[squid-users] Strange behaviour with Chrome (client OS = WinXP x64) ...
Yuri Voinov
yvoinov at gmail.com
Sun Feb 1 18:16:20 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
01.02.2015 23:48, Walter H. пишет:
> Hello,
>
> can someone please try the following website with Google Chrome - I
use the latest release: Version 39.0.2171.99 m -
>
> https://banking.ing-diba.at/ (an electronic Banking site)
>
> with the following policy enabled:
>
> RequireOnlineRevocationChecksForLocalAnchors = 1
>
> with this banking site I get the following error from Google Chrome
>
> "Your connection is not private
>
> Attackers might be trying to steal your information from
banking.ing-diba.at (for example, passwords, messages, or credit cards)."
>
> with the following banking sites of other banks I have no troubles:
>
> https://ebanking.easybank.at/ or
> https://banking.raiffeisen.at/
>
> without enabling the policy above or not setting at all, this banking
site works, but
> the symbol it shows differs; it is the same as if a man-in-the-middle
like SSL-Bump would be between;
>
> Google chrome uses the same cert store as IE, and with IE there is no
connection problem,
> only another thing the banking site is telling: the browser is out
dated, of course IE 7
> the IE even shows a green bar when connecting to this banking site ...
>
> can someone please tell me what is there special with this banking
site: https://banking.ing-diba.at/ ?
>
> I'm using SSL bump with the exception of banking sites, the specific
part of the squid.conf
> looks like this:
>
> acl ssl_bump_domains_bankingsites dstdomain banking.raiffeisen.at
banking.ing-diba.at ebanking.easybank.at services.kepler.at
www.kepler.at www.rcb.at
> acl ssl_bump_domains_msftupdates dstdomain .update.microsoft.com
> ssl_bump none ssl_bump_domains_bankingsites
> ssl_bump none ssl_bump_domains_msftupdates
> ssl_bump server-first all
You do it wrong. You don't know site names BEFORE bump.
Just change acl for banking to dst (ip-based) type and list banking
sites IP.
> sslproxy_cert_error allow all
> sslproxy_cipher HIGH:MEDIUM:!AECDH:!ADH:!DSS:!SSLv2:+SSLv3:+3DES:!MD5
> sslproxy_flags DONT_VERIFY_PEER,NO_DEFAULT_CA
You can remove NO_DEFAULT_CA.
> sslproxy_options NO_SSLv2 NO_SSLv3
>
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/local/squid/ssl_db
-M 16MB
> sslcrtd_children 8
>
> http_port 3128 ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=16MB cert=/etc/squid/cert/squid.pem
options=NO_SSLv2,SINGLE_DH_USE dhparams=/etc/squid/cert/dhparam.pem
Add capath parameter to your ssl-bump port. How you want to bump without
CA's public keys?
>
> # squid.pem contains both cert+key
>
> I'm using my own CA, this means this SSL-bump CA cert is signed by my
root CA certificate;
>
> what is missing, wrong, ... so that this one banking site will work ...?
>
> the SSL-bump CA certificate contain this:
>
> Authority Information Access:
> OCSP - URI:#url-to-ocsp#
> CA Issuers - URI:#url-to-root-cert#
>
> and
>
> X509v3 CRL Distribution Points:
> Full Name:
> URI:#url-to-crl#
>
> everything is working, the OCSP, the root-cert, and the CRL ...
>
> what causes Google Chrome producing the mentioned error above, when
activating this mentioned policy?
>
> the question to squid specialists: was it a good idea signing the
SSL-bump CA certificate with the root certificate of my CA?
No. But you can ask him. :) Tell us what he says. ;)
NP. In two words: You want to be RA. I.e., you can sign your signed (by
CA) root CA anything as trusted authority. Without actually being a
trusted RA
>
> Thanks
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBAgAGBQJUzm1zAAoJENNXIZxhPexG0tgH/0PC7+RdzNml58s6vDl9eL8N
DeJuCjTkLUp2ZUXiFCOQ7S24VqfcegHUdnlin6Eghg5ksbHGFxQGEhRJbHr+HoWj
MXs4FKAv+i8SKSlFWtSTCZWNoOc3dLPYOetLHUmbF/RE6ymSUM+M8IVGpi/5r+I3
j8U+mCP58p6oBQ0iJykH85EB7IjS/U9Sx7L+tBsTiAqAuisC2yS0UqLwchVM+zeB
uf+YJSOZu3fzg+8ZutpVdwlKfdpQpC5mFKMscQ9v1A5D1cOcrPesiHfRod5XKA/Y
tLzDT/8jdkpBVb98GwfAbBh6cyfCRTey5aPIu3WopTh6SSi4vvqvuacLPFORCe0=
=Pqdl
-----END PGP SIGNATURE-----
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150202/c58b8200/attachment.html>
More information about the squid-users
mailing list