On 28/06/18 05:55, Amit Pasari - XS INFOSOL Inc. USA wrote: > On 6/27/18 11:20 PM, Amit Pasari - XS INFOSOL Inc. USA wrote: >> Dear Walter , >> >> I use >> >> sslproxy_cert_sign_hash sha256 >> >> and use a SHA-256 certificate >> >> The result is still the same . >> >> "NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM" Based on <https://bugs.chromium.org/p/chromium/issues/detail?id=655318> v67 may have moved on to SHA-512 now, or this site be using SHA-386. Is there any way you can debug *which* certificate in the certificate chain is producing that error? It could be the server cert, or an intermediary, or the root CA. Also, there are other uses of signatures in TLS/SSL that you could check. eg the signature on serverHello messages. The error does point at certs, but all Browsers have a history of wrongly re-using error messages for only slightly related things at times if their translators did not produce new texts fast enough for their release cycle. >> >> Also one more thing , when i open yahoo.com with any of those >> certificates in CHROME , the content of yahoo comes inline i,e without >> any CSS etc ... >> This may be a side effect of the same issue affecting separate connections those background objects are fetched over. OR, it could e something completely unrelated. They are not use-visible so error messages not as clearly "in your face". Either way concentrate on one problem at a time. >> One more strange thing i noticed , when i browse using Firefox , >> safari , IE , all URLs are coming in squid/access.log where as when i >> use CHROME only few IPs comes in access logs with CONNECT on 443 . Not strange at all. Different browsers/clients do different things. You only get the decrypted messages if you successfully decrypted them. >> >> I also noticed with using CHROME the below type of requests : >> POST >> http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-certs >> I suggest you look that domain and/or URL up. What its used for impacts your ability to perform SSL-Bump. Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users