On 5/19/21 10:41 AM, robert k Wild wrote:
> ok i found out what the error is
>
> it's because in my squid.conf, i have a whitelist file
>
> #HTTP_HTTPS whitelist websites
> acl whitelist ssl::server_name "/usr/local/squid/etc/urlwhite.txt"
> http_access allow activation whitelist
> http_access deny all
>
> once i added the url to that file, it worked
>
> but surely, instead of giving me an error saying
>
> secure connection failed
> Error code: SEC_ERROR_BAD_SIGNATURE
>
> it should be the default error ie
>
> The following error was encountered while trying to retrieve the URL:
> https://blah.blah
>
> Access Denied.
>
> how can i change this please

The answer depends on _why_ you get that SEC_ERROR_BAD_SIGNATURE error. If Squid does not have enough information to properly bump your client connection, then there may be no bumping-based solution at all (e.g. when the client is using certificate pinning), or you would have to bump at step2 when more information is available to Squid (to generate a better fake certificate).

For the next step, try comparing the fake certificate that causes SEC_ERROR_BAD_SIGNATURE with the fake same-site certificate that works after you whitelist the problematic site. The browser should allow you to view both certificates. You can download them and use certificate printing tools like "openssl x509 -noout -text -in ..." to compare two certificate printouts.

HTH,

Alex.

> On Wed, 19 May 2021 at 13:54, robert k Wild wrote:
>
> > hi all,
> >
> > i have squid 4.15
> >
> > i have imported my self signed cert on firefox and now i can access
> > https website (whereas before i got a software is preventing this
> > website from opening)
> >
> > but on some websites i get an error saying
> >
> > secure connection failed
> > Error code: SEC_ERROR_BAD_SIGNATURE
> >
> > i attach my ssl bump conf in my squid.conf file
> >
> > #SSL Bump
> > http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
> > sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
> > acl step1 at_step SslBump1
> > ssl_bump peek step1
> > ssl_bump bump all
> >
> > is there anything wrong you can see, i have tried to make a new CA
> > but error still occurs
> >
> > thanks,
> > rob
>
> --
> Regards,
>
> Robert K Wild.
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
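
The certificate comparison suggested in the reply above, as an added example that is not part of the original thread: it reduces two `openssl x509 -noout -text` printouts to the fields worth comparing and diffs them. The function names are hypothetical, and the two throwaway self-signed certificates generated in `demo` are constructed stand-ins for the failing and working certificates saved from the browser.

```shell
#!/bin/sh
# Added example, not from the thread: reduce two "openssl x509 -text"
# printouts to the fields worth comparing, then diff them.

# Print the comparison-relevant fields of one PEM certificate.
cert_summary() {
    openssl x509 -noout -text -in "$1" | awk '
        /Signature Algorithm:/ && !sig++ { print; next }  # printed twice; keep one
        /Issuer:|Subject:|Not Before|Not After/ { print; next }
        /Public Key Algorithm:|Public-Key:/ { print; next }
        /X509v3 (Subject Alternative Name|Basic Constraints|Authority Key Identifier)/ {
            print; getline; print }
    ' | sed 's/^[[:space:]]*//'
}

# Diff two certificates field by field; exit status 0 means no difference.
compare_certs() (
    a=$(mktemp) && b=$(mktemp) || exit 2
    cert_summary "$1" >"$a"
    cert_summary "$2" >"$b"
    rc=0
    diff "$a" "$b" || rc=$?
    rm -f "$a" "$b"
    exit "$rc"
)

# Constructed demo: two throwaway self-signed certificates for the same
# name that differ in key and signature digest (sha256 vs sha384).
demo() (
    d=$(mktemp -d) || exit 2
    for md in sha256 sha384; do
        openssl req -x509 -newkey rsa:2048 -nodes -"$md" -days 1 \
            -subj "/CN=blah.blah" -keyout "$d/$md.key" -out "$d/$md.pem" \
            2>/dev/null || exit 2
    done
    rc=0
    compare_certs "$d/sha256.pem" "$d/sha384.pem" || rc=$?
    rm -rf "$d"
    exit "$rc"
)

# Run the constructed demo only when asked: sh compare_certs.sh demo
if [ "${1:-}" = "demo" ]; then demo; fi
```

With real data, call `compare_certs failing.pem working.pem` on the two certificates exported from the browser; any line prefixed `<` or `>` is a field where the two fake certificates differ.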