On 12/10/19 6:19 AM, aw_wolfe wrote:
> I have squid 4.9 built with https support in which I created a certificate
> following tutorial. Squid starts, appears to be running fine. http whitelist
> with user groups working....trying to add https support.
>
> copy/paste from example of what I did to create certificate.
>
> openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions
> v3_ca -keyout myCA.pem -out myCA.pem
>
> certtool --generate-privkey --outfile ca-key.pem
>
> certtool --generate-self-signed --load-privkey ca-key.pem --outfile myCA.pem

You seem to be combining/overlapping two alternative ways to generate a CA
certificate: OpenSSL and GnuTLS. To avoid surprises, I recommend using either
one or the other. I cannot speak for GnuTLS, but I know that the OpenSSL
commands did work at some point in the past.

> 1) problem when trying to import myCA.der certificate into firefox: "This is
> not a certificate authority certificate, so it can't be imported into the
> certificate authority list"

CA certificates have a "true" CA basic constraint. Double check that your
certificate has a true CA extension:

    $ openssl x509 -in myCA.pem -noout -text | \
        grep -A1 'Basic Constraints'
            X509v3 Basic Constraints:
                CA:TRUE

By default, your modern browser or OS might not trust _you_ with deciding
which CAs it should trust. If that is the case, you will need to find a way to
bypass that built-in browser/OS "safety net". Modern browsers/OSes usually
have a way to do that because their corporate/government clients require such
workarounds.

> 2) My goal is simply to whitelist sites, I do not have a need to view the
> traffic. Is following ssl-bump examples the right/only approach or is easier
> way to let the client connect directly, but preventing any connection except
> if on the whitelist?

FWIW, I do not understand what you mean by "let the client connect directly"
and/or how that differs from some of the SslBump examples. Please detail that
part.
Today, the fake CA certificate is needed to enable SslBump. It will be used to
report errors (including blocked access) to users. If you do not want to
report any errors to users, then you do not need to import your CA certificate
into browsers (but you still need to give that certificate to Squid -- it is a
limitation of the current implementation). In this case, you should configure
your Squid to terminate the from-client TLS connection on any error. Doing so
may be difficult -- there is no single directive that can do that for you.

HTH,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
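The Basic Constraints check from the reply above, carried through end to end as an added example (this script is not from the thread or the Squid project). It writes its own minimal OpenSSL config so the result does not depend on the distro's openssl.cnf having a v3_ca section, generates one self-signed certificate with CA:TRUE and one with CA:FALSE, and wraps the openssl/grep check in a function. File names, the CN and the working directory are assumptions made for the demo; openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Shows why the
# "not a certificate authority certificate" import error happens: only the
# certificate carrying basicConstraints CA:TRUE passes the check below.
set -eu

WORK="${TMPDIR:-/tmp}/squid-ca-demo.$$"     # constructed scratch directory
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config with an explicit CA section and a non-CA section.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no

[ req_dn ]
CN = Example Squid CA (demo, assumed name)

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_leaf ]
basicConstraints     = critical, CA:FALSE
keyUsage             = critical, digitalSignature, keyEncipherment
EOF

# is_ca_cert FILE: exit 0 when the certificate has CA:TRUE, 1 otherwise.
# This is the same openssl x509 | grep -A1 'Basic Constraints' check as in
# the reply, made scriptable.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Basic Constraints' \
        | grep -q 'CA:TRUE'
}

# Private key plus self-signed CA certificate: the shape SslBump needs.
openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORK/openssl.cnf" -extensions v3_ca \
    -keyout "$WORK/myCA.key" -out "$WORK/myCA.pem" 2>/dev/null

# Self-signed certificate with CA:FALSE: this is what a browser rejects
# from its certificate-authority list.
openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORK/openssl.cnf" -extensions v3_leaf \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.pem" 2>/dev/null

# DER copy of the CA certificate for browser import (like the poster's myCA.der).
openssl x509 -in "$WORK/myCA.pem" -outform DER -out "$WORK/myCA.der"

for f in myCA.pem leaf.pem; do
    if is_ca_cert "$WORK/$f"; then
        echo "$f: CA:TRUE (importable as a certificate authority)"
    else
        echo "$f: not a CA certificate (browser import will be refused)"
    fi
done
```

Run it once after generating a CA with either toolchain; if myCA.pem reports "not a CA certificate", the problem is the certificate's extensions, not the browser.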
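For the allow-list question, the usual SslBump shape that never decrypts traffic is peek at the ClientHello, splice allow-listed server names, and terminate everything else. The squid.conf fragment below is an added example, not configuration from the thread or from the Squid documentation; the port, certificate path, certgen helper path, cache sizes and the allow-listed domains are all assumptions. It pairs with the reply's point that a terminated connection produces no error page, so the CA only has to be given to Squid, not imported into browsers.

```conf
# Added example (assumed values). Explicit proxy listener; clients send CONNECT.
# Squid needs the CA key+cert even though nothing is decrypted here.
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/myCA.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that mints the certificates used only for error/blocked-access pages.
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Server names the clients may reach over TLS (assumed list).
acl allowed_tls_sites ssl::server_name .example.com .example.org

acl step1 at_step SslBump1

# Step 1: read the TLS ClientHello (SNI) without decrypting anything.
ssl_bump peek step1
# Step 2: pass allow-listed connections through untouched.
ssl_bump splice allowed_tls_sites
# Everything else: close the client connection. No error page is sent,
# so no browser-side CA import is needed for blocked sites.
ssl_bump terminate all
```

This only covers names that are not on the list; handling of other TLS errors is a separate matter, as the reply notes.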