Re: transparent proxy https and self signed certificate error

On Mon, Oct 13, 2014 at 9:22 AM, Robert Watson <robert@xxxxxxxxxxxxxxx> wrote:
Ok, finally got the certificate installed properly and can proxy some https sites (gmail, google), but I get an error when going to a bank website:
NET::ERR_CERT_COMMON_NAME_INVALID
When I created the certificate, I purposefully left the common name blank as per several articles on ssl_bump. So I'm assuming it's complaining about the CN generated by squid/ssl_bump?



On Mon, Oct 6, 2014 at 12:39 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 6/10/2014 4:24 p.m., Robert Watson wrote:
> still trying to get this working.  To eliminate the self signed
> certificate issue, I got an official signed certificate from
> Starfield Tech. LLC. They've sent two certificates but I'm unsure
> how to use these certificates since the ssl_bump parameters only
> have one certificate as a parameter

The CA is very unlikely to be issuing you certificates capable of use
in Squid in the way intended. It is illegal for a trusted root CA to
do so in the country they are registered. Besides that it is downright
foolish for them to give up their trust reputation. Look at what
happened to DigiNotar.

The point of self-signed is that _your Squid_ is the root CA signer.

The ssl-bump feature in current Squid makes parameter cert= take the
self-signed CA certificate in PEM format. Squid generates the rest of
the certificate chain as necessary.

>
> On Sun, Oct 5, 2014 at 8:52 AM, Eliezer Croitoru wrote:
>
> On 10/05/2014 01:22 PM, Amos Jeffries wrote:
>>>> MSIE 11 seems to be growing in popularity for some reason
>>>> ;-)
>>>>
>>>> Amos
>
> And Still there is:
> http://bugs.squid-cache.org/show_bug.cgi?id=4115
>
> For now I am using ssl_crtd of 3.4.5 for google ssl bump to work.
>
> Eliezer

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
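
The distinction Amos draws above, as an added example that is not from the thread or the Squid project: it builds a self-signed CA in PEM form with OpenSSL and checks whether a file could act as the signer passed to cert=, next to a non-CA certificate that fails the check. All names, subjects and paths are constructed, and keeping the private key in the same PEM file is an assumption of this example.

```shell
#!/bin/sh
# Added example. Subjects, file names and the temp directory are constructed.

# make_cert DIR NAME CN TRUE|FALSE -> writes DIR/NAME.pem (certificate + private key)
make_cert() {
    dir=$1; name=$2; cn=$3; is_ca=$4
    # Private config so the result does not depend on the system openssl.cnf.
    cat > "$dir/$name.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $cn
[ext]
basicConstraints = critical,CA:$is_ca
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/$name.cnf" \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null || return 1
    # One combined PEM: certificate followed by its private key (assumption of this example).
    cat "$dir/$name.crt" "$dir/$name.key" > "$dir/$name.pem"
    chmod 600 "$dir/$name.key" "$dir/$name.pem"
}

# check_bump_ca FILE -> returns 0 only for a self-signed CA certificate that carries its key
check_bump_ca() {
    pem=$1
    subj=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ] || { echo "$pem: not self-signed"; return 1; }
    openssl x509 -in "$pem" -noout -text | grep -q 'CA:TRUE' \
        || { echo "$pem: basicConstraints is not CA:TRUE, cannot sign host certificates"; return 1; }
    grep -q 'PRIVATE KEY' "$pem" || { echo "$pem: no private key in file"; return 1; }
    echo "$pem: self-signed CA with key, subject: $subj"
}

# Demonstration on constructed certificates.
work=$(mktemp -d)
make_cert "$work" bump-ca "Constructed Bump CA" TRUE
make_cert "$work" leaf "www.example.test" FALSE
check_bump_ca "$work/bump-ca.pem"
check_bump_ca "$work/leaf.pem" || true   # rejected: not a CA certificate
```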


