On 5/19/21 3:44 PM, robert k Wild wrote:
> when i don't add it to the white list i can't view the website (obviously)
> but can see the cert is provided by my squid (default company ltd)...i
> was lazy creating it but can't view the cert
>
> when i add it to the white list, i can view the website and the cert
> info and it's def from my squid cert (default company ltd) as i see the
> valid dates ie before and after

The difference between those two certificates, if any, may be able to
explain the difference in browser behavior. It would also be useful to
compare those fake certificates with the real one.

> i think i need to relax the ciphers in my squid.conf as some other https
> websites i get the error page and i don't get the cert error message
>
> do you think relaxing the ciphers will work?

Sorry, I do not know. Obviously, you can trivially check this theory.

Alex.

> On Wed, 19 May 2021, 19:12 Alex Rousskov wrote:
>
> > On 5/19/21 10:41 AM, robert k Wild wrote:
> > > ok i found out what the error is
> > >
> > > it's because in my squid.conf, i have a whitelist file
> > >
> > > #HTTP_HTTPS whitelist websites
> > > acl whitelist ssl::server_name "/usr/local/squid/etc/urlwhite.txt"
> > > http_access allow activation whitelist
> > > http_access deny all
> > >
> > > once i added the url to that file, it worked
> > >
> > > but surely, instead of giving me an error saying
> > >
> > > secure connection failed
> > > Error code: SEC_ERROR_BAD_SIGNATURE
> > >
> > > it should be the default error ie
> > >
> > > The following error was encountered while trying to retrieve the URL:
> > > https://blah.blah
> > >
> > > Access Denied.
> > >
> > > how can i change this please
> >
> > The answer depends on _why_ you get that SEC_ERROR_BAD_SIGNATURE error.
> >
> > If Squid does not have enough information to properly bump your client
> > connection, then there may be no bumping-based solution at all (e.g.
> > when the client is using certificate pinning), or you would have to bump
> > at step2 when more information is available to Squid (to generate a
> > better fake certificate).
> >
> > For the next step, try comparing the fake certificate that causes
> > SEC_ERROR_BAD_SIGNATURE with the fake same-site certificate that works
> > after you whitelist the problematic site. The browser should allow you
> > to view both certificates. You can download them and use certificate
> > printing tools like "openssl x509 -noout -text -in ..." to compare two
> > certificate printouts.
> >
> > HTH,
> >
> > Alex.
> >
> >
> > > On Wed, 19 May 2021 at 13:54, robert k Wild wrote:
> > >
> > > > hi all,
> > > >
> > > > i have squid 4.15
> > > >
> > > > i have imported my self signed cert on firefox and now i can access
> > > > https website (whereas before i got a software is preventing this
> > > > website from opening)
> > > >
> > > > but on some websites i get an error saying
> > > >
> > > > secure connection failed
> > > > Error code: SEC_ERROR_BAD_SIGNATURE
> > > >
> > > > i attach my ssl bump conf in my squid.conf file
> > > >
> > > > #SSL Bump
> > > > http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
> > > > sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
> > > > acl step1 at_step SslBump1
> > > > ssl_bump peek step1
> > > > ssl_bump bump all
> > > >
> > > > is there anything wrong you can see, i have tried to make a new CA
> > > > but error still occurs
> > > >
> > > > thanks,
> > > > rob
> > > >
> > > > --
> > > > Regards,
> > > >
> > > > Robert K Wild.
> > >
> > >
> > > --
> > > Regards,
> > >
> > > Robert K Wild.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
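
The certificate comparison suggested in the thread can be scripted. The following is an added example, not part of the original messages or of Squid: it reduces two "openssl x509 -noout -text" printouts to the fields that usually differ between generated certificates and diffs them. The function names, file names and the demo certificates (which differ only in signature digest) are constructed for illustration and do not diagnose the error reported above.

```shell
#!/bin/sh
# Added example (not from the thread): field-level diff of two certificates
# saved from the browser as PEM files.

# Print selected fields from the "openssl x509 -noout -text" printout.
cert_fields() {
    openssl x509 -noout -text -in "$1" |
        grep -E 'Signature Algorithm:|Issuer:|Subject:|Not (Before|After)|Public Key Algorithm:|Public-Key:|DNS:' |
        sed 's/^[[:space:]]*//' |
        awk '!seen[$0]++'   # "Signature Algorithm" is printed twice; keep one
}

# compare_certs A.pem B.pem: prints a diff of the selected fields.
# Returns 0 when they match and 1 when they differ.
compare_certs() {
    left=$(mktemp) right=$(mktemp)
    cert_fields "$1" > "$left"
    cert_fields "$2" > "$right"
    rc=0
    diff "$left" "$right" || rc=$?
    rm -f "$left" "$right"
    return "$rc"
}

# Constructed sample input: two self-signed certificates for the same
# hypothetical name, one signed with SHA-256 and one with SHA-512.
# They stand in for the two fake certificates downloaded from the browser.
make_demo_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/key.pem" \
        -out "$1/fake_blocked.pem" -subj "/CN=blah.test" -days 1 -sha256 2>/dev/null
    openssl req -x509 -new -key "$1/key.pem" \
        -out "$1/fake_allowed.pem" -subj "/CN=blah.test" -days 1 -sha512 2>/dev/null
}

# Usage: sh compare_certs.sh fake_blocked.pem fake_allowed.pem
if [ "$#" -eq 2 ]; then
    compare_certs "$1" "$2"
fi
```

Running the same comparison against the real certificate from the origin server shows which fields the generated certificate mimics and which it does not.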