[squid-users] Squid 4.0.10 https intercept

admin admin at tisiz72.ru
Thu May 12 03:00:56 UTC 2016


I create the cert:

openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout squidCA.pem -out squidCA.pem

And export it:

openssl x509 -in squidCA.pem -outform DER -out squidCA.crt

Wrong?



Amos Jeffries wrote 2016-05-11 17:18:

> On 11/05/2016 11:59 p.m., admin wrote:
> 
>> I just thought! I ran the
>> 
>> openssl x509 -in squidCA.pem -outform DER -out squidCA.crt
>> 
>> import cert and now get ERR_CERT_COMMON_NAME_INVALID
>> 
>> where did I go wrong?
> 
> Hmm. I'm not sure that one is you. If it is getting past the CA trust
> check then what you did earlier was okay.
> 
> This one sounds like either the CA was generated with something for CN
> field that was not right. Or that the cert generated by Squid is broken
> in that way.
> 
> There are two reasons the Squid generated cert might be broken. In this
> order of relevance:
> 
> 1) the server the client was trying to contact had a broken cert. Mimic
> feature in Squid will copy cert breakages so the client can make its
> security decisions on as fully accurate information as possible.
> 
> 2) a bug in Squid.
> 
> Some more research to find out what exactly is being identified as
> invalid, and where it comes from, will be needed to discover which case
> is relevant.
> 
> Amos
> 
>> Amos Jeffries wrote 2016-05-11 16:43:
>> 
>>> On 11/05/2016 6:35 p.m., Компания АйТи Крауд wrote:
>>> 
>>>> hi!
>>>> 
>>>> I use squid 4.0.10 in INTERCEPT mode. If I deny some users
>>>> (ip-addresses) with
>>>> 
>>>> acl users_no_inet src "/etc/squid/ip-groups/no-inet"
>>>> http_access deny users_no_inet
>>>> 
>>>> ERR_ACCESS_DENIED is displayed when they go to HTTP. If they go to HTTPS,
>>>> then first I see the browser's NET::ERR_CERT_AUTHORITY_INVALID, and after
>>>> clicking "unsecure" I see ERR_ACCESS_DENIED.
>>>> 
>>>> How to make it correctly display ERR_ACCESS_DENIED on HTTPS for a denied
>>>> user in Squid 4.0?
>>> 
>>> What you describe above is correct behaviour. The browser does not trust
>>> your proxy's CA.
>>> 
>>> The only way to get around the browser warning about the TLS security issue
>>> is to install the CA used by the proxy into the browser's trusted CA set.
>>> 
>>> Amos
>>> 
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users at lists.squid-cache.org
>>> http://lists.squid-cache.org/listinfo/squid-users
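A worked version of the CA steps discussed in this thread, added here as an example and not a command from the list post or from Squid itself: it generates the proxy CA with explicit CA extensions (the command above relies on openssl defaults and a 1024-bit key), exports the DER copy for browser import, and prints the names a certificate carries, which is what to compare against the requested hostname when chasing down an ERR_CERT_COMMON_NAME_INVALID report on the Squid-served cert versus the origin's own cert. File names, the 2048-bit key size and the CN are assumptions.

```shell
#!/bin/sh
# Added example for this thread (not from the list post or Squid): build a
# Squid ssl_bump CA with explicit CA extensions, export DER for the browser,
# and inspect the names a certificate carries.
set -eu

# make_squid_ca DIR: writes DIR/squidCA.pem (key + cert, the layout Squid
# expects) and DIR/squidCA.crt (DER copy for importing into a browser).
make_squid_ca() {
    dir=$1
    # A plain self-signed end-entity cert is not accepted as an issuer;
    # the CA must carry basicConstraints CA:TRUE and keyCertSign.
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
CN = Squid proxy CA (example)
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -new -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
        -config "$dir/ca.cnf" -keyout "$dir/squidCA.key" \
        -out "$dir/squidCA.cert" 2>/dev/null
    cat "$dir/squidCA.key" "$dir/squidCA.cert" > "$dir/squidCA.pem"
    # Same export step as in the thread: PEM cert -> DER for the browser.
    openssl x509 -in "$dir/squidCA.pem" -outform DER -out "$dir/squidCA.crt"
}

# is_ca_cert FILE: exit 0 if the PEM certificate in FILE is marked as a CA.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# cert_names FILE: print the subject (CN) and any subjectAltName entries.
# Run it on the cert Squid served (saved from the browser) and on the origin
# server's own cert: if both carry the same wrong name, the mismatch was
# mimicked from the origin; if only Squid's does, the problem is local.
cert_names() {
    openssl x509 -in "$1" -noout -subject
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}
```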

