Hello,

can someone please try the following website with Google Chrome (I use the latest release: Version 39.0.2171.99 m): https://banking.ing-diba.at/ (an electronic banking site) with the following policy enabled:

    RequireOnlineRevocationChecksForLocalAnchors = 1

With this banking site I get the following error from Google Chrome:

    "Your connection is not private. Attackers might be trying to steal your information from banking.ing-diba.at (for example, passwords, messages, or credit cards)."

With the following banking sites of other banks I have no trouble: https://ebanking.easybank.at/ or https://banking.raiffeisen.at/

Without enabling the policy above (or not setting it at all), this banking site works, but the symbol it shows differs; it is the same as if a man-in-the-middle like SSL-Bump were in between. Google Chrome uses the same cert store as IE, and with IE there is no connection problem; the only other thing the banking site is telling is that the browser is outdated (of course, IE 7). The IE even shows a green bar when connecting to this banking site ...

Can someone please tell me what is special with this banking site: https://banking.ing-diba.at/ ?
I'm using SSL bump with the exception of banking sites; the specific part of the squid.conf looks like this:

    acl ssl_bump_domains_bankingsites dstdomain banking.raiffeisen.at banking.ing-diba.at ebanking.easybank.at services.kepler.at www.kepler.at www.rcb.at
    acl ssl_bump_domains_msftupdates dstdomain .update.microsoft.com
    ssl_bump none ssl_bump_domains_bankingsites
    ssl_bump none ssl_bump_domains_msftupdates
    ssl_bump server-first all
    sslproxy_cert_error allow all
    sslproxy_cipher HIGH:MEDIUM:!AECDH:!ADH:!DSS:!SSLv2:+SSLv3:+3DES:!MD5
    sslproxy_flags DONT_VERIFY_PEER,NO_DEFAULT_CA
    sslproxy_options NO_SSLv2 NO_SSLv3
    sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/local/squid/ssl_db -M 16MB
    sslcrtd_children 8
    # squid.pem contains both cert+key
    http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/cert/squid.pem options=NO_SSLv2,SINGLE_DH_USE dhparams=/etc/squid/cert/dhparam.pem

I'm using my own CA; this means this SSL-bump CA cert is signed by my root CA certificate. What is missing, wrong, ... so that this one banking site will work ...?

The SSL-bump CA certificate contains this:

    Authority Information Access:
        OCSP - URI:#url-to-ocsp#
        CA Issuers - URI:#url-to-root-cert#

and

    X509v3 CRL Distribution Points:
        Full Name:
          URI:#url-to-crl#

Everything is working: the OCSP, the root cert, and the CRL ... What causes Google Chrome to produce the error mentioned above when activating the mentioned policy?

The question to Squid specialists: was it a good idea signing the SSL-bump CA certificate with the root certificate of my CA?

Thanks

-- 
Best regards,
Walter H.
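The check a practitioner would run before blaming the bank or the policy, as an added example that is not part of the original mail and not Squid's or OpenSSL's own tooling: Chrome's RequireOnlineRevocationChecksForLocalAnchors hard-fails any chain that validates to a locally installed CA unless an online revocation check succeeds, and that applies to every certificate the browser receives, not only to the bump CA. Behind a bumping proxy the leaf is whatever ssl_crtd generated, so the script below captures the chain as presented (directly, or through a proxy) and reports, per certificate, whether it carries an OCSP responder or CRL distribution point at all. It assumes OpenSSL 1.1.1 or newer on PATH (the `-proxy` flag of `s_client` needs 1.1.0+); the host and proxy names in the usage comments are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original mail and not Squid's or OpenSSL's
# own tooling. Assumes OpenSSL 1.1.1 or newer on PATH (s_client -proxy).
#
# Chrome's RequireOnlineRevocationChecksForLocalAnchors hard-fails a chain
# that validates to a locally installed CA unless an online revocation check
# succeeds, so every non-root certificate the browser receives needs an OCSP
# responder or CRL distribution point it can reach.  Behind a bumping proxy
# the leaf is the one ssl_crtd generated, not the server's own certificate.

# Capture the chain presented for host $1 (port $2, default 443), optionally
# through an HTTP proxy given as host:port in $3, as a PEM bundle on stdout.
# Usage: grab_chain bank.example.test 443 proxy.example.test:3128 > chain.pem
grab_chain() {
  host="$1"; port="${2:-443}"; proxy="$3"
  if [ -n "$proxy" ]; then
    printf '' | openssl s_client -proxy "$proxy" -connect "$host:$port" \
                  -servername "$host" -showcerts 2>/dev/null
  else
    printf '' | openssl s_client -connect "$host:$port" \
                  -servername "$host" -showcerts 2>/dev/null
  fi | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/'
}

# Split a PEM bundle ($1) into cert01.pem, cert02.pem, ... in directory $2.
split_chain() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n) }
    f != ""                       { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
  ' "$1"
}

# True when the certificate in $1 is self-signed (subject equals issuer);
# the trust anchor itself is not subject to the online check.
is_self_signed() {
  s=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  i=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
  [ "$s" = "$i" ]
}

# Report the OCSP responder and CRL URL of the certificate in $1.
# Succeeds when at least one of the two pointers is present.
check_cert() {
  subject=$(openssl x509 -in "$1" -noout -subject)
  ocsp=$(openssl x509 -in "$1" -noout -ocsp_uri)
  # x509 has no flag that prints the CRL DP alone, so take the first URI
  # under that extension header in the text dump and stop at the next one.
  crl=$(openssl x509 -in "$1" -noout -text | awk '
    /CRL Distribution Points/             { want = 1; next }
    want && /X509v3|Signature Algorithm/  { exit }
    want && /URI:/                        { sub(/.*URI:/, ""); print; exit }')
  printf '%s\n  OCSP: %s\n  CRL:  %s\n' "$subject" "${ocsp:-<none>}" "${crl:-<none>}"
  [ -n "$ocsp" ] || [ -n "$crl" ]
}

# Audit every certificate in the PEM bundle $1.  The exit status is the
# number of non-root certificates that carry neither pointer, so 0 means
# the chain at least gives Chrome something to query online.
audit_chain() {
  dir=$(mktemp -d)
  split_chain "$1" "$dir"
  missing=0
  for f in "$dir"/cert*.pem; do
    if is_self_signed "$f"; then
      echo "anchor (not checked online): $(openssl x509 -in "$f" -noout -subject)"
      continue
    fi
    check_cert "$f" || missing=$((missing + 1))
  done
  rm -rf "$dir"
  return "$missing"
}
```

Run `grab_chain` once straight to the site and once with the Squid port as proxy, then `audit_chain` each bundle: if the two bundles differ, the proxy is bumping that host after all, and the audit of the proxied bundle shows whether the generated leaf and the bump CA both give Chrome a revocation URL to query. A non-zero exit status names the certificate that would make the policy hard-fail regardless of how well the CA's own OCSP responder and CRL work.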