[squid-users] Squid custom error page

Alex Rousskov rousskov at measurement-factory.com
Thu May 18 18:42:15 UTC 2017


On 05/18/2017 11:40 AM, chcs wrote:

> HTTPS/SSL Interception, Enable SSL filtering, splice all, CA: Let's Encrypt authority

> One more question:
> With 2 different CA certificates to block twitter.com >> different results
> 
> Issuer: self-signed    0 10.0.0.100 TAG_NONE/403 4709 GET
> https://www.twitter.com/ - HIER_NONE/- text/html
> Result: no problem, it shows me squid custom error page
>  
> Issuer: Let's Encrypt  0 10.0.0.100 TCP_DENIED/403 4714 CONNECT
> www.twitter.com:443 - HIER_NONE/- text/html
> Result: It doesn't show me squid custom error page

Let's Encrypt does not issue CA certificates. You need a CA certificate
for an SslBump setup to work for more than one site. Let's Encrypt also
does not issue leaf certificates for www.twitter.com unless you control
www.twitter.com.

When you generated a self-signed certificate, you probably generated a
CA certificate. If you did not, then you will encounter problems if you
try to import that certificate in browsers/clients that require CA
certificates. See the OpenSSL command below for one way to check what
you have generated.

CA certificates have an x509 "Basic Constraints" extension with a
CA:TRUE constraint. For example:

> $ openssl x509 -in CA-priv+pub.pem -text -noout | fgrep -A 1 'Basic'
>             X509v3 Basic Constraints: 
>                 CA:TRUE

HTH,

Alex.
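
Added example, not part of the original message: the Basic Constraints check described above, wrapped in a function and run against three throwaway self-signed certificates (CA:TRUE, CA:FALSE, and no Basic Constraints extension at all). The function name `is_ca_cert`, the config section names, the file names and the subject CN are assumptions made up for this illustration.

```shell
#!/bin/sh
# Added example: classify constructed certificates by their X509v3 Basic
# Constraints. File names, section names and is_ca_cert are hypothetical.

# Succeeds only if the PEM certificate in $1 carries CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A 1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# Create a throwaway self-signed certificate using extension section $1.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$workdir/example.cnf" -extensions "$1" \
        -keyout "$workdir/$1.key" -out "$workdir/$1.pem" 2>/dev/null
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed OpenSSL config: one extension section per test certificate.
cat > "$workdir/example.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed-example.invalid
[ca_ext]
basicConstraints = critical,CA:TRUE
[leaf_ext]
basicConstraints = CA:FALSE
[no_bc_ext]
keyUsage = digitalSignature
EOF

for kind in ca_ext leaf_ext no_bc_ext; do
    make_cert "$kind"
    if is_ca_cert "$workdir/$kind.pem"; then
        echo "$kind: CA:TRUE present, this is a CA certificate"
    else
        echo "$kind: no CA:TRUE, not a CA certificate"
    fi
done
```

Only the first certificate passes; a self-signed certificate without CA:TRUE is the case the message warns will cause problems when imported into clients that require CA certificates.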


