[squid-users] Squid 4.0.10 https intercept
admin
admin at tisiz72.ru
Thu May 12 03:00:56 UTC 2016
I create cert:
openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout squidCA.pem -out squidCA.pem
And export it:
openssl x509 -in squidCA.pem -outform DER -out squidCA.crt
Wrong?
Amos Jeffries wrote 2016-05-11 17:18:
> On 11/05/2016 11:59 p.m., admin wrote:
>
>> I just thought! I ran the
>>
>> openssl x509 -in squidCA.pem -outform DER -out squidCA.crt
>>
>> imported the cert and now get ERR_CERT_COMMON_NAME_INVALID
>>
>> where did I go wrong?
>
> Hmm. I'm not sure that one is you. If it is getting past the CA trust
> check then what you did earlier was okay.
>
> This one sounds like either the CA was generated with something for CN
> field that was not right. Or that the cert generated by Squid is broken
> in that way.
>
> There are two reasons the Squid generated cert might be broken. In this
> order of relevance:
>
> 1) the server the client was trying to contact had a broken cert. Mimic
> feature in Squid will copy cert breakages so the client can make its
> security decisions on as fully accurate information as possible.
>
> 2) a bug in Squid.
>
> Some more research to find out what exactly is being identified as
> invalid, and where it comes from will be needed to discover which case
> is relevant.
>
> Amos
>
> Amos Jeffries wrote 2016-05-11 16:43:
>
> On 11/05/2016 6:35 p.m., Компания АйТи Крауд wrote:
>
> hi!
>
> I use squid 4.0.10 in INTERCEPT mode. If I deny some users
> (ip-addresses) with
>
> acl users_no_inet src "/etc/squid/ip-groups/no-inet"
> http_access deny users_no_inet
>
> ERR_ACCESS_DENIED is displayed when I go to HTTP. If I go to HTTPS then
> first I see the browser's NET::ERR_CERT_AUTHORITY_INVALID, and then after
> clicking "unsecure" I see ERR_ACCESS_DENIED.
>
> How do I make ERR_ACCESS_DENIED display correctly on HTTPS for a denied
> user in Squid 4.0?
>
> What you describe above is correct behaviour. The browser does not
> trust your proxy's CA.
>
> The only way to get around the browser warning about TLS security issue
> is to install the CA used by the proxy into the browser trusted CA set.
>
> Amos
>
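Following up on the "more research" suggested in the quoted reply, one way to see which names a served certificate carries and whether a given hostname matches them. This is an added example, not part of the original thread; the hostnames, file names and helper functions are constructed, and `-addext` assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: all hostnames and file names here are constructed.
# To inspect a live connection, save the certificate the client is served:
#   openssl s_client -connect HOST:443 -servername HOST </dev/null | openssl x509 > seen.pem
# once through the proxy and once from a machine that bypasses it, then compare.

# Print the identity fields a browser's hostname check reads.
cert_names() {
    openssl x509 -in "$1" -noout -subject -issuer
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' || echo "    (no subjectAltName)"
}

# Exit status 0 if the certificate is valid for hostname $2, 1 otherwise.
host_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Write a constructed self-signed certificate to $1 with CN $2 and SAN DNS name $3.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$3" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Show the names in certificate $1 and the result of a name check for host $2.
report() {
    cert_names "$1"
    if host_matches "$1" "$2"; then
        echo "=> $2: name check passes"
    else
        echo "=> $2: name mismatch"
    fi
}

work=$(mktemp -d)
# CN and SAN agree: the name check passes.
make_sample "$work/good.pem" www.example.test www.example.test
# SAN lists a different host: the CN is ignored once a DNS SAN is present.
make_sample "$work/bad.pem"  www.example.test other.example.test
report "$work/good.pem" www.example.test
report "$work/bad.pem"  www.example.test
```

Running the same `cert_names` and `host_matches` checks on the certificate seen through the proxy and on the origin server's own certificate shows whether a name mismatch originates at the server or appears only in the proxy-generated certificate.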