[squid-users] HTTPS chrome - SHA1 this page is insecure
Alex Rousskov
rousskov at measurement-factory.com
Wed Aug 31 15:24:29 UTC 2016
On 08/31/2016 09:15 AM, Amos Jeffries wrote:
> On 1/09/2016 2:26 a.m., erdosain9 wrote:
>> Hi.
>> Im using ssl-bump.. all ir working fine, but i want to know if it is
>> possible that which is not seen crossed out and red "https".
>> This happen just in Chrome
>> This page is insecure (broken HTTPS)
>> SHA-1 Certificate
>> The certificate for this site expires in 2017 or later, and the certificate
>> chain contains a certificate signed using SHA-1.
Sounds like you are running an old Squid version.
> This requires changes to the certificate generator used by SSL-Bump.
> IIRC there were some patches, but I can't find them right now in the
> changesets. If the issue exists in current releases then please ask on
> squid-dev.
See http://www.squid-cache.org/Doc/config/sslproxy_cert_sign_hash/
> Of course, its possible the site realy does have a SHA1 certificate and
> Squid is just passing on the real details. The mimic feature is designed
> to ensure TLS is actually transparent as best we can manage.
I have not checked, but I doubt we mimic the signing algorithm (because
it would make client-Squid communication less secure?). If we do, we
should update the wiki page that lists what is being mimicked.
HTH,
Alex.
More information about the squid-users
mailing list