[squid-users] squid self signed cert error on some websites

Alex Rousskov rousskov at measurement-factory.com
Wed May 19 18:12:21 UTC 2021


On 5/19/21 10:41 AM, robert k Wild wrote:
> ok i found out what the error is
> 
> its because in my squid.conf, i have a whitelist file
> 
> #HTTP_HTTPS whitelist websites
> acl whitelist ssl::server_name "/usr/local/squid/etc/urlwhite.txt"
> http_access allow activation whitelist
> http_access deny all
> 
> once i added the url to that file, it worked
> 
> but surely, instead of giving me an error saying
> 
> secure connection failed
> Error code: SEC_ERROR_BAD_SIGNATURE
> 
> it should be the default error ie
> 
> The following error was encountered while trying to retrieve the URL:
> https://blah.blah <https://blah.blah>
> 
>     Access Denied.
> 
> how can i change this please

The answer depends on _why_ you get that SEC_ERROR_BAD_SIGNATURE error.

If Squid does not have enough information to properly bump your client
connection, then there may be no bumping-based solution at all (e.g.
when the client is using certificate pinning), or you would have to bump
at step2 when more information is available to Squid (to generate a
better fake certificate).

For the next step, try comparing the fake certificate that causes
SEC_ERROR_BAD_SIGNATURE with the fake same-site certificate that works
after you whitelist the problematic site. The browser should allow you
to view both certificates. You can download them and use certificate
printing tools like "openssl x509 -noout -text -in ..." to compare two
certificate printouts.

HTH,

Alex.


> On Wed, 19 May 2021 at 13:54, robert k Wild wrote:
> 
>     hi all,
> 
>     i have squid 4.15
> 
>     i have imported my self signed cert on firefox and now i can access
>     https website (whereas before i got a software is preventing this
>     website from opening)
> 
>     but on some websites i get an error saying
> 
>     secure connection failed
>     Error code: SEC_ERROR_BAD_SIGNATURE
> 
>     i attach my ssl bump conf in my squid.conf file
> 
>     #SSL Bump
>     http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
>     sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
>     acl step1 at_step SslBump1
>     ssl_bump peek step1
>     ssl_bump bump all
> 
>     is there anything wrong you can see, i have tried to make a new CA
>     but error still occurs
> 
>     thanks,
>     rob
> 
>     -- 
>     Regards,
> 
>     Robert K Wild.
> 
> 
> 
> -- 
> Regards,
> 
> Robert K Wild.
> 
> 

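Alex's advice is to compare the printouts of the fake certificate that fails with the one that works. The script below is an added example, not code from this thread or from the Squid project: it reduces two `openssl x509 -noout -text` printouts to the fields a browser actually decides on (issuer, subject, subjectAltName, signature and key algorithms, validity window) and diffs just those. The two sample printouts are constructed inline; the differences between them (a missing SAN and a different signature algorithm) are made up to exercise the script and are not a claim about what Squid generated in Robert's setup.

```shell
#!/bin/sh
# Added example (not from the squid-users thread or the Squid project):
# summarize two "openssl x509 -noout -text" printouts and show only the
# fields that differ. The sample printouts are constructed test data.

# cert_summary FILE: print the fields a browser's trust decision depends on
# as key=value lines. Only the first "Signature Algorithm:" is kept (openssl
# prints it twice, once in the TBS data and once before the signature bytes).
cert_summary() {
    awk '
        /^ *Issuer:/                { sub(/^ *Issuer: */, "");  print "issuer=" $0 }
        /^ *Subject:/               { sub(/^ *Subject: */, ""); print "subject=" $0 }
        /Signature Algorithm:/      { sub(/.*Signature Algorithm: */, ""); if (!seen++) print "sigalg=" $0 }
        /Public Key Algorithm:/     { sub(/.*Public Key Algorithm: */, ""); print "keyalg=" $0 }
        /Not Before:/               { sub(/.*Not Before: */, ""); print "not_before=" $0 }
        /Not After :/               { sub(/.*Not After : */, ""); print "not_after=" $0 }
        san                         { sub(/^ */, ""); print "san=" $0; san = 0 }
        /Subject Alternative Name:/ { san = 1 }   # the SAN value is on the next line
    ' "$1"
}

# compare_certs A B: print the summarized fields that differ between the two
# printouts (< A, > B); exit status 0 when they match, 1 when they differ.
compare_certs() {
    sum_a=$(mktemp); sum_b=$(mktemp)
    cert_summary "$1" | sort > "$sum_a"
    cert_summary "$2" | sort > "$sum_b"
    if cmp -s "$sum_a" "$sum_b"; then
        rm -f "$sum_a" "$sum_b"
        echo "no differences in summarized fields"
        return 0
    fi
    echo "fields that differ (< $1, > $2):"
    diff "$sum_a" "$sum_b" | grep '^[<>]'
    rm -f "$sum_a" "$sum_b"
    return 1
}

# write_samples DIR: create two constructed printouts. works.txt mimics a
# generated certificate that carries a SAN; fails.txt is the same printout
# with the SAN lines removed and a different signature algorithm (made-up
# differences, chosen only so the comparison has something to show).
write_samples() {
    cat > "$1/works.txt" <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0d:1b:2c:3d:4e:5f:60:71
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = myCA
        Validity
            Not Before: May 19 00:00:00 2021 GMT
            Not After : May 19 00:00:00 2022 GMT
        Subject: CN = www.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:www.example.com, DNS:example.com
    Signature Algorithm: sha256WithRSAEncryption
EOF
    grep -v -e 'Subject Alternative Name' -e 'DNS:' "$1/works.txt" \
        | sed 's/sha256WithRSAEncryption/sha1WithRSAEncryption/' > "$1/fails.txt"
}

# Demo run on the constructed samples.
dir=$(mktemp -d)
write_samples "$dir"
echo "== working certificate"; cert_summary "$dir/works.txt"
echo "== failing certificate"; cert_summary "$dir/fails.txt"
compare_certs "$dir/works.txt" "$dir/fails.txt" || echo "(exit status 1: the certificates differ)"
rm -rf "$dir"
```

On a real proxy you would export the two certificates from the browser, run `openssl x509 -noout -text -in works.pem > works.txt` (and the same for the failing one), and then call `compare_certs works.txt fails.txt`; a mismatch in issuer or a missing SAN is the kind of difference worth taking back to the list, whereas identical summaries point away from the generated certificate and towards something the bumping step cannot fix, such as pinning.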


More information about the squid-users mailing list