Re: [squid-users] Add header to HTTPS requests

2021-05-19 Thread Aniruddha Gore
Thanks Francesco. If there are any samples that you know of, I would sincerely
appreciate it.


From: Francesco Chemolli 
Sent: Wednesday, May 19, 2021 10:46 PM
To: Aniruddha Gore
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Add header to HTTPS requests



On Thu, May 20, 2021 at 2:05 AM Aniruddha Gore wrote:

> Hello folks, I am using Squid as a simple [forward] proxy and was wondering if
> it is feasible and advised to add custom headers to HTTPS requests?

Hi Aniruddha,
  feasible, yes. Advised, maybe.

> I think I can achieve it using ssl_bump but I am still teaching myself about
> it. However, it seems to help more with examining HTTPS requests than modifying
> them.

That's actually the only way to do it. The whole point of HTTPS is to prevent
intermediaries (such as Squid) from seeing the contents of the requests and
meddling with them. SSL-Bump breaks that assumption.

> I also came across a stern warning at
> https://wiki.squid-cache.org/Features/HTTPS and was wondering if what I want
> to do is even advised.

It really depends on your context and objectives. For sure it can be pretty
informative, if your objective is to learn how HTTP works on the wire.

--
Francesco
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Add header to HTTPS requests

2021-05-19 Thread Francesco Chemolli
On Thu, May 20, 2021 at 2:05 AM Aniruddha Gore  wrote:

> Hello folks, I am using Squid as a simple [forward] proxy and was
> wondering if it is feasible and advised to add custom headers to HTTPS
> requests?
>

Hi Aniruddha,
  feasible, yes. Advised, maybe.


> I think I can achieve it using ssl_bump but I am still teaching myself
> about it. However, it seems to help more with examining HTTPS requests than
> modifying them.
>

That's actually the only way to do it. The whole point of HTTPS is to
prevent intermediaries (such as Squid) from seeing the contents of the
requests and meddling with them. SSL-Bump breaks that assumption.


>
> I also came across a stern warning at
> https://wiki.squid-cache.org/Features/HTTPS and was wondering if what I
> want to do is even advised 
>

It really depends on your context and objectives. For sure it can be pretty
informative, if your objective is to learn how HTTP works on the wire.

-- 
Francesco
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
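Francesco's answer above settles the mechanism but not the configuration. The following is an added example, not code from the thread or from the Squid project: a shell script that emits the squid.conf fragment (an SSL-Bump listener, a peek/bump/splice ladder, and request_header_add) and lets Squid parse it. It assumes the certificate and certgen paths from Rob's thread elsewhere on this page; .example.test, the header name and its value are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or the Squid project. Squid can only add
# a header to an HTTPS request it can read, so the client's TLS session is
# terminated at the proxy (bumped) and re-encrypted toward the origin, which
# is exactly the end-to-end property Francesco says SSL-Bump breaks. Every
# client must trust the CA in myCA.pem or bumped sites fail validation.
# Assumptions: certificate and certgen paths as in Rob's thread on this page;
# .example.test, the header name and its value are placeholders.

# bump_header_conf HEADER VALUE: print the squid.conf fragment.
bump_header_conf() {
    hdr=$1
    val=$2
    cat <<EOF
# Bumping listener: Squid mints a per-host certificate signed by myCA.pem.
http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB

# Peek at step 1 to learn the SNI, bump only the hosts that need the header,
# splice everything else (forwarded untouched, still end-to-end encrypted).
# This bumps the minimum the requirement needs instead of "ssl_bump bump all".
acl step1 at_step SslBump1
acl tagged_sni ssl::server_name .example.test
ssl_bump peek step1
ssl_bump bump tagged_sni
ssl_bump splice all

# request_header_add acts on the outgoing request, which after bumping is the
# decrypted HTTPS request; spliced tunnels carry no request Squid could edit.
acl tagged_dst dstdomain .example.test
request_header_add $hdr "$val" tagged_dst
EOF
}

# check_conf FILE: have Squid parse the fragment. Skipped when no squid binary
# is on PATH; the fragment is still written for review.
check_conf() {
    if command -v squid >/dev/null 2>&1; then
        squid -k parse -f "$1"
    else
        echo "squid not installed; skipping squid -k parse" >&2
    fi
}

# Write and check the fragment. To confirm the header end to end, send a
# request through the proxy with a client that trusts myCA.pem, e.g.
#   curl -x http://127.0.0.1:3128 --cacert /usr/local/squid/etc/ssl_cert/myCA.pem https://www.example.test/
# and look for the header in the origin server's request log.
out=${TMPDIR:-/tmp}/bump-header.conf
bump_header_conf X-Proxy-Tag "bumped-by-squid" > "$out"
check_conf "$out"
```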


[squid-users] Add header to HTTPS requests

2021-05-19 Thread Aniruddha Gore
Hello folks, I am using Squid as a simple [forward] proxy and was wondering if 
it is feasible and advised to add custom headers to HTTPS requests?

I think I can achieve it using ssl_bump but I am still teaching myself about 
it. However, it seems to help more with examining HTTPS requests than modifying 
them.

I also came across a stern warning at
https://wiki.squid-cache.org/Features/HTTPS and was wondering if what I want to
do is even advised.


Aniruddha Gore
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid for Windows 4.14 is available

2021-05-19 Thread Odhiambo Washington
On Mon, May 17, 2021 at 12:23 PM Rafael Akchurin wrote:

> Hello everyone,
>
> After years of postponing we were finally able to build and pack Squid
> 4 for Microsoft Windows.
>
> Sorry it took a lot more time and effort than anticipated. The already
> existing version 4.15 is also being packed.
>
> I will update once again when it is available.
>
> The MSI can be downloaded from the https://squid.diladele.com/ site.
>
> While you are there be sure to check out our other projects: Web Safety
> ICAP web filter and Admin UI for Squid (https://www.diladele.com/) and
> DNS Safety filter (something like Web Safety but on the DNS level:
> https://dnssafety.diladele.com/).
>
> Repo for development of Squid for Windows is available at
> https://github.com/diladele/squid-windows.
>
> Please post your question **for MSI problems only** at
> supp...@diladele.com, and for the Squid part here.
>
I installed this on my Windows 10, but gave up when I could not make it
cache anything.

cache_dir aufs c:\Squid\cachedir 3000 16 256

I created this directory, but squid -z would not hear of it!

The given example:

#cache_dir aufs /cygdrive/d/squid/cache 3000 16 256

... is Unix lingo, not Windows.

What is the correct format of the above config on Windows?

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v "^$|^.*#" :-)
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] All Adaptation ICAPs go down at the same time

2021-05-19 Thread Alex Rousskov
On 5/19/21 5:31 PM, roie rachamim wrote:

> 2021/05/12 12:27:24.209| 93,5| AsyncJob.cc(139) callEnd:
> AsyncJob::start() ends job [/ job31640]

To me, this looks like bug 4528:
https://bugs.squid-cache.org/show_bug.cgi?id=4528

That bug is being fixed in PR 795:
https://github.com/squid-cache/squid/pull/795

You might be able to patch your Squid using the corresponding patch:
https://github.com/squid-cache/squid/pull/795.diff

Testing feedback is very welcome.


HTH,

Alex.


> On Mon, Apr 19, 2021 at 12:07 PM Eliezer Croitoru wrote:
> 
> Hey Roie,
> 
> From the output I assume it's a DNS resolution issue.
> 
> In the past I remember that Docker was updating the hosts file with
> the relevant names, but it's not working the same way now.
> 
> Currently Docker is using a local network DNS service which is being
> accessed via 127.0.0.53.
> 
> From what I remember, Squid resolves the ICAP service name only at
> startup or reload.
> 
> Lately Alex published a testable patch that might fix specific
> issues with ICAP services which are resolved by DNS. (Sorry, I don't
> remember the bug report.)
> 
> I assume you can try to test this patch first.
> 
> If these services are static to some degree you might be able to
> create a script that updates the hosts file and reloads Squid on each
> change.
> 
> When using the hosts file it's possible that some issues will
> disappear.
> 
> There is also another possibility, which is a malformed ICAP response
> or wrong session handling that causes this issue.
> 
> You might be able to use tcpdump from either the host or the
> container side to capture traffic when these go down.
> 
> Depending on your preferred debug level you might even be able to
> debug specific debug_options, like for ICAP services
> and/or requests, to the degree that you might be able to see what happens
> at the basic level of the ICAP encapsulation.
> 
> If you really need help with a diagnosis and a solution you might be
> able to use Alex and The Measurement Factory.
> 
> All the best,
> 
> Eliezer
> 
> *From:* squid-users *On Behalf Of* roie rachamim
> *Sent:* Monday, April 12, 2021 12:54 PM
> *To:* squid-users@lists.squid-cache.org
> *Subject:* [squid-users] All Adaptation ICAPs go down at the same time
> 
> Hi,
> 
> Our setup includes Squid that runs in a Docker container with several
> ICAP servers in additional containers.
> 
> From time to time we see in cache.log the following messages:
> 2021/04/12 00:22:39| optional ICAP service is down after an options
> fetch failure: icap://icap1.proxy:14590/censor [down,!opt]
> 2021/04/12 00:22:39| optional ICAP service is down after an options
> fetch failure: icap://icap2.proxy:1344/request [down,!opt]
> 2021/04/12 00:22:39| optional ICAP service is down after an options
> fetch failure: icap://icap3.proxy:14590/response [down,!opt]
> 
> 2021/04/12 06:10:45| optional ICAP service is down after an options
> fetch failure: icap://icap1.proxy:14590/censor [down,!opt]
> 2021/04/12 06:10:45| optional ICAP service is down after an options
> fetch failure: icap://icap2.proxy:1344/request [down,!opt]
> 2021/04/12 06:10:45| optional ICAP service is down after an options
> fetch failure: icap://icap3.proxy:14590/response [down,!opt]
> 
> We're trying to understand why it happens to all ICAPs at once. This
> happens in 4.14 and in 5.0.4.
> 
> Any thoughts about what might cause this?
> 
> Many thanks,
> 
> Roie
> 
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
> 

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
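Roie's symptom above, every optional ICAP service marked down in the same second, is worth alerting on separately from a single service failing: the all-at-once pattern points at a shared cause (resolver, or the OPTIONS-fetch bug Alex references) rather than one broken server. The following is an added example, not from the thread: a POSIX shell function that scans cache.log for that pattern, assuming the line format quoted above and a known number of icap_service entries; the sample log is constructed from the quoted lines plus one single-service failure.

```shell
#!/bin/sh
# Added example, not from the thread: flag seconds in which every configured
# ICAP service was marked down together. Assumptions: cache.log lines in the
# format quoted in the thread; the number of icap_service entries in
# squid.conf is known (three here, as in Roie's setup).

# Constructed sample of cache.log: the quoted lines plus one single-service
# failure at 03:15:10 that must NOT be reported.
SAMPLE_LOG='2021/04/12 00:22:39| optional ICAP service is down after an options fetch failure: icap://icap1.proxy:14590/censor [down,!opt]
2021/04/12 00:22:39| optional ICAP service is down after an options fetch failure: icap://icap2.proxy:1344/request [down,!opt]
2021/04/12 00:22:39| optional ICAP service is down after an options fetch failure: icap://icap3.proxy:14590/response [down,!opt]
2021/04/12 03:15:10| optional ICAP service is down after an options fetch failure: icap://icap2.proxy:1344/request [down,!opt]
2021/04/12 06:10:45| optional ICAP service is down after an options fetch failure: icap://icap1.proxy:14590/censor [down,!opt]
2021/04/12 06:10:45| optional ICAP service is down after an options fetch failure: icap://icap2.proxy:1344/request [down,!opt]
2021/04/12 06:10:45| optional ICAP service is down after an options fetch failure: icap://icap3.proxy:14590/response [down,!opt]'

# Number of icap_service lines in squid.conf.
ICAP_SERVICE_COUNT=3

# icap_mass_outages: read cache.log on stdin and print one line per second in
# which at least ICAP_SERVICE_COUNT distinct services went down together.
# Duplicate "down" lines for the same service in the same second count once.
icap_mass_outages() {
    awk -v want="$ICAP_SERVICE_COUNT" '
        /optional ICAP service is down/ {
            # $1 is the date, $2 is "HH:MM:SS|": strip the trailing bar.
            ts = $1 " " substr($2, 1, index($2, "|") - 1)
            svc = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^icap:\/\//) svc = $i
            if (svc != "" && !((ts, svc) in seen)) {
                seen[ts, svc] = 1
                down[ts]++
            }
        }
        END {
            for (ts in down)
                if (down[ts] >= want)
                    print ts " all " down[ts] " ICAP services down together"
        }' | sort
}

# Run over the constructed sample; on a live box use: icap_mass_outages < /var/log/squid/cache.log
printf '%s\n' "$SAMPLE_LOG" | icap_mass_outages
```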


Re: [squid-users] All Adaptation ICAPs go down at the same time

2021-05-19 Thread roie rachamim
Hi,

These are the logs I managed to capture during the disconnection (I enabled
section 93 in debug_options):

2021/05/12 12:27:24.209| 93,5| ServiceRep.cc(378) noteTimeToUpdate:
performs a regular options update [up]
2021/05/12 12:27:24.209| 93,6| ServiceRep.cc(611) startGettingOptions: will
get new options [up]
2021/05/12 12:27:24.209| 93,5| AsyncJob.cc(34) AsyncJob: AsyncJob
constructed, this=0x55a73f3bc468 type=Adaptation::Icap::OptXactLauncher
[job31639]
2021/05/12 12:27:24.209| 93,5| AsyncCall.cc(26) AsyncCall: The AsyncCall
AsyncJob::start constructed, this=0x55a73ef1ebc0 [call661700]
2021/05/12 12:27:24.209| 93,5| AsyncCall.cc(93) ScheduleCall:
AsyncJob.cc(26) will call AsyncJob::start() [call661700]
2021/05/12 12:27:24.209| 93,5| AsyncCallQueue.cc(55) fireNext: entering
AsyncJob::start()
2021/05/12 12:27:24.209| 93,5| AsyncCall.cc(38) make: make call
AsyncJob::start [call661700]
2021/05/12 12:27:24.209| 93,5| AsyncJob.cc(123) callStart:
Adaptation::Icap::OptXactLauncher status in: [ job31639]
2021/05/12 12:27:24.209| 93,4| Launcher.cc(49) launchXaction: launching
first xaction #1
2021/05/12 12:27:24.209| 93,5| AsyncJob.cc(34) AsyncJob: AsyncJob
constructed, this=0x55a73f3bca30 type=Adaptation::Icap::OptXact [job31640]
2021/05/12 12:27:24.209| 93,3| Xaction.cc(101) Xaction:
Adaptation::Icap::OptXact constructed, this=0x55a73f3bc948 [icapxjob31640]
2021/05/12 12:27:24.209| 93,5| Xaction.cc(141) disableRepeats:
Adaptation::Icap::OptXact from now on cannot be repeated because over
icap_retry_limit [/ job31640]
2021/05/12 12:27:24.209| 93,5| AsyncCall.cc(26) AsyncCall: The AsyncCall
AsyncJob::start constructed, this=0x55a73ef1ecb0 [call661701]
2021/05/12 12:27:24.209| 93,5| AsyncCall.cc(93) ScheduleCall:
AsyncJob.cc(26) will call AsyncJob::start() [call661701]
2021/05/12 12:27:24.209| 93,5| AsyncJob.cc(154) callEnd:
Adaptation::Icap::OptXactLauncher status out: [ job31639]
2021/05/12 12:27:24.209| 93,5| AsyncCallQueue.cc(57) fireNext: leaving
AsyncJob::start()
2021/05/12 12:27:24.209| 93,5| AsyncCallQueue.cc(55) fireNext: entering
AsyncJob::start()
2021/05/12 12:27:24.209| 93,5| AsyncCall.cc(38) make: make call
AsyncJob::start [call661701]
2021/05/12 12:27:24.209| 93,5| AsyncJob.cc(123) callStart:
Adaptation::Icap::OptXact status in: [/ job31640]
2021/05/12 12:27:24.209| 93,3| ServiceRep.cc(142) getConnection: got
connection:
2021/05/12 12:27:24.209| 93,5| Xaction.cc(134) disableRetries:
Adaptation::Icap::OptXact from now on cannot be retried  [/ job31640]
2021/05/12 12:27:24.209| 93,3| Xaction.cc(189) openConnection:
Adaptation::Icap::OptXact opens connection to skipper.proxy:14590
2021/05/12 12:27:24.209| 93,5| AsyncJob.cc(139) callEnd: AsyncJob::start()
ends job [/ job31640]
2021/05/12 12:27:24.210| 93,5| Initiate.cc(64) swanSong: swan sings [/
job31640]
2021/05/12 12:27:24.210| 93,5| Initiate.cc(71) swanSong: swan sang [/
job31640]
2021/05/12 12:27:24.210| 93,3| Xaction.cc(113) ~Xaction:
Adaptation::Icap::OptXact destructed, this=0x55a73f3bc948 [icapxjob31640]
2021/05/12 12:27:24.210| 93,5| AsyncJob.cc(40) ~AsyncJob: AsyncJob
destructed, this=0x55a73f3bca30 type=Adaptation::Icap::OptXact [job31640]
2021/05/12 12:27:24.210| 93,6| AsyncJob.cc(149) callEnd: AsyncJob::start()
ended 0x55a73f3bca30
2021/05/12 12:27:24.210| 93,5| AsyncCallQueue.cc(57) fireNext: leaving
AsyncJob::start()
2021/05/12 12:27:24.210| 93,5| Launcher.cc(85) noteXactAbort:
theXaction:0x55a73f3bc948/0x55a73f3bc948 launches: 1
2021/05/12 12:27:24.210| 93,9| Launcher.cc(127) canRepeat: 0
2021/05/12 12:27:24.210| 93,3| Launcher.cc(95) noteXactAbort: cannot retry
or repeat a failed transaction
2021/05/12 12:27:24.210| 93,4| Answer.cc(20) Error: error: 0
2021/05/12 12:27:24.210| 93,5| AsyncCall.cc(26) AsyncCall: The AsyncCall
Initiator::noteAdaptationAnswer constructed, this=0x55a73f27e950
[call661703]
2021/05/12 12:27:24.210| 93,5| AsyncCall.cc(93) ScheduleCall:
Initiate.cc(83) will call Initiator::noteAdaptationAnswer(2) [call661703]
2021/05/12 12:27:24.210| 93,5| AsyncJob.cc(139) callEnd:
Launcher::noteXactAbort(0,0) ends job [ job31639]
2021/05/12 12:27:24.210| 93,5| Initiate.cc(64) swanSong: swan sings [
job31639]
2021/05/12 12:27:24.210| 93,5| Initiate.cc(71) swanSong: swan sang [
job31639]
2021/05/12 12:27:24.210| 93,5| AsyncJob.cc(40) ~AsyncJob: AsyncJob
destructed, this=0x55a73f3bc468 type=Adaptation::Icap::OptXactLauncher
[job31639]
2021/05/12 12:27:24.210| 93,6| AsyncJob.cc(149) callEnd:
Launcher::noteXactAbort(0,0) ended 0x55a73f3bc468
2021/05/12 12:27:24.210| 93,7| HttpRequest.cc(63) ~HttpRequest: destructed,
this=0x55a73f3c9580
2021/05/12 12:27:24.210| 93,5| AsyncCallQueue.cc(55) fireNext: entering
Initiator::noteAdaptationAnswer(2)
2021/05/12 12:27:24.210| 93,5| AsyncCall.cc(38) make: make call
Initiator::noteAdaptationAnswer [call661703]
2021/05/12 12:27:24.210| 93,5| AsyncJob.cc(123) callStart:
Adaptation::Icap::ServiceRep status in:[up,fetch]
2021/05/12 12:27:24.210| 93,3| ServiceRep.cc(554) noteAdaptationAnswer:
failed to fetch 

Re: [squid-users] squid self signed cert error on some websites

2021-05-19 Thread robert k Wild
I'm following this guide

https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

The section

Alternative trust roots

I don't have a dir called

Usr local openssl

Do I have to download the CA bundle file somewhere?



On Wed, 19 May 2021, 21:34 robert k Wild wrote:

> Thanks Alex, I will do this tomorrow and let you know
>
> Thank you, have a great day
>
> On Wed, 19 May 2021, 21:25 Alex Rousskov wrote:
>
>> On 5/19/21 4:20 PM, robert k Wild wrote:
>>
>> > When I don't add the website to the white list I can't view the cert
>>
>> What prevents you from viewing the certificate? Can you click on the
>> site information icon to the left of the browser Location(?) bar when
>> the error is displayed? If not, perhaps you can use Firefox built-in
>> "Web Developer Tools" (Ctrl-Shift-I on my machine) to get to the
>> certificate? I am not a browser expert, but there is usually a way to
>> see the certificate if the browser received it.
>>
>> If nothing works, can you try reproducing using curl or wget instead of
>> a browser?
>>
>>
>> > Or are you talking about turn the proxy off on Firefox and access the
>> > website normally?
>>
>> That would give you the third certificate to compare.
>>
>> Alex.
>>
>>
>> > On Wed, 19 May 2021, 21:05 Alex Rousskov wrote:
>> >
>> > On 5/19/21 3:44 PM, robert k Wild wrote:
>> >
>> > > when i dont add it to the white list i cant view the website
>> > (obviously)
>> > > but can see the cert is provided by my squid (default company
>> ltd)...i
>> > > was lazy creating it but cant view the cert
>> > >
>> > > when i add it to the white list, i can view the website and the
>> cert
>> > > info and its def from my squid cert (default company ltd) as i
>> see the
>> > > valid dates ie before and after
>> >
>> > The difference between those two certificates, if any, may be able
>> to
>> > explain the difference in browser behavior. It would also be useful
>> to
>> > compare those fake certificates with the real one.
>> >
>> >
>> > > i think i need to relax the ciphers in my squid.conf as some other
>> > https
>> > > websites i get the error page and i dont get the cert error
>> message
>> > >
>> > > do you think relaxing the ciphers will work?
>> >
>> > Sorry, I do not know. Obviously, you can trivially check this
>> theory.
>> >
>> > Alex.
>> >
>> >
>> > > On Wed, 19 May 2021, 19:12 Alex Rousskov wrote:
>> > >
>> > > On 5/19/21 10:41 AM, robert k Wild wrote:
>> > > > ok i found out what the error is
>> > > >
>> > > > its because in my squid.conf, i have a whitelist file
>> > > >
>> > > > #HTTP_HTTPS whitelist websites
>> > > > acl whitelist ssl::server_name
>> > "/usr/local/squid/etc/urlwhite.txt"
>> > > > http_access allow activation whitelist
>> > > > http_access deny all
>> > > >
>> > > > once i added the url to that file, it worked
>> > > >
>> > > > but surely, instead of giving me an error saying
>> > > >
>> > > > secure connection failed
>> > > > Error code: SEC_ERROR_BAD_SIGNATURE
>> > > >
>> > > > it should be the default error ie
>> > > >
>> > > > The following error was encountered while trying to retrieve
>> > the URL:
>> > > > https://blah.blah
>> > > >
>> > > > Access Denied.
>> > > >
>> > > > how can i change this please
>> > >
>> > > The answer depends on _why_ you get that
>> > SEC_ERROR_BAD_SIGNATURE error.
>> > >
>> > > If Squid does not have enough information to properly bump
>> > your client
>> > > connection, then there may be no bumping-based solution at all
>> > (e.g.
>> > > when the client is using certificate pinning), or you would
>> > have to bump
>> > > at step2 when more information is available to Squid (to
>> > generate a
>> > > better fake certificate).
>> > >
>> > > For the next step, try comparing the fake certificate that
>> causes
>> > > SEC_ERROR_BAD_SIGNATURE with the fake same-site certificate
>> > that works
>> > > after you whitelist the problematic site. The browser should
>> > allow you
>> > > to view both certificates. You can download them and use
>> > certificate
>> > > printing tools like "openssl x509 -noout -text -in ..." to
>> > compare two
>> > > certificate printouts.
>> > >
>> > > HTH,
>> > >
>> > > Alex.
>> > >
>> > >
>> > > > On Wed, 19 May 2021 at 13:54, robert k Wild wrote:
>> > >   

Re: [squid-users] squid self signed cert error on some websites

2021-05-19 Thread robert k Wild
Thanks Alex, I will do this tomorrow and let you know

Thank you, have a great day

On Wed, 19 May 2021, 21:25 Alex Rousskov wrote:

> On 5/19/21 4:20 PM, robert k Wild wrote:
>
> > When I don't add the website to the white list I can't view the cert
>
> What prevents you from viewing the certificate? Can you click on the
> site information icon to the left of the browser Location(?) bar when
> the error is displayed? If not, perhaps you can use Firefox built-in
> "Web Developer Tools" (Ctrl-Shift-I on my machine) to get to the
> certificate? I am not a browser expert, but there is usually a way to
> see the certificate if the browser received it.
>
> If nothing works, can you try reproducing using curl or wget instead of
> a browser?
>
>
> > Or are you talking about turn the proxy off on Firefox and access the
> > website normally?
>
> That would give you the third certificate to compare.
>
> Alex.
>
>
> > On Wed, 19 May 2021, 21:05 Alex Rousskov wrote:
> >
> > On 5/19/21 3:44 PM, robert k Wild wrote:
> >
> > > when i dont add it to the white list i cant view the website
> > (obviously)
> > > but can see the cert is provided by my squid (default company
> ltd)...i
> > > was lazy creating it but cant view the cert
> > >
> > > when i add it to the white list, i can view the website and the
> cert
> > > info and its def from my squid cert (default company ltd) as i see
> the
> > > valid dates ie before and after
> >
> > The difference between those two certificates, if any, may be able to
> > explain the difference in browser behavior. It would also be useful
> to
> > compare those fake certificates with the real one.
> >
> >
> > > i think i need to relax the ciphers in my squid.conf as some other
> > https
> > > websites i get the error page and i dont get the cert error message
> > >
> > > do you think relaxing the ciphers will work?
> >
> > Sorry, I do not know. Obviously, you can trivially check this theory.
> >
> > Alex.
> >
> >
> > > On Wed, 19 May 2021, 19:12 Alex Rousskov wrote:
> > >
> > > On 5/19/21 10:41 AM, robert k Wild wrote:
> > > > ok i found out what the error is
> > > >
> > > > its because in my squid.conf, i have a whitelist file
> > > >
> > > > #HTTP_HTTPS whitelist websites
> > > > acl whitelist ssl::server_name
> > "/usr/local/squid/etc/urlwhite.txt"
> > > > http_access allow activation whitelist
> > > > http_access deny all
> > > >
> > > > once i added the url to that file, it worked
> > > >
> > > > but surely, instead of giving me an error saying
> > > >
> > > > secure connection failed
> > > > Error code: SEC_ERROR_BAD_SIGNATURE
> > > >
> > > > it should be the default error ie
> > > >
> > > > The following error was encountered while trying to retrieve
> > the URL:
> > > > https://blah.blah
> > > >
> > > > Access Denied.
> > > >
> > > > how can i change this please
> > >
> > > The answer depends on _why_ you get that
> > SEC_ERROR_BAD_SIGNATURE error.
> > >
> > > If Squid does not have enough information to properly bump
> > your client
> > > connection, then there may be no bumping-based solution at all
> > (e.g.
> > > when the client is using certificate pinning), or you would
> > have to bump
> > > at step2 when more information is available to Squid (to
> > generate a
> > > better fake certificate).
> > >
> > > For the next step, try comparing the fake certificate that
> causes
> > > SEC_ERROR_BAD_SIGNATURE with the fake same-site certificate
> > that works
> > > after you whitelist the problematic site. The browser should
> > allow you
> > > to view both certificates. You can download them and use
> > certificate
> > > printing tools like "openssl x509 -noout -text -in ..." to
> > compare two
> > > certificate printouts.
> > >
> > > HTH,
> > >
> > > Alex.
> > >
> > >
> > > > On Wed, 19 May 2021 at 13:54, robert k Wild wrote:
> > > >
> > > > hi all,
> > > >
> > > > i have squid 4.15
> > > >
> > > > i have imported my self signed cert on firefox and now i
> can
> > > access
> > > > https website (where as before i got a software is
> > preventing this
> > > > website from opening)
> > > >
> > > > but on some websites i get an error saying
> > > >
> > > > secure 

Re: [squid-users] squid self signed cert error on some websites

2021-05-19 Thread Alex Rousskov
On 5/19/21 4:20 PM, robert k Wild wrote:

> When I don't add the website to the white list I can't view the cert

What prevents you from viewing the certificate? Can you click on the
site information icon to the left of the browser Location(?) bar when
the error is displayed? If not, perhaps you can use Firefox built-in
"Web Developer Tools" (Ctrl-Shift-I on my machine) to get to the
certificate? I am not a browser expert, but there is usually a way to
see the certificate if the browser received it.

If nothing works, can you try reproducing using curl or wget instead of
a browser?


> Or are you talking about turn the proxy off on Firefox and access the
> website normally?

That would give you the third certificate to compare.

Alex.


> On Wed, 19 May 2021, 21:05 Alex Rousskov wrote:
> 
> On 5/19/21 3:44 PM, robert k Wild wrote:
> 
> > when i dont add it to the white list i cant view the website
> (obviously)
> > but can see the cert is provided by my squid (default company ltd)...i
> > was lazy creating it but cant view the cert
> >
> > when i add it to the white list, i can view the website and the cert
> > info and its def from my squid cert (default company ltd) as i see the
> > valid dates ie before and after
> 
> The difference between those two certificates, if any, may be able to
> explain the difference in browser behavior. It would also be useful to
> compare those fake certificates with the real one.
> 
> 
> > i think i need to relax the ciphers in my squid.conf as some other
> https
> > websites i get the error page and i dont get the cert error message
> >
> > do you think relaxing the ciphers will work?
> 
> Sorry, I do not know. Obviously, you can trivially check this theory.
> 
> Alex.
> 
> 
> > On Wed, 19 May 2021, 19:12 Alex Rousskov wrote:
> >
> >     On 5/19/21 10:41 AM, robert k Wild wrote:
> >     > ok i found out what the error is
> >     >
> >     > its because in my squid.conf, i have a whitelist file
> >     >
> >     > #HTTP_HTTPS whitelist websites
> >     > acl whitelist ssl::server_name
> "/usr/local/squid/etc/urlwhite.txt"
> >     > http_access allow activation whitelist
> >     > http_access deny all
> >     >
> >     > once i added the url to that file, it worked
> >     >
> >     > but surely, instead of giving me an error saying
> >     >
> >     > secure connection failed
> >     > Error code: SEC_ERROR_BAD_SIGNATURE
> >     >
> >     > it should be the default error ie
> >     >
> >     > The following error was encountered while trying to retrieve
> the URL:
> >     > https://blah.blah
> >     >
> >     >     Access Denied.
> >     >
> >     > how can i change this please
> >
> >     The answer depends on _why_ you get that
> SEC_ERROR_BAD_SIGNATURE error.
> >
> >     If Squid does not have enough information to properly bump
> your client
> >     connection, then there may be no bumping-based solution at all
> (e.g.
> >     when the client is using certificate pinning), or you would
> have to bump
> >     at step2 when more information is available to Squid (to
> generate a
> >     better fake certificate).
> >
> >     For the next step, try comparing the fake certificate that causes
> >     SEC_ERROR_BAD_SIGNATURE with the fake same-site certificate
> that works
> >     after you whitelist the problematic site. The browser should
> allow you
> >     to view both certificates. You can download them and use
> certificate
> >     printing tools like "openssl x509 -noout -text -in ..." to
> compare two
> >     certificate printouts.
> >
> >     HTH,
> >
> >     Alex.
> >
> >
> >     > On Wed, 19 May 2021 at 13:54, robert k Wild wrote:
> >     >
> >     >     hi all,
> >     >
> >     >     i have squid 4.15
> >     >
> >     >     i have imported my self signed cert on firefox and now i can
> >     access
> >     >     https website (where as before i got a software is
> preventing this
> >     >     website from opening)
> >     >
> >     >     but on some websites i get an error saying
> >     >
> >     >     secure connection failed
> >     >     Error code: SEC_ERROR_BAD_SIGNATURE
> >     >
> >     >     i attach my ssl bump conf in my squid.conf file
> >     >
> >     >     #SSL Bump
> >     >     http_port 3128 ssl-bump
> >     cert=/usr/local/squid/etc/ssl_cert/myCA.pem
> >     >     generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB
> >     > 

Re: [squid-users] squid self signed cert error on some websites

2021-05-19 Thread robert k Wild
Thanks Alex,

When I don't add the website to the white list I can't view the cert, so I
can't download it and compare it with the one I can view/download when I do
add it to the white list.

Or are you talking about turning the proxy off on Firefox and accessing the
website normally?

Thanks,
Rob

On Wed, 19 May 2021, 21:05 Alex Rousskov wrote:

> On 5/19/21 3:44 PM, robert k Wild wrote:
>
> > when i dont add it to the white list i cant view the website (obviously)
> > but can see the cert is provided by my squid (default company ltd)...i
> > was lazy creating it but cant view the cert
> >
> > when i add it to the white list, i can view the website and the cert
> > info and its def from my squid cert (default company ltd) as i see the
> > valid dates ie before and after
>
> The difference between those two certificates, if any, may be able to
> explain the difference in browser behavior. It would also be useful to
> compare those fake certificates with the real one.
>
>
> > i think i need to relax the ciphers in my squid.conf as some other https
> > websites i get the error page and i dont get the cert error message
> >
> > do you think relaxing the ciphers will work?
>
> Sorry, I do not know. Obviously, you can trivially check this theory.
>
> Alex.
>
>
> > On Wed, 19 May 2021, 19:12 Alex Rousskov wrote:
> >
> > On 5/19/21 10:41 AM, robert k Wild wrote:
> > > ok i found out what the error is
> > >
> > > its because in my squid.conf, i have a whitelist file
> > >
> > > #HTTP_HTTPS whitelist websites
> > > acl whitelist ssl::server_name "/usr/local/squid/etc/urlwhite.txt"
> > > http_access allow activation whitelist
> > > http_access deny all
> > >
> > > once i added the url to that file, it worked
> > >
> > > but surely, instead of giving me an error saying
> > >
> > > secure connection failed
> > > Error code: SEC_ERROR_BAD_SIGNATURE
> > >
> > > it should be the default error ie
> > >
> > > The following error was encountered while trying to retrieve the
> URL:
> > > https://blah.blah
> > >
> > > Access Denied.
> > >
> > > how can i change this please
> >
> > The answer depends on _why_ you get that SEC_ERROR_BAD_SIGNATURE
> error.
> >
> > If Squid does not have enough information to properly bump your
> client
> > connection, then there may be no bumping-based solution at all (e.g.
> > when the client is using certificate pinning), or you would have to
> bump
> > at step2 when more information is available to Squid (to generate a
> > better fake certificate).
> >
> > For the next step, try comparing the fake certificate that causes
> > SEC_ERROR_BAD_SIGNATURE with the fake same-site certificate that
> works
> > after you whitelist the problematic site. The browser should allow
> you
> > to view both certificates. You can download them and use certificate
> > printing tools like "openssl x509 -noout -text -in ..." to compare
> two
> > certificate printouts.
> >
> > HTH,
> >
> > Alex.
> >
> >
> > > On Wed, 19 May 2021 at 13:54, robert k Wild wrote:
> > >
> > > hi all,
> > >
> > > i have squid 4.15
> > >
> > > i have imported my self signed cert on firefox and now i can
> > access
> > > https website (where as before i got a software is preventing
> this
> > > website from opening)
> > >
> > > but on some websites i get an error saying
> > >
> > > secure connection failed
> > > Error code: SEC_ERROR_BAD_SIGNATURE
> > >
> > > i attach my ssl bump conf in my squid.conf file
> > >
> > > #SSL Bump
> > > http_port 3128 ssl-bump
> > cert=/usr/local/squid/etc/ssl_cert/myCA.pem
> > > generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> > > cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
> > > sslcrtd_program /usr/local/squid/libexec/security_file_certgen
> -s
> > > /var/lib/ssl_db -M 4MB
> > > acl step1 at_step SslBump1
> > > ssl_bump peek step1
> > > ssl_bump bump all
> > >
> > > is there anything wrong you can see, i have tried to make a
> new CA
> > > but error still occures
> > >
> > > thanks,
> > > rob
> > >
> > > --
> > > Regards,
> > >
> > > Robert K Wild.
> > >
> > >
> > >
> > > --
> > > Regards,
> > >
> > > Robert K Wild.
> > >
> > > ___
> > > squid-users mailing list
> > > squid-users@lists.squid-cache.org
> > > http://lists.squid-cache.org/listinfo/squid-users
> > >
> >

Re: [squid-users] squid self signed cert error on some websites

2021-05-19 Thread Alex Rousskov
On 5/19/21 3:44 PM, robert k Wild wrote:

> when i dont add it to the white list i cant view the website (obviously)
> but can see the cert is provided by my squid (default company ltd)...i
> was lazy creating it but cant view the cert
> 
> when i add it to the white list, i can view the website and the cert
> info and its def from my squid cert (default company ltd) as i see the
> valid dates ie before and after

The difference between those two certificates, if any, may be able to
explain the difference in browser behavior. It would also be useful to
compare those fake certificates with the real one.


> i think i need to relax the ciphers in my squid.conf as on some other https
> websites i get the error page and i don't get the cert error message
> 
> do you think relaxing the ciphers will work?

Sorry, I do not know. Obviously, you can trivially check this theory.

Alex.


Re: [squid-users] squid self signed cert error on some websites

2021-05-19 Thread robert k Wild
Thanks Alex,

i think i know why now after further digging

when i don't add it to the white list i can't view the website (obviously)
but can see the cert is provided by my squid (default company ltd)...i was
lazy creating it but can't view the cert

when i add it to the white list, i can view the website and the cert info
and it's def from my squid cert (default company ltd) as i see the valid
dates ie before and after

i think i need to relax the ciphers in my squid.conf as on some other https
websites i get the error page and i don't get the cert error message

do you think relaxing the ciphers will work?



Re: [squid-users] squid self signed cert error on some websites

2021-05-19 Thread Alex Rousskov
On 5/19/21 10:41 AM, robert k Wild wrote:
> ok i found out what the error is
> 
> it's because in my squid.conf, i have a whitelist file
> 
> #HTTP_HTTPS whitelist websites
> acl whitelist ssl::server_name "/usr/local/squid/etc/urlwhite.txt"
> http_access allow activation whitelist
> http_access deny all
> 
> once i added the url to that file, it worked
> 
> but surely, instead of giving me an error saying
> 
> secure connection failed
> Error code: SEC_ERROR_BAD_SIGNATURE
> 
> it should be the default error ie
> 
> The following error was encountered while trying to retrieve the URL:
> https://blah.blah 
> 
>     Access Denied.
> 
> how can i change this please

The answer depends on _why_ you get that SEC_ERROR_BAD_SIGNATURE error.

If Squid does not have enough information to properly bump your client
connection, then there may be no bumping-based solution at all (e.g.
when the client is using certificate pinning), or you would have to bump
at step2 when more information is available to Squid (to generate a
better fake certificate).

For the next step, try comparing the fake certificate that causes
SEC_ERROR_BAD_SIGNATURE with the fake same-site certificate that works
after you whitelist the problematic site. The browser should allow you
to view both certificates. You can download them and use certificate
printing tools like "openssl x509 -noout -text -in ..." to compare two
certificate printouts.

HTH,

Alex.

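The comparison Alex suggests above (certificate printouts via openssl x509) and the CA check a browser performs behind a SEC_ERROR_BAD_SIGNATURE, as an added example that is not part of the thread: a POSIX sh script that summarises the relevant fields of two PEM certificates, diffs them, and verifies each against the CA the browser trusts. It assumes the openssl CLI is installed; the CA names, hostnames and file names are constructed throwaways, not anything from robert's setup.

```shell
#!/bin/sh
# Added example, not from the thread. Summarises the fields a browser checks in
# two certificates (e.g. the fake cert that triggers SEC_ERROR_BAD_SIGNATURE
# versus the one that works after whitelisting), diffs them, and checks each
# against the CA the browser trusts. Needs the openssl CLI; all certs below
# are constructed throwaways.
set -eu
WORK=$(mktemp -d)

# Subject, issuer, SANs, validity window, signature algorithm and fingerprint
# of a PEM certificate, as one sorted list of lines.
cert_summary() {
    { openssl x509 -noout -text -in "$1" |
          grep -E 'Subject:|Issuer:|Not (Before|After)|DNS:|Signature Algorithm';
      openssl x509 -noout -fingerprint -sha256 -in "$1"; } |
        sed 's/^[[:space:]]*//' | sort -u
}

# Diff two summaries; exit status 0 only when no compared field differs.
compare_certs() {
    cert_summary "$1" > "$WORK/a.txt"
    cert_summary "$2" > "$WORK/b.txt"
    diff "$WORK/a.txt" "$WORK/b.txt"
}

# Does the certificate chain to the given CA? This is the check the browser
# performs against the imported CA; failing it is one cause of a bad-signature error.
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# --- constructed sample data: two throwaway CAs and a leaf cert from each ---
make_ca() {   # $1 = basename
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
make_leaf() { # $1 = basename, $2 = signing CA basename, $3 = hostname
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$3" > "$WORK/$1.ext"
    openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/$2.pem" \
        -CAkey "$WORK/$2.key" -CAcreateserial -extfile "$WORK/$1.ext" \
        -out "$WORK/$1.pem" 2>/dev/null
}
make_ca trusted-ca; make_ca other-ca
make_leaf good trusted-ca good.example.test   # signed by the CA the browser trusts
make_leaf bad  other-ca   bad.example.test    # signed by a CA it does not trust

compare_certs "$WORK/good.pem" "$WORK/bad.pem" || true   # print the differing lines
```

To use it on real files, call `compare_certs` and `verify_against_ca` with the two certificates exported from the browser and the CA PEM given to http_port; a differing Issuer or fingerprint line, or a failed verify, points at which fake certificate the browser cannot chain to the imported CA.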


Re: [squid-users] squid self signed cert error on some websites

2021-05-19 Thread robert k Wild
ok i found out what the error is

it's because in my squid.conf, i have a whitelist file

#HTTP_HTTPS whitelist websites
acl whitelist ssl::server_name "/usr/local/squid/etc/urlwhite.txt"
http_access allow activation whitelist
http_access deny all

once i added the url to that file, it worked

but surely, instead of giving me an error saying

secure connection failed
Error code: SEC_ERROR_BAD_SIGNATURE

it should be the default error ie

The following error was encountered while trying to retrieve the URL:
https://blah.blah

Access Denied.

how can i change this please

thanks,
rob


-- 
Regards,

Robert K Wild.


[squid-users] squid self signed cert error on some websites

2021-05-19 Thread robert k Wild
hi all,

i have squid 4.15

i have imported my self signed cert on firefox and now i can access https
website (whereas before i got a software is preventing this website from
opening)

but on some websites i get an error saying

secure connection failed
Error code: SEC_ERROR_BAD_SIGNATURE

i attach my ssl bump conf in my squid.conf file

#SSL Bump
http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s
/var/lib/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

is there anything wrong you can see, i have tried to make a new CA but
error still occurs

thanks,
rob

-- 
Regards,

Robert K Wild.


Re: [squid-users] squid clamav configure options

2021-05-19 Thread robert k Wild
Thank you Amos

On Tue, 18 May 2021, 23:36 Amos Jeffries wrote:

> Squid-4 is a stable release series. That means we go out of our way to
> ensure UI (eg build and squid.conf) does not change behaviour.
>
> So yes all *squid* settings should work the same between those versions.
>
> c-icap and squidclamav are third party software. You should not need to
> change them just to update squid.
>
> Amos
>