On 12/07/2017 08:05 AM, erdosain9 wrote: > Yes, Chrome tell this when i look the certificate > > "The certificate for this site does not contain a Subject Alternative Name > extension containing a domain name or IP address." That is not the only error reported by your Chrome, but you can try to solve one error at a time. The first step is to understand which certificate the browser is talking about. Is that a Squid-generated certificate or an origin server certificate? If it is a Squid-generated certificate, does it mimic an erroneous property of the origin server certificate? Or did Squid fail to (or decided not to) mimic something? The next step, for this specific error, would be to make sure that your Squid version has as fix for Bug 4711: > bug 4711: SubjectAlternativeNames is missing in some generated certificates > > Squid may generate certificates which have a Common Name, but do not have > a subjectAltName extension. For example when squid generated certificates > do not mimic an origin certificate or when the certificate adaptation > algorithm sslproxy_cert_adapt/setCommonName is used. > > This is causes problems to some browsers, which validates a certificate using > the SubjectAlternativeNames but ignore the CommonName field. > > This patch fixes squid to always add a SubjectAlternativeNames extension in > generated certificates which do not mimic an origin certificate. > > Squid still will not add a subjectAltName extension when mimicking an origin > server certificate, even if that origin server certificate does not include > the subjectAltName extension. Such origin server may have problems when > talking directly to browsers, and patched Squid is not trying to fix those > problems. > > This is a Measurement Factory project > > Fixes: http://bugs.squid-cache.org/show_bug.cgi?id=4711 fixed > Bzr-Reference: master r15131 If your Squid does not have the above fix, then it might explain the second problem reported by Chrome as well, provided the origin server certificate lacks any CN for Squid to mimic. > So, my certificate does not have a Subject Alternative Name. > But, this is not a problem with Firefox. Yes, different browsers (and different browser versions) may impose different requirements on certificates (and other traffic parameters). Alex. _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
