Thanks Alex,

When I don't add the website to the white list I can't view the cert, so I can't download it and compare it with the one I can view/download when I do add it to the white list.

Or are you talking about turning the proxy off on Firefox and accessing the website normally?

Thanks,
Rob

On Wed, 19 May 2021, 21:05 Alex Rousskov, <rouss...@measurement-factory.com> wrote:

> On 5/19/21 3:44 PM, robert k Wild wrote:
>
> > when I don't add it to the white list I can't view the website (obviously)
> > but can see the cert is provided by my squid (default company ltd)...I
> > was lazy creating it but can't view the cert
> >
> > when I add it to the white list, I can view the website and the cert
> > info and it's def from my squid cert (default company ltd) as I see the
> > valid dates ie before and after
>
> The difference between those two certificates, if any, may be able to
> explain the difference in browser behavior. It would also be useful to
> compare those fake certificates with the real one.
>
>
> > I think I need to relax the ciphers in my squid.conf as some other https
> > websites I get the error page and I don't get the cert error message
> >
> > do you think relaxing the ciphers will work?
>
> Sorry, I do not know. Obviously, you can trivially check this theory.
>
> Alex.
>
>
> > On Wed, 19 May 2021, 19:12 Alex Rousskov wrote:
> >
> >     On 5/19/21 10:41 AM, robert k Wild wrote:
> >     > ok I found out what the error is
> >     >
> >     > it's because in my squid.conf, I have a whitelist file
> >     >
> >     > #HTTP_HTTPS whitelist websites
> >     > acl whitelist ssl::server_name "/usr/local/squid/etc/urlwhite.txt"
> >     > http_access allow activation whitelist
> >     > http_access deny all
> >     >
> >     > once I added the url to that file, it worked
> >     >
> >     > but surely, instead of giving me an error saying
> >     >
> >     > secure connection failed
> >     > Error code: SEC_ERROR_BAD_SIGNATURE
> >     >
> >     > it should be the default error ie
> >     >
> >     > The following error was encountered while trying to retrieve the URL:
> >     > https://blah.blah
> >     >
> >     > Access Denied.
> >     >
> >     > how can I change this please
> >
> >     The answer depends on _why_ you get that SEC_ERROR_BAD_SIGNATURE error.
> >
> >     If Squid does not have enough information to properly bump your client
> >     connection, then there may be no bumping-based solution at all (e.g.
> >     when the client is using certificate pinning), or you would have to bump
> >     at step2 when more information is available to Squid (to generate a
> >     better fake certificate).
> >
> >     For the next step, try comparing the fake certificate that causes
> >     SEC_ERROR_BAD_SIGNATURE with the fake same-site certificate that works
> >     after you whitelist the problematic site. The browser should allow you
> >     to view both certificates. You can download them and use certificate
> >     printing tools like "openssl x509 -noout -text -in ..." to compare two
> >     certificate printouts.
> >
> >     HTH,
> >
> >     Alex.
> >
> >
> >     > On Wed, 19 May 2021 at 13:54, robert k Wild wrote:
> >     >
> >     >     hi all,
> >     >
> >     >     I have squid 4.15
> >     >
> >     >     I have imported my self signed cert on firefox and now I can access
> >     >     https website (whereas before I got a software is preventing this
> >     >     website from opening)
> >     >
> >     >     but on some websites I get an error saying
> >     >
> >     >     secure connection failed
> >     >     Error code: SEC_ERROR_BAD_SIGNATURE
> >     >
> >     >     I attach my ssl bump conf in my squid.conf file
> >     >
> >     >     #SSL Bump
> >     >     http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
> >     >     sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
> >     >     acl step1 at_step SslBump1
> >     >     ssl_bump peek step1
> >     >     ssl_bump bump all
> >     >
> >     >     is there anything wrong you can see, I have tried to make a new CA
> >     >     but error still occurs
> >     >
> >     >     thanks,
> >     >     rob
> >     >
> >     >     --
> >     >     Regards,
> >     >
> >     >     Robert K Wild.
> >     >
> >     > --
> >     > Regards,
> >     >
> >     > Robert K Wild.

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
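
The comparison suggested in the thread (print both fake certificates with "openssl x509 -noout -text" and compare the printouts), written out as an added example; it is not part of the original messages and is not Squid project code. It assumes both certificates were exported from the browser as PEM files and that the first argument is the CA certificate imported into the browser; the file names and function names are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example: compare two Squid-generated ("fake") certificates for one site.
# Usage: sh compare_fake_certs.sh CA.pem failing.pem working.pem
# All three file names are placeholders for PEM files you exported yourself.

# Print the fields most likely to explain a browser's signature or chain error.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -serial -dates \
        -fingerprint -sha256
    # Algorithm and key-size lines only appear in the full -text printout.
    openssl x509 -in "$1" -noout -text |
        grep -E 'Signature Algorithm:|Public Key Algorithm:|Public-Key:' |
        sed 's/^ *//' | sort -u
}

# Check that certificate $2 chains to CA certificate $1 (signature, issuer
# name and validity dates). Prints openssl's verdict; non-zero on failure.
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" 2>&1
}

# Verify both certificates against the CA, then diff their summaries.
# Returns 0 if the summaries are identical, 1 if they differ.
compare_fake_certs() {
    for f in "$2" "$3"; do
        verify_against_ca "$1" "$f" || echo "-> $f does not verify against $1"
    done
    tmp=$(mktemp -d) || return 2
    cert_summary "$2" >"$tmp/failing.txt"
    cert_summary "$3" >"$tmp/working.txt"
    rc=0
    diff -u "$tmp/failing.txt" "$tmp/working.txt" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Run only when called with the three file arguments.
if [ "$#" -eq 3 ]; then
    compare_fake_certs "$@"
fi
```

Lines prefixed with "-" in the diff belong to the failing certificate and lines prefixed with "+" to the working one; running the same summary on the site's real certificate gives the third data point mentioned in the thread.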