Thanks Alex, I will do this tomorrow and let you know.

Thank you, have a great day.

On Wed, 19 May 2021, 21:25 Alex Rousskov, <rouss...@measurement-factory.com> wrote:

> On 5/19/21 4:20 PM, robert k Wild wrote:
>
> > When I don't add the website to the white list I can't view the cert
>
> What prevents you from viewing the certificate? Can you click on the
> site information icon to the left of the browser Location(?) bar when
> the error is displayed? If not, perhaps you can use Firefox built-in
> "Web Developer Tools" (Ctrl-Shift-I on my machine) to get to the
> certificate? I am not a browser expert, but there is usually a way to
> see the certificate if the browser received it.
>
> If nothing works, can you try reproducing using curl or wget instead of
> a browser?
>
> > Or are you talking about turning the proxy off on Firefox and accessing
> > the website normally?
>
> That would give you the third certificate to compare.
>
> Alex.
>
> > On Wed, 19 May 2021, 21:05 Alex Rousskov,
> > <rouss...@measurement-factory.com> wrote:
> >
> > > On 5/19/21 3:44 PM, robert k Wild wrote:
> > >
> > > > when i don't add it to the white list i can't view the website (obviously)
> > > > but can see the cert is provided by my squid (default company ltd)...i
> > > > was lazy creating it but can't view the cert
> > > >
> > > > when i add it to the white list, i can view the website and the cert
> > > > info and it's def from my squid cert (default company ltd) as i see the
> > > > valid dates ie before and after
> > >
> > > The difference between those two certificates, if any, may be able to
> > > explain the difference in browser behavior. It would also be useful to
> > > compare those fake certificates with the real one.
> > >
> > > > i think i need to relax the ciphers in my squid.conf as some other https
> > > > websites i get the error page and i don't get the cert error message
> > > >
> > > > do you think relaxing the ciphers will work?
> > >
> > > Sorry, I do not know. Obviously, you can trivially check this theory.
> > >
> > > Alex.
> > >
> > > > On Wed, 19 May 2021, 19:12 Alex Rousskov wrote:
> > > >
> > > > > On 5/19/21 10:41 AM, robert k Wild wrote:
> > > > >
> > > > > > ok i found out what the error is
> > > > > >
> > > > > > it's because in my squid.conf, i have a whitelist file
> > > > > >
> > > > > > #HTTP_HTTPS whitelist websites
> > > > > > acl whitelist ssl::server_name "/usr/local/squid/etc/urlwhite.txt"
> > > > > > http_access allow activation whitelist
> > > > > > http_access deny all
> > > > > >
> > > > > > once i added the url to that file, it worked
> > > > > >
> > > > > > but surely, instead of giving me an error saying
> > > > > >
> > > > > > secure connection failed
> > > > > > Error code: SEC_ERROR_BAD_SIGNATURE
> > > > > >
> > > > > > it should be the default error ie
> > > > > >
> > > > > > The following error was encountered while trying to retrieve the URL:
> > > > > > https://blah.blah
> > > > > >
> > > > > > Access Denied.
> > > > > >
> > > > > > how can i change this please
> > > > >
> > > > > The answer depends on _why_ you get that SEC_ERROR_BAD_SIGNATURE error.
> > > > >
> > > > > If Squid does not have enough information to properly bump your client
> > > > > connection, then there may be no bumping-based solution at all (e.g.
> > > > > when the client is using certificate pinning), or you would have to bump
> > > > > at step2 when more information is available to Squid (to generate a
> > > > > better fake certificate).
> > > > >
> > > > > For the next step, try comparing the fake certificate that causes
> > > > > SEC_ERROR_BAD_SIGNATURE with the fake same-site certificate that works
> > > > > after you whitelist the problematic site. The browser should allow you
> > > > > to view both certificates. You can download them and use certificate
> > > > > printing tools like "openssl x509 -noout -text -in ..." to compare two
> > > > > certificate printouts.
> > > > >
> > > > > HTH,
> > > > >
> > > > > Alex.
> > > > >
> > > > > > On Wed, 19 May 2021 at 13:54, robert k Wild wrote:
> > > > > >
> > > > > > > hi all,
> > > > > > >
> > > > > > > i have squid 4.15
> > > > > > >
> > > > > > > i have imported my self signed cert on firefox and now i can access
> > > > > > > https website (whereas before i got a software is preventing this
> > > > > > > website from opening)
> > > > > > >
> > > > > > > but on some websites i get an error saying
> > > > > > >
> > > > > > > secure connection failed
> > > > > > > Error code: SEC_ERROR_BAD_SIGNATURE
> > > > > > >
> > > > > > > i attach my ssl bump conf in my squid.conf file
> > > > > > >
> > > > > > > #SSL Bump
> > > > > > > http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
> > > > > > > sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
> > > > > > > acl step1 at_step SslBump1
> > > > > > > ssl_bump peek step1
> > > > > > > ssl_bump bump all
> > > > > > >
> > > > > > > is there anything wrong you can see, i have tried to make a new CA
> > > > > > > but error still occurs
> > > > > > >
> > > > > > > thanks,
> > > > > > > rob
> > > > > > >
> > > > > > > --
> > > > > > > Regards,
> > > > > > >
> > > > > > > Robert K Wild.
> > > > > >
> > > > > > --
> > > > > > Regards,
> > > > > >
> > > > > > Robert K Wild.

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
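
The certificate comparison suggested in the thread with "openssl x509 -noout -text", as an added example that is not part of the original messages: it reduces each certificate to its subject, issuer, validity dates, fingerprint and signature/key algorithms, then diffs the two summaries. The function names, the make_sample_cert helper and the example.test certificates are constructed for illustration.

```shell
#!/bin/sh
# Compare the fields of two certificates that matter when a browser rejects
# a Squid-generated (bumped) certificate with SEC_ERROR_BAD_SIGNATURE.

# cert_fields FILE: print identity, validity, fingerprint and algorithm lines.
cert_fields() {
    openssl x509 -noout -subject -issuer -dates -fingerprint -sha256 -in "$1"
    # -text prints the signature algorithm twice and the key type and size once;
    # sort -u collapses the repeats.
    openssl x509 -noout -text -in "$1" |
        grep -E 'Signature Algorithm:|Public Key Algorithm:|Public-Key:' |
        sed 's/^ *//' | sort -u
}

# compare_certs A.pem B.pem: print a diff of the two summaries.
# Returns 0 when they match and 1 when any field differs.
compare_certs() {
    a=$(mktemp) b=$(mktemp)
    cert_fields "$1" > "$a"
    cert_fields "$2" > "$b"
    rc=0
    diff "$a" "$b" || rc=$?
    rm -f "$a" "$b"
    return "$rc"
}

# make_sample_cert OUT.pem DIGEST: hypothetical helper that builds a constructed
# self-signed certificate (not one from the thread) so the comparison runs offline.
make_sample_cert() {
    key=$(mktemp)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$key" -out "$1" \
        -days 1 "-$2" -subj "/O=Default Company Ltd/CN=example.test" 2>/dev/null
    rm -f "$key"
}

# With PEM files saved from the browser (hypothetical file names):
#   compare_certs bumped-denied.pem bumped-allowed.pem
#   compare_certs bumped-allowed.pem origin.pem
```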