting to know about where
sslbump will run into trouble, etc :-)

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
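
One way to test the question raised in the message above, added here as an example and not part of the original post: check whether a certificate chains to a CA in a capath-style directory, using the openssl command line. The root CA, the leaf name mail.example.test and the function names make_demo and check_capath are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. All keys, certificates and names below are constructed.

make_demo() {   # build a throwaway root CA, a leaf it signs, and three CA dirs
    d=$1
    mkdir -p "$d/known" "$d/unhashed" "$d/empty"
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Demo Root
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
    openssl req -new -config "$d/ca.cnf" -subj "/CN=mail.example.test" \
        -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" >/dev/null 2>&1
    # A capath directory is searched by subject hash: the file must be <hash>.0
    h=$(openssl x509 -in "$d/ca.pem" -noout -subject_hash)
    cp "$d/ca.pem" "$d/known/$h.0"
    cp "$d/ca.pem" "$d/unhashed/root.pem"   # present, but never found by lookup
}

check_capath() {   # usage: check_capath DIR CERT.pem
    # "file: OK" on stdout is the success marker across openssl versions
    if openssl verify -CApath "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
        echo trusted
    else
        echo untrusted
    fi
}

demo=$(mktemp -d)
make_demo "$demo"
for dir in known unhashed empty; do
    echo "$dir: $(check_capath "$demo/$dir" "$demo/leaf.pem")"
done
```

For the setup in the message, the directory argument would be /etc/ssl/certs and the certificate a saved PEM copy of what the server presented; any intermediates the server sends can be supplied to openssl verify with -untrusted.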