[squid-users] squid self signed cert error on some websites
robert k Wild
robertkwild at gmail.com
Wed May 19 20:34:28 UTC 2021
Thanks Alex, I will do this tomorrow and let you know
Thank you, have a great day
On Wed, 19 May 2021, 21:25 Alex Rousskov, <rousskov at measurement-factory.com> wrote:
> On 5/19/21 4:20 PM, robert k Wild wrote:
>
> > When I don't add the website to the whitelist, I can't view the cert.
>
> What prevents you from viewing the certificate? Can you click on the
> site information icon to the left of the browser Location(?) bar when
> the error is displayed? If not, perhaps you can use Firefox built-in
> "Web Developer Tools" (Ctrl-Shift-I on my machine) to get to the
> certificate? I am not a browser expert, but there is usually a way to
> see the certificate if the browser received it.
>
> If nothing works, can you try reproducing using curl or wget instead of
> a browser?
>
>
> > Or are you talking about turn the proxy off on Firefox and access the
> > website normally?
>
> That would give you the third certificate to compare.
>
> Alex.
>
>
> > On Wed, 19 May 2021, 21:05 Alex Rousskov, <rousskov at measurement-factory.com> wrote:
> >
> > On 5/19/21 3:44 PM, robert k Wild wrote:
> >
> > > When I don't add it to the whitelist I can't view the website
> > > (obviously), but I can see the cert is provided by my Squid (Default
> > > Company Ltd). I was lazy creating it but can't view the cert.
> > >
> > > When I add it to the whitelist, I can view the website and the cert
> > > info, and it's definitely from my Squid cert (Default Company Ltd) as
> > > I see the valid dates, i.e. before and after.
> >
> > The difference between those two certificates, if any, may be able to
> > explain the difference in browser behavior. It would also be useful to
> > compare those fake certificates with the real one.
> >
> >
> > > I think I need to relax the ciphers in my squid.conf as on some other
> > > HTTPS websites I get the error page and I don't get the cert error
> > > message.
> > >
> > > Do you think relaxing the ciphers will work?
> >
> > Sorry, I do not know. Obviously, you can trivially check this theory.
> >
> > Alex.
> >
> >
> > > On Wed, 19 May 2021, 19:12 Alex Rousskov wrote:
> > >
> > > On 5/19/21 10:41 AM, robert k Wild wrote:
> > > > OK, I found out what the error is.
> > > >
> > > > It's because in my squid.conf I have a whitelist file:
> > > >
> > > > #HTTP_HTTPS whitelist websites
> > > > acl whitelist ssl::server_name "/usr/local/squid/etc/urlwhite.txt"
> > > > http_access allow activation whitelist
> > > > http_access deny all
> > > >
> > > > Once I added the URL to that file, it worked.
> > > >
> > > > But surely, instead of giving me an error saying
> > > >
> > > > secure connection failed
> > > > Error code: SEC_ERROR_BAD_SIGNATURE
> > > >
> > > > it should be the default error, i.e.
> > > >
> > > > The following error was encountered while trying to retrieve the URL:
> > > > https://blah.blah
> > > >
> > > > Access Denied.
> > > >
> > > > How can I change this, please?
> > >
> > > The answer depends on _why_ you get that SEC_ERROR_BAD_SIGNATURE error.
> > >
> > > If Squid does not have enough information to properly bump your client
> > > connection, then there may be no bumping-based solution at all (e.g.
> > > when the client is using certificate pinning), or you would have to bump
> > > at step2 when more information is available to Squid (to generate a
> > > better fake certificate).
> > >
> > > For the next step, try comparing the fake certificate that causes
> > > SEC_ERROR_BAD_SIGNATURE with the fake same-site certificate that works
> > > after you whitelist the problematic site. The browser should allow you
> > > to view both certificates. You can download them and use certificate
> > > printing tools like "openssl x509 -noout -text -in ..." to compare two
> > > certificate printouts.
> > >
> > > HTH,
> > >
> > > Alex.
> > >
> > >
> > > > On Wed, 19 May 2021 at 13:54, robert k Wild wrote:
> > > >
> > > > Hi all,
> > > >
> > > > I have Squid 4.15.
> > > >
> > > > I have imported my self-signed cert into Firefox and now I can
> > > > access HTTPS websites (whereas before I got "software is
> > > > preventing this website from opening").
> > > >
> > > > But on some websites I get an error saying
> > > >
> > > > secure connection failed
> > > > Error code: SEC_ERROR_BAD_SIGNATURE
> > > >
> > > > I attach my SSL bump conf from my squid.conf file:
> > > >
> > > > #SSL Bump
> > > > http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
> > > > sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
> > > > acl step1 at_step SslBump1
> > > > ssl_bump peek step1
> > > > ssl_bump bump all
> > > >
> > > > Is there anything wrong you can see? I have tried to make a new CA,
> > > > but the error still occurs.
> > > >
> > > > Thanks,
> > > > Rob
> > > >
> > > > --
> > > > Regards,
> > > >
> > > > Robert K Wild.
> > > >
> > > > _______________________________________________
> > > > squid-users mailing list
> > > > squid-users at lists.squid-cache.org
> > > > http://lists.squid-cache.org/listinfo/squid-users
> > >
> >
>
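Alex's advice in the thread is to compare the fake certificate that triggers SEC_ERROR_BAD_SIGNATURE with the fake one that works after whitelisting, and both with the origin's real certificate, using "openssl x509 -noout -text". The shell script below is an added example for doing that comparison; it is not part of the original thread and is not Squid's or the poster's code. It fetches a site's certificate either directly or through an explicit proxy with openssl s_client, reduces each certificate to the fields that usually differ between a mimic certificate and the real one (subject, issuer, validity, signature algorithm, subjectAltName), diffs them, and checks which CA issued each. So that it can run offline, it also builds a throwaway proxy CA, an unrelated "public" CA and two leaf certificates for a made-up hostname; those CA names, file names and the hostname are assumptions of this example, and the generated certificates are constructed demo data, not anything from the thread.

```shell
#!/bin/sh
# Added example (not from the squid-users thread or from Squid itself).
# Compares X.509 certificates the way Alex suggests: print the fields that
# matter for an SSL-bump mismatch and diff them. Requires openssl and diff.

# fetch_cert HOST [PORT] [PROXY_HOST:PORT]
# Prints the leaf certificate HOST serves, in PEM, either straight from the
# origin or through an explicit proxy (e.g. the bumping Squid on port 3128).
fetch_cert() {
  host=$1; port=${2:-443}; proxy=$3
  if [ -n "$proxy" ]; then
    openssl s_client -proxy "$proxy" -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null
  else
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null
  fi | openssl x509
}

# cert_fields FILE.pem
# One line per field: subject, issuer, validity, signature algorithm and
# subjectAltName. A different issuer, a missing SAN or a different signature
# algorithm between the fake and the real certificate shows up here.
cert_fields() {
  openssl x509 -in "$1" -noout -subject -issuer -dates
  openssl x509 -in "$1" -noout -text |
    awk '/Signature Algorithm:/ && !done { print "sigalg=" $NF; done = 1 }
         /Subject Alternative Name:/ { getline; sub(/^[ \t]+/, ""); print "san=" $0 }'
}

# cert_diff A.pem B.pem
# Prints a unified diff of the two summaries; exit status 0 only if identical.
cert_diff() {
  a=$(mktemp) || return 2
  b=$(mktemp) || { rm -f "$a"; return 2; }
  cert_fields "$1" > "$a"
  cert_fields "$2" > "$b"
  if diff -u "$a" "$b"; then rc=0; else rc=$?; fi
  rm -f "$a" "$b"
  return $rc
}

# is_issued_by LEAF.pem CA.pem
# Exit 0 if LEAF chains to CA: tells you whether a certificate came from the
# bumping proxy's CA or from the origin's public CA.
is_issued_by() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# --- offline demo data: constructed for this example, not real certificates ---

# make_ca DIR BASENAME SUBJECT: self-signed CA with explicit CA extensions,
# so openssl verify accepts it as a trust anchor on any OpenSSL version.
make_ca() {
  dir=$1; name=$2; subj=$3
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/$name.ext"
  openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name.key" -days 30 \
    -extfile "$dir/$name.ext" -out "$dir/$name.pem" 2>/dev/null
}

# issue_leaf DIR HOST CA_BASENAME OUT_BASENAME SAN_LIST DAYS
issue_leaf() {
  dir=$1; host=$2; ca=$3; out=$4; san=$5; days=$6
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/$out.key" -out "$dir/$out.csr" 2>/dev/null
  printf 'subjectAltName=%s\n' "$san" > "$dir/$out.ext"
  openssl x509 -req -in "$dir/$out.csr" -CA "$dir/$ca.pem" -CAkey "$dir/$ca.key" \
    -CAcreateserial -days "$days" -extfile "$dir/$out.ext" -out "$dir/$out.pem" 2>/dev/null
}

# make_demo_certs DIR HOST
# Creates a throwaway proxy CA (standing in for the "Default Company Ltd" CA in
# the thread), an unrelated public CA, the mimic cert the proxy would hand the
# browser (fake.pem) and the cert the origin would serve (real.pem). The real
# cert deliberately has an extra SAN and a longer validity so the diff is non-empty.
make_demo_certs() {
  dir=$1; host=$2
  make_ca "$dir" proxy-ca "/O=Default Company Ltd/CN=Squid bump CA"
  make_ca "$dir" real-ca  "/O=Example Public CA/CN=Example Root"
  issue_leaf "$dir" "$host" proxy-ca fake "DNS:$host" 10
  issue_leaf "$dir" "$host" real-ca  real "DNS:$host,DNS:www.$host" 365
}
```

In the situation described in the thread you would save the certificate Firefox shows for the failing site and for the whitelisted site as PEM (or take them with `fetch_cert host 443 proxyhost:3128`), take the origin's own with `fetch_cert host 443`, and run `cert_diff` on each pair; `is_issued_by fake.pem myCA.pem` confirms that a given certificate really came from the Squid CA. `cert_fields` summarises deliberately rather than diffing the full `-text` output, because serial numbers and key material differ between any two generated certificates and would bury the fields that explain a browser rejection.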