01.02.2015 23:48, Walter H. writes:
> Hello,
>
> can someone please try the following website with Google Chrome - I use the latest release: Version 39.0.2171.99 m -
>
> https://banking.ing-diba.at/ (an electronic banking site)
>
> with the following policy enabled:
>
> RequireOnlineRevocationChecksForLocalAnchors = 1
>
> with this banking site I get the following error from Google Chrome:
>
> "Your connection is not private
>
> Attackers might be trying to steal your information from banking.ing-diba.at (for example, passwords, messages, or credit cards)."
>
> with the following banking sites of other banks I have no trouble:
>
> https://ebanking.easybank.at/ or
> https://banking.raiffeisen.at/
>
> without enabling the policy above, or not setting it at all, this banking site works, but
> the symbol it shows differs; it is the same as if a man-in-the-middle like SSL-Bump were in between;
>
> Google Chrome uses the same cert store as IE, and with IE there is no connection problem,
> only one other thing: the banking site is telling me the browser is outdated (of course, IE 7);
> IE even shows a green bar when connecting to this banking site ...
>
> can someone please tell me what is special about this banking site: https://banking.ing-diba.at/ ?
>
> I'm using SSL bump with the exception of banking sites; the specific part of the squid.conf
> looks like this:
>
> acl ssl_bump_domains_bankingsites dstdomain banking.raiffeisen.at banking.ing-diba.at ebanking.easybank.at services.kepler.at www.kepler.at www.rcb.at
> acl ssl_bump_domains_msftupdates dstdomain .update.microsoft.com
> ssl_bump none ssl_bump_domains_bankingsites
> ssl_bump none ssl_bump_domains_msftupdates
> ssl_bump server-first all

You're doing it wrong. You don't know site names BEFORE the bump. Just change the acl for banking to the dst (IP-based) type and list the banking sites' IPs.

> sslproxy_cert_error allow all
> sslproxy_cipher HIGH:MEDIUM:!AECDH:!ADH:!DSS:!SSLv2:+SSLv3:+3DES:!MD5
> sslproxy_flags DONT_VERIFY_PEER,NO_DEFAULT_CA

You can remove NO_DEFAULT_CA.

> sslproxy_options NO_SSLv2 NO_SSLv3
>
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/local/squid/ssl_db -M 16MB
> sslcrtd_children 8
>
> http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/cert/squid.pem options=NO_SSLv2,SINGLE_DH_USE dhparams=/etc/squid/cert/dhparam.pem

Add the capath parameter to your ssl-bump port. How do you want to bump without the CAs' public keys?

> # squid.pem contains both cert+key
>
> I'm using my own CA; this means this SSL-bump CA cert is signed by my root CA certificate;
>
> what is missing, wrong, ... so that this one banking site will work ...?
>
> the SSL-bump CA certificate contains this:
>
> Authority Information Access:
> OCSP - URI:#url-to-ocsp#
> CA Issuers - URI:#url-to-root-cert#
>
> and
>
> X509v3 CRL Distribution Points:
> Full Name:
> URI:#url-to-crl#
>
> everything is working: the OCSP, the root cert, and the CRL ...
>
> what causes Google Chrome to produce the error mentioned above when activating the mentioned policy?
>
> the question to squid specialists: was it a good idea signing the SSL-bump CA certificate with the root certificate of my CA?

No. But you can ask him. :) Tell us what he says. ;)

NP. In two words: you want to be an RA. I.e., with your root CA (signed by a CA) you can sign anything as a trusted authority, without actually being a trusted RA.

> Thanks
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
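The following shell script is an added example written for this page; it is not code from either poster and does not come from Squid. It does the check a practitioner would run on a client behind a bumping proxy: take the leaf certificate the browser actually receives, report which CA issued it, and report whether it carries online revocation pointers (an OCSP URI in Authority Information Access, a CRL distribution point). Those pointers are what Chrome needs when RequireOnlineRevocationChecksForLocalAnchors is set, because under that policy a chain ending in a locally installed root must pass an online revocation check and fails hard when no revocation information can be fetched. To run offline the script builds its own throwaway root CA and two leaf certificates with openssl: one with a SAN only and no revocation pointers, standing in for a dynamically generated bump certificate (that generated certificates carry no usable AIA/CRL is an assumption here, not something verified against ssl_crtd), and one with AIA and CRL DP extensions. The host name banking.example.test, the URLs under example.test, and all file names are invented.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): inspect a leaf certificate the way a
# client behind an SSL-bumping proxy would, to see who issued it and whether it
# carries online revocation pointers (OCSP / CRL distribution point).
# Everything is generated locally with openssl; names and URLs are invented.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway private root CA, standing in for the poster's own root CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
  -subj "/CN=Example Private Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1

# issue_leaf <host> <extfile> <out.pem>: issue a leaf for <host> signed by the
# throwaway root, adding the X.509v3 extensions listed in <extfile>.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "${3%.pem}.key" -out "${3%.pem}.csr" >/dev/null 2>&1
  openssl x509 -req -in "${3%.pem}.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$2" -out "$3" >/dev/null 2>&1
}

# Leaf 1: SAN only, no revocation pointers (assumed shape of a generated bump cert).
cat >"$WORK/bumped.ext" <<'EOF'
subjectAltName=DNS:banking.example.test
EOF
issue_leaf banking.example.test "$WORK/bumped.ext" "$WORK/bumped.pem"

# Leaf 2: same name, plus AIA (OCSP + CA issuers) and a CRL distribution point.
cat >"$WORK/revocable.ext" <<'EOF'
subjectAltName=DNS:banking.example.test
authorityInfoAccess=OCSP;URI:http://ocsp.example.test/,caIssuers;URI:http://ca.example.test/root.pem
crlDistributionPoints=URI:http://ca.example.test/root.crl
EOF
issue_leaf banking.example.test "$WORK/revocable.ext" "$WORK/revocable.pem"

# issuer_of <cert.pem>: print the issuer DN on one line (works with the
# "issuer=CN = ..." and the older "issuer= /CN=..." output formats).
issuer_of() {
  openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//'
}

# revocation_pointers <cert.pem>: print "ocsp", "crl", "ocsp crl" or "none"
# depending on which online revocation pointers the certificate carries.
revocation_pointers() {
  local text found=""
  text=$(openssl x509 -in "$1" -noout -text)
  if printf '%s\n' "$text" | grep -q 'OCSP - URI:'; then found="ocsp"; fi
  if printf '%s\n' "$text" | grep -q 'CRL Distribution Points'; then found="${found:+$found }crl"; fi
  printf '%s\n' "${found:-none}"
}

# local_anchor_check <cert.pem> <root.pem>: return 0 when the certificate chains
# to the given (locally installed) root AND carries at least one online
# revocation pointer, i.e. the two things a hard-fail online revocation policy
# needs to have any chance of passing; otherwise print the reason and return 1.
local_anchor_check() {
  if ! openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo "$1: does not chain to $2" >&2; return 1
  fi
  if [ "$(revocation_pointers "$1")" = none ]; then
    echo "$1: no OCSP/CRL pointers, an online revocation check cannot succeed" >&2; return 1
  fi
  return 0
}

for cert in "$WORK/bumped.pem" "$WORK/revocable.pem"; do
  printf '%s\n  issuer: %s\n  revocation pointers: %s\n' \
    "$(basename "$cert")" "$(issuer_of "$cert")" "$(revocation_pointers "$cert")"
  if local_anchor_check "$cert" "$WORK/root.pem" 2>/dev/null; then
    echo "  verdict: chains to the private root and has revocation pointers"
  else
    echo "  verdict: would fail a hard-fail online revocation policy"
  fi
done
```

Against a live site, feed the functions the certificate a client behind the proxy really gets, e.g. `openssl s_client -connect banking.ing-diba.at:443 -servername banking.ing-diba.at </dev/null 2>/dev/null | openssl x509 -outform PEM >live.pem`. If `issuer_of live.pem` names your bump CA, that connection was bumped whatever the acl was meant to exempt; if it names the bank's public CA, the proxy stayed out of it and the policy question lies with the bank's chain instead.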