Re: Squid 4.0.10 https intercept

I create cert:

openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout squidCA.pem -out squidCA.pem

And export it:

openssl x509 -in squidCA.pem -outform DER -out squidCA.crt

Wrong?



Amos Jeffries wrote 2016-05-11 17:18:

On 11/05/2016 11:59 p.m., admin wrote:

I just thought! I ran the

openssl x509 -in squidCA.pem -outform DER -out squidCA.crt

import the cert and now get ERR_CERT_COMMON_NAME_INVALID

Where did I go wrong?

Hmm. I'm not sure that one is you. If it is getting past the CA trust
check then what you did earlier was okay.

This one sounds like either the CA was generated with something in the CN
field that was not right, or the cert generated by Squid is broken in
that way.

There are two reasons the Squid generated cert might be broken. In this
order of relevance:

1) the server the client was trying to contact had a broken cert. Mimic
feature in Squid will copy cert breakages so the client can make its
security decisions on as fully accurate information as possible.

2) a bug in Squid.

Some more research to find out what exactly is being identified as
invalid, and where it comes from, will be needed to discover which case is
relevant.

Amos

Amos Jeffries wrote 2016-05-11 16:43:

On 11/05/2016 6:35 p.m., Компания АйТи Крауд wrote:

hi!

I use squid 4.0.10 in INTERCEPT mode. If I deny some users
(IP addresses) with

acl users_no_inet src "/etc/squid/ip-groups/no-inet"
http_access deny users_no_inet

ERR_ACCESS_DENIED is displayed when they go to HTTP. If they go to HTTPS,
first I see the browser's NET::ERR_CERT_AUTHORITY_INVALID, and then after
clicking "unsecure" I see ERR_ACCESS_DENIED.

How do I make it display ERR_ACCESS_DENIED correctly on HTTPS for a denied
user in Squid 4.0?

What you describe above is correct behaviour. The browser does not trust
your proxy's CA.

The only way to get around the browser warning about TLS security issue
is to install the CA used by the proxy into the browser trusted CA set.

Amos
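
The certificate steps discussed in this thread, turned into a script with checks. This is an added example, not code from the thread or from the Squid project: it builds a test CA the way the thread does (with a 2048-bit key instead of the 1024-bit one), exports it to DER for the browser import, signs a leaf certificate for a hostname with it, and then inspects the fields that a browser or Squid actually checks. The directory layout, the subject names, the key size and the www.example.test hostname are all constructed for the demonstration; only the `openssl` CLI is assumed.

```shell
#!/bin/sh
# Added example, not from the thread or the Squid project. Everything below
# (paths, subject names, key size, hostname) is constructed for the demo.
set -e

# make_ca DIR: create DIR/squidCA.key, DIR/squidCA.pem and the DER export
# DIR/squidCA.crt. A minimal config keeps the run non-interactive and gives
# the CA explicit CA:TRUE basic constraints, which it needs in order to sign.
make_ca() {
    dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = Example Intercept CA
O  = Example Org
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 \
        -config "$dir/ca.cnf" \
        -keyout "$dir/squidCA.key" -out "$dir/squidCA.pem" 2>/dev/null
    # Same export step as in the thread: PEM -> DER for the browser import.
    openssl x509 -in "$dir/squidCA.pem" -outform DER -out "$dir/squidCA.crt"
}

# make_leaf DIR HOST: sign a server certificate for HOST with the test CA,
# carrying HOST in subjectAltName, which is where clients look for it.
make_leaf() {
    dir=$1
    host=$2
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=$host" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    printf 'subjectAltName = DNS:%s\n' "$host" > "$dir/leaf.ext"
    openssl x509 -req -in "$dir/leaf.csr" -days 30 \
        -CA "$dir/squidCA.pem" -CAkey "$dir/squidCA.key" -CAcreateserial \
        -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# ca_subject_cn PEM: print the CN of the certificate subject.
ca_subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=//; s/.*CN=\([^,]*\).*/\1/p'
}

# is_ca PEM: succeed only if the certificate carries basicConstraints CA:TRUE.
is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# key_bits PEM: print the size of the certificate's public key in bits.
key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# same_cert PEM DER: succeed if the DER export is the same certificate as
# the PEM, compared by SHA-256 fingerprint.
same_cert() {
    pem_fp=$(openssl x509 -in "$1" -inform PEM -noout -fingerprint -sha256)
    der_fp=$(openssl x509 -in "$2" -inform DER -noout -fingerprint -sha256)
    [ "$pem_fp" = "$der_fp" ]
}

# san_names PEM: print the subjectAltName entries of a certificate.
san_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# verify_chain CA LEAF: succeed if LEAF chains to CA.
verify_chain() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# demo DIR: build everything in DIR and print a short report.
demo() {
    dir=$1
    make_ca "$dir"
    make_leaf "$dir" www.example.test
    echo "CA subject CN : $(ca_subject_cn "$dir/squidCA.pem")"
    is_ca "$dir/squidCA.pem" && echo "CA flag       : CA:TRUE present"
    bits=$(key_bits "$dir/squidCA.pem")
    echo "CA key size   : $bits bits"
    # rsa:1024 as used in the thread falls below the 2048-bit minimum that
    # current clients and OpenSSL security levels expect.
    [ "$bits" -ge 2048 ] || echo "WARNING: CA key is below 2048 bits"
    same_cert "$dir/squidCA.pem" "$dir/squidCA.crt" && echo "DER export    : matches PEM"
    echo "Leaf names    : $(san_names "$dir/leaf.pem")"
    verify_chain "$dir/squidCA.pem" "$dir/leaf.pem" && echo "Leaf chain    : OK"
}
```

Run it with `demo "$(mktemp -d)"` after sourcing the file. `same_cert` answers the "Wrong?" question in the top message by confirming the DER export is the same certificate as the PEM, `is_ca` and `key_bits` show whether the CA itself is usable for signing, and `san_names` shows which names a client will compare the requested hostname against, which is the field to inspect on a certificate a browser rejects as having an invalid name.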

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users