Re: HTTPS chrome - SHA1 this page is insecure


The reason you only see it on Chrome is that, since Chrome >= 41:

"Sites with end-entity certificates that expire on or after 1 January 2017, and which include a SHA-1-based signature as part of the certificate chain, will be treated as “affirmatively insecure”. Subresources from such domain will be treated as “active mixed content”."
Source: https://security.googleblog.com/2014/09/gradually-sunsetting-sha-1.html

Best regards

On Wed, Aug 31, 2016 at 5:24 PM, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 08/31/2016 09:15 AM, Amos Jeffries wrote:
> On 1/09/2016 2:26 a.m., erdosain9 wrote:
>> Hi.
>> I'm using ssl-bump.. all is working fine, but I want to know if it is
>> possible that which is not seen crossed out and red "https".
>> This happen just in Chrome
>> This page is insecure (broken HTTPS)
>> SHA-1 Certificate
>> The certificate for this site expires in 2017 or later, and the certificate
>> chain contains a certificate signed using SHA-1.

Sounds like you are running an old Squid version.


> This requires changes to the certificate generator used by SSL-Bump.
> IIRC there were some patches, but I can't find them right now in the
> changesets. If the issue exists in current releases then please ask on
> squid-dev.

See http://www.squid-cache.org/Doc/config/sslproxy_cert_sign_hash/


> Of course, it's possible the site really does have a SHA1 certificate and
> Squid is just passing on the real details. The mimic feature is designed
> to ensure TLS is actually transparent as best we can manage.

I have not checked, but I doubt we mimic the signing algorithm (because
it would make client-Squid communication less secure?). If we do, we
should update the wiki page that lists what is being mimicked.


HTH,

Alex.

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users



--

--------

Diogenes S. de Jesus
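
The Chrome rule quoted in this thread can be checked against the certificates a bumped connection actually presents. The script below is an added example, not part of the original messages or of Squid; its function names are hypothetical, and it assumes the `openssl` command-line tool and PEM files given leaf first.

```shell
#!/bin/sh
# Added example (not from the thread): apply the quoted Chrome >= 41 rule to PEM files.

# sig_alg FILE: signature algorithm of a certificate, e.g. sha256WithRSAEncryption
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# not_after_year FILE: four-digit year of the certificate's notAfter (GMT)
not_after_year() {
    # openssl prints e.g. "notAfter=Dec 31 23:59:59 2017 GMT"
    openssl x509 -in "$1" -noout -enddate | awk '{print $(NF-1)}'
}

# chrome41_verdict YEAR ALG...: YEAR is the leaf's expiry year, ALG... are the
# signature algorithms seen in the chain. Prints "insecure" or "ok".
chrome41_verdict() (
    year=$1; shift
    sha1=no
    for alg in "$@"; do
        case $alg in
            *[Ss][Hh][Aa]1*) sha1=yes ;;   # sha1WithRSAEncryption, ecdsa-with-SHA1, ...
        esac
    done
    if [ "$sha1" = yes ] && [ "$year" -ge 2017 ]; then
        echo insecure    # expires on or after 1 January 2017 with SHA-1 in the chain
    else
        echo ok
    fi
)

# check_chain LEAF.pem [INTERMEDIATE.pem ...]: report each algorithm, then the verdict
check_chain() (
    year=$(not_after_year "$1")
    [ -n "$year" ] || { echo "cannot read notAfter from $1" >&2; exit 2; }
    algs=
    for f in "$@"; do
        a=$(sig_alg "$f")
        [ -n "$a" ] || { echo "cannot read signature algorithm from $f" >&2; exit 2; }
        echo "$f: $a" >&2
        algs="$algs $a"
    done
    # Unquoted on purpose: algorithm names contain no spaces
    chrome41_verdict "$year" $algs
)

# Run as: sh check.sh leaf.pem intermediate.pem
if [ "$#" -gt 0 ]; then check_chain "$@"; fi
```

If the generated leaf certificate is the one reported with a SHA-1 signature, the `sslproxy_cert_sign_hash` directive linked in the reply above is the setting to review.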