[squid-users] Squid custom error page
Alex Rousskov
rousskov at measurement-factory.com
Thu May 18 18:42:15 UTC 2017
On 05/18/2017 11:40 AM, chcs wrote:
> HTTPS/SSL Interception, Enable SSL filtering, splice all, CA: Let's Encrypt authority
> One more question:
> With 2 different CA certificates to block twitter.com >> different results
>
> Issuer: self-signed 0 10.0.0.100 TAG_NONE/403 4709 GET
> https://www.twitter.com/ - HIER_NONE/- text/html
> Result: no problem, it shows me the squid custom error page
>
> Issuer: Let's Encrypt 0 10.0.0.100 TCP_DENIED/403 4714 CONNECT
> www.twitter.com:443 - HIER_NONE/- text/html
> Result: It doesn't show me the squid custom error page

Let's Encrypt does not issue CA certificates. You need a CA certificate
for an SslBump setup to work for more than one site. Let's Encrypt also
does not issue leaf certificates for www.twitter.com unless you control
www.twitter.com.

When you generated a self-signed certificate, you probably generated a
CA certificate. If you did not, then you will encounter problems if you
try to import that certificate in browsers/clients that require CA
certificates. See the OpenSSL command below for one way to check what
you have generated.

CA certificates have an x509 "Basic Constraints" extension with a
CA:TRUE constraint. For example:

> $ openssl x509 -in CA-priv+pub.pem -text -noout | fgrep -A 1 'Basic'
> X509v3 Basic Constraints:
> CA:TRUE

HTH,

Alex.
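
The Basic Constraints check from the message above, wrapped as a pre-flight test for a certificate that is meant to sign SslBump-generated certificates. This is an added example, not part of the original message; the function names and the two constructed test certificates are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original message. Function names are hypothetical.

# is_ca_cert FILE: succeed only if the PEM certificate has Basic Constraints CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A 1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# make_test_cert OUT_PEM TRUE|FALSE: constructed self-signed sample certificate
# whose Basic Constraints CA flag is set explicitly (key is written to OUT_PEM.key).
make_test_cert() {
    cfg=$(mktemp) || return 1
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = constructed-example
[ext]
basicConstraints = critical,CA:$2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
        -keyout "$1.key" -out "$1" 2>/dev/null
    rc=$?
    rm -f "$cfg"
    return "$rc"
}

# check_signing_cert FILE: report whether FILE can act as a signing (CA) certificate.
check_signing_cert() {
    if is_ca_cert "$1"; then
        echo "$1: CA:TRUE, can be used as a CA certificate"
    else
        echo "$1: no CA:TRUE constraint, not a CA certificate"
        return 1
    fi
}

# Demo on two constructed certificates.
tmp=$(mktemp -d)
make_test_cert "$tmp/ca.pem" TRUE
make_test_cert "$tmp/leaf.pem" FALSE
check_signing_cert "$tmp/ca.pem"
check_signing_cert "$tmp/leaf.pem" || true
rm -rf "$tmp"
```

A certificate file that is missing or unreadable is also reported as not a CA, since `openssl x509` produces no text for `grep` to match.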