On 21/11/17 14:31, 赵 俊 wrote:
Hello, I configured https_port in squid.conf. However, when I access
https websites using Firefox, it shows "Your connection is not secure".
The error like this:
www.amazon.com used an invalid security
certificate.
This certificate is valid for 23.13.186.212 only.
Error code: SSL_ERROR_BAD_CERT_DOMAIN
My CA produced by openssl is a Self-signed certificate.
There are two points of brokenness here.
Firstly, has your Firefox been configured with the DER certificate of
that CA so that it trusts your CA?
Without that Firefox will not trust *any* certs generated by your Squid.
Here is my squid.conf:
https_port 192.168.51.200:3129 intercept ssl-bump connection-auth=off
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
cert=/usr/local/squid/ssl_cert/myCA.pem
key=/usr/local/squid/ssl_cert/myCA.pem
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3
ssl_bump bump all
Secondly, the above configures Squid to auto-generate the server
certificate with zero details from the real server AND zero details from
the client TLS handshake.
All Squid has to work with at that point is the raw-IP which the client
used to connect the TCP connection underneath everything. So of course
that is what the cert will be bound to.
Have you read this page to learn the bare basics about what is going on?
<https://wiki.squid-cache.org/Features/SslPeekAndSplice>
I know the page looks long, but that is the minimal details you need to
know about TLS and the Squid SSL-Bump features.
Amos
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users
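The second point above (bumping at step 1, before Squid has seen the client's TLS handshake) is the configuration change. The fragment below is an added example, not from the thread or the Squid project; it keeps the original poster's paths and assumes the same https_port line, and follows the peek-at-step-1 pattern documented on the SslPeekAndSplice wiki page.

```conf
# Same intercept port as the original post; only the ssl_bump rules change.
https_port 192.168.51.200:3129 intercept ssl-bump connection-auth=off \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    cert=/usr/local/squid/ssl_cert/myCA.pem \
    key=/usr/local/squid/ssl_cert/myCA.pem

acl step1 at_step SslBump1

# BROKEN (what the original config does): "ssl_bump bump all" matches at
# step 1, so Squid has only the destination IP from the intercepted TCP
# connection and mints a certificate for 23.13.186.212, not www.amazon.com.
# Firefox then reports SSL_ERROR_BAD_CERT_DOMAIN even if the CA is trusted.
#
# ssl_bump bump all

# FIXED: peek at step 1 to read the client's ClientHello (including the SNI
# "www.amazon.com"), then bump at step 2 so the generated certificate is
# issued for that name instead of the raw IP.
ssl_bump peek step1
ssl_bump bump all
```

The first point (Firefox trusting the CA) is separate from this: the CA must still be exported in DER form, e.g. `openssl x509 -in /usr/local/squid/ssl_cert/myCA.pem -outform DER -out myCA.der`, and imported into Firefox's authorities store, otherwise every generated certificate fails regardless of the name it carries.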