[squid-users] Chrome 67 Issue with SSL Bump
Amos Jeffries
squid3 at treenet.co.nz
Wed Jun 27 18:27:22 UTC 2018
On 28/06/18 05:55, Amit Pasari - XS INFOSOL Inc. USA wrote:
> On 6/27/18 11:20 PM, Amit Pasari - XS INFOSOL Inc. USA wrote:
>> Dear Walter ,
>>
>> I use
>>
>> sslproxy_cert_sign_hash sha256
>>
>> and use a SHA-256 certificate
>>
>> The result is still the same .
>>
>> "NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM"
Based on <https://bugs.chromium.org/p/chromium/issues/detail?id=655318>
v67 may have moved on to SHA-512 now, or this site be using SHA-386.
Is there any way you can debug *which* certificate in the certificate
chain is producing that error?
It could be the server cert, or an intermediary, or the root CA.
Also, there are other uses of signatures in TLS/SSL that you could
check. eg the signature on serverHello messages. The error does point at
certs, but all Browsers have a history of wrongly re-using error
messages for only slightly related things at times if their translators
did not produce new texts fast enough for their release cycle.
>>
>> Also one more thing , when i open yahoo.com with any of those
>> certificates in CHROME , the content of yahoo comes inline i,e without
>> any CSS etc ...
>>
This may be a side effect of the same issue affecting separate
connections those background objects are fetched over. OR, it could e
something completely unrelated. They are not use-visible so error
messages not as clearly "in your face".
Either way concentrate on one problem at a time.
>> One more strange thing i noticed , when i browse using Firefox ,
>> safari , IE , all URLs are coming in squid/access.log where as when i
>> use CHROME only few IPs comes in access logs with CONNECT on 443 .
Not strange at all. Different browsers/clients do different things. You
only get the decrypted messages if you successfully decrypted them.
>>
>> I also noticed with using CHROME the below type of requests :
>> POST
>> http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-certs
>>
I suggest you look that domain and/or URL up. What its used for impacts
your ability to perform SSL-Bump.
Amos
More information about the squid-users
mailing list