On 05/18/2017 11:40 AM, chcs wrote:
> HTTPS/SSL Interception, Enable SSL filtering, splice all, CA: Let's Encrypt authority

> One more question:
> With 2 different CA certificates to block twitter.com >> different results
>
> Issuer: self-signed 0 10.0.0.100 TAG_NONE/403 4709 GET
> https://www.twitter.com/ - HIER_NONE/- text/html
> Result: no problem, it shows me squid custom error page
>
> Issuer: Let's Encrypt 0 10.0.0.100 TCP_DENIED/403 4714 CONNECT
> www.twitter.com:443 - HIER_NONE/- text/html
> Result: It doesn't show me squid custom error page

Let's Encrypt does not issue CA certificates. You need a CA certificate for an SslBump setup to work for more than one site. Let's Encrypt also does not issue leaf certificates for www.twitter.com unless you control www.twitter.com.

When you generated a self-signed certificate, you probably generated a CA certificate. If you did not, then you will encounter problems if you try to import that certificate in browsers/clients that require CA certificates. See the OpenSSL command below for one way to check what you have generated.

CA certificates have an x509 "Basic Constraints" extension with a CA:TRUE constraint. For example:

> $ openssl x509 -in CA-priv+pub.pem -text -noout | fgrep -A 1 'Basic'
> X509v3 Basic Constraints:
> CA:TRUE

HTH,

Alex.
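
The Basic Constraints check from the reply above, wrapped in a script that also tells a certificate marked CA:FALSE apart from one that has no Basic Constraints extension at all. This is an added example, not part of the original message; the function names and the sample excerpts of openssl output are constructed for illustration.

```shell
#!/bin/sh
# classify_bc: read `openssl x509 -text -noout` output on stdin and print
#   ca      Basic Constraints present with CA:TRUE
#   leaf    Basic Constraints present, but CA:FALSE
#   absent  no Basic Constraints extension (e.g. an X.509 v1 certificate)
classify_bc() {
    awk '
        /X509v3 Basic Constraints/ { seen = 1; getline; if ($0 ~ /CA:TRUE/) ca = 1 }
        END {
            if (!seen) { print "absent" }
            else if (ca) { print "ca" }
            else { print "leaf" }
        }'
}

# check_cert FILE: classify a PEM certificate; exit status 0 only for a CA.
check_cert() {
    text=$(openssl x509 -in "$1" -text -noout) || return 2
    kind=$(printf '%s\n' "$text" | classify_bc)
    echo "$1: $kind"
    [ "$kind" = "ca" ]
}

# Constructed excerpts of openssl text output, used as offline sample input.
sample_ca() { cat <<'EOF'
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
EOF
}
sample_leaf() { cat <<'EOF'
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
EOF
}
sample_v1() { cat <<'EOF'
        Version: 1 (0x0)
        Subject: CN = constructed-v1-certificate
EOF
}

# Usage: sh check-ca.sh CA-priv+pub.pem [more.pem ...]
for f in "$@"; do
    check_cert "$f" || echo "  -> $f does not carry CA:TRUE"
done
```

Only a certificate reported as `ca` matches the CA:TRUE requirement described in the reply; `leaf` and `absent` both mean the file is not a CA certificate.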