On 25/03/2014 4:29 a.m., Emmanuel LAZARO - S.IM.KO. wrote:
> Hi again,
>
> In addition I can say this problem (sec_error_unknown_issuer) appears when I am using a "real" certificate from VeriSign, which is well known by the web browser.
>
> I read here: http://squid-web-proxy-cache.1019090.n4.nabble.com/Need-help-on-SSL-bump-and-certificate-chain-td4659421.html
>
> that I can't do what I want with a signed certificate from a known authority.
>
> So I tried using a self-signed certificate, but it doesn't work, with the error: sec_error_untrusted_issuer
>

This *is* working. The client has identified that your self-signed CA certificate is the authority for the dynamically created certificate. It just does not trust you, the "self" who signed it.

The step beyond this is to get the client end-point to trust your self-signed CA certificate.

Be careful here. Do this only for clients where it is actually legal to make them trust your certificate. Do not forget that what you are doing is a clear and blatant attack on both the client and web server security systems. There *are* things which they can do (and some do already) to prevent you succeeding.

I suggest you also investigate the reason why VeriSign and other widely trusted CAs refuse to counter-sign your self-signed CA certificate. That is behind what Alex said about using the VeriSign certificate.

Amos

>
>
> On 24 March 2014 at 11:48, Emmanuel LAZARO - S.IM.KO. <em.lazaro@xxxxxxxx> wrote:
>
>> Hi all,
>>
>> I get on the web browsers: Code d'erreur : sec_error_unknown_issuer
>>
>> Can someone help me?
>>
>>
>> On 19 March 2014 at 08:53, Emmanuel LAZARO - S.IM.KO. <em.lazaro@xxxxxxxx> wrote:
>>
>>> Hi all,
>>>
>>> I am using Squid 3.4.4 on Debian wheezy, compiled from the sources.
>>>
>>> I am trying to configure Squid as a transparent proxy using:
>>>
>>> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/CertifSignature/SquidServeurVeriSign.pem key=/etc/squid3/CertifSignature/Squid.key
>>>
>>> The SquidServeurVeriSign.pem has been signed by VeriSign.
>>>
>>> How can I avoid the alerts in Firefox or Safari (I am in a Mac OS X environment)? The alerts are appearing on every HTTPS page:
>>>
>>> "Connection not certified
>>>
>>> You asked Firefox to connect... we can't confirm the connection is secured... website identity can't be verified."
>>>
>>> Sorry for the translation...
>>>
>>> Can someone help me?
>>>
>>> NB: I imported the root certificate into my Firefox.
>>> ------
>>>
>>> LAZARO Emmanuel
>>
>
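
The two client-side rejections discussed in this thread have analogues that can be reproduced offline with `openssl verify`. This is an added example, not part of the original messages; it assumes the VeriSign-issued certificate is an ordinary server certificate (CA:FALSE), and every name in it (`pubroot`, `server`, `bumpca`, `site_a`, `site_b`) is constructed.

```sh
#!/bin/sh
# Constructed demo PKI: every name, key and file here is a throwaway test value.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# issue NAME CN CAFLAG ISSUER: create a key and certificate under $work.
# CAFLAG is TRUE or FALSE (basicConstraints); ISSUER "self" means self-signed.
issue() {
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=%s\n[ext]\nbasicConstraints=critical,CA:%s\n' \
    "$2" "$3" > "$work/$1.cnf"
  openssl req -new -newkey rsa:2048 -nodes -config "$work/$1.cnf" \
    -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null || return 1
  if [ "$4" = self ]; then
    set -- "$1" -signkey "$work/$1.key"
  else
    set -- "$1" -CA "$work/$4.pem" -CAkey "$work/$4.key" -CAcreateserial
  fi
  name=$1; shift   # "$@" now holds only the signing options chosen above
  openssl x509 -req -in "$work/$name.csr" "$@" -days 1 \
    -extfile "$work/$name.cnf" -extensions ext -out "$work/$name.pem" 2>/dev/null
}

# client_accepts LEAF ROOTS [INTERMEDIATE]: succeed only if a client whose trust
# store is ROOTS.pem accepts LEAF.pem (INTERMEDIATE is what the proxy would send).
client_accepts() {
  openssl verify -CAfile "$work/$2.pem" ${3:+-untrusted "$work/$3.pem"} \
    "$work/$1.pem" 2>&1 | grep -q ': OK$'
}

build_demo() {
  issue pubroot "Demo Public Root" TRUE self || return 1    # stands in for a root browsers ship
  issue server "proxy.example" FALSE pubroot || return 1    # ordinary server cert from that root
  issue bumpca "Demo Squid Bump CA" TRUE self || return 1   # self-signed CA for ssl-bump
  issue site_a "www.example.com" FALSE server || return 1   # generated cert signed by the server cert
  issue site_b "www.example.com" FALSE bumpca               # generated cert signed by the bump CA
}

build_demo || { echo "openssl failed" >&2; exit 1; }
# Each case: leaf, client trust store, optional intermediate sent by the proxy.
for c in "site_a pubroot server" "site_b pubroot" "site_b bumpca"; do
  # $c is deliberately unquoted so it splits into the function's arguments
  if client_accepts $c; then echo "accept: $c"; else echo "reject: $c"; fi
done
```

Only the last case is accepted: a certificate signed with a CA:FALSE server certificate is rejected even though its root is trusted, and one signed by the self-signed CA is rejected until that CA is in the client's trust store.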