[squid-users] Chrome 67 Issue with SSL Bump

2018-06-26 Thread Amit Pasari - XS INFOSOL Inc. USA

Dear All,

I am using Squid version 3.5.26 on CentOS 6.7 with the configuration below.

=

http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/myssl/public.pem capath=/etc/ssl/certs options=NO_SSLv3 key=/etc/myssl/private.pem


ssl_bump peek step1 all
ssl_bump peek step2 serverIsBank
ssl_bump splice step3 serverIsBank
ssl_bump bump all

==

I am using Squid in transparent mode. Everything is working fine in
Firefox and IE after I imported the certificate in both browsers,
but in Chrome 67 on Windows 10 I am facing the below issue:

NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM

when I open https://facebook.com, https://linkedin.com etc.

I am clueless on the same now.

Amit


___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Chrome 67 Issue with SSL Bump

2018-06-26 Thread Walter H.

On 26.06.2018 17:22, Amit Pasari - XS INFOSOL Inc. USA wrote:
> I am using squid in transparent mode . Everything working fine in
> Firefox and IE after i have imported the certificate in both the
> browser  , but in Chrome 67 version on Windows 10 i am facing the
> below issue
>
> NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM
>
> When i open https://facebook.com , https://linkedin.com etc .
>
> I am clueless on the same now .
>
> Amit


Have you generated a SHA1 or SHA-256 certificate?

Walter





Re: [squid-users] Chrome 67 Issue with SSL Bump

2018-06-26 Thread Amit pasari
Dear Walter

I have tried with both SHA1 and SHA256 cert.


Sent from my iPhone

> On Jun 26, 2018, at 9:43 PM, Walter H.  wrote:
> 
>> On 26.06.2018 17:22, Amit Pasari - XS INFOSOL Inc. USA wrote:
>> I am using squid in transparent mode . Everything working fine in Firefox 
>> and IE after i have imported the certificate in both the browser  , but in 
>> Chrome 67 version on Windows 10 i am facing the below issue 
>> NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM
>> When i open https://facebook.com , https://linkedin.com etc .
>> I am clueless on the same now . 
>> Amit
>> 
> Have you generated a SHA1 or SHA-256 certificate?
> 
> Walter
> 


Re: [squid-users] Chrome 67 Issue with SSL Bump

2018-06-26 Thread Walter H.

On 26.06.2018 19:03, Amit pasari wrote:
> Dear Walter
> I have tried with both SHA1 and SHA256 cert .
>
> Sent from my iPhone
>
> On Jun 26, 2018, at 9:43 PM, Walter H. wrote:
>> On 26.06.2018 17:22, Amit Pasari - XS INFOSOL Inc. USA wrote:
>>> I am using squid in transparent mode . Everything working fine in
>>> Firefox and IE after i have imported the certificate in both the
>>> browser  , but in Chrome 67 version on Windows 10 i am facing the
>>> below issue
>>>
>>> NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM
>>>
>>> When i open https://facebook.com , https://linkedin.com etc .
>>>
>>> I am clueless on the same now .
>>>
>>> Amit
>>
>> Have you generated a SHA1 or SHA-256 certificate?
>>
>> Walter


can you try this:

sslproxy_cert_sign_hash sha256

and use a SHA-256  certificate

Walter




Re: [squid-users] Chrome 67 Issue with SSL Bump

2018-06-26 Thread Amit Pasari - XS INFOSOL Inc. USA
Let me try the below solution, but if that's the case it shouldn't work
with other browsers as well; what I think is Chrome is either not
reading my cert or rejecting it.

Unsure.

Amit

On 6/26/18 10:38 PM, Walter H. wrote:
> On 26.06.2018 19:03, Amit pasari wrote:
>> Dear Walter
>> I have tried with both SHA1 and SHA256 cert .
>>
>> Sent from my iPhone
>>
>> On Jun 26, 2018, at 9:43 PM, Walter H. wrote:
>>> On 26.06.2018 17:22, Amit Pasari - XS INFOSOL Inc. USA wrote:
>>>> I am using squid in transparent mode . Everything working fine in
>>>> Firefox and IE after i have imported the certificate in both the
>>>> browser  , but in Chrome 67 version on Windows 10 i am facing the
>>>> below issue
>>>>
>>>> NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM
>>>>
>>>> When i open https://facebook.com , https://linkedin.com etc .
>>>>
>>>> I am clueless on the same now .
>>>>
>>>> Amit
>>>
>>> Have you generated a SHA1 or SHA-256 certificate?
>>>
>>> Walter
>
> can you try this:
>
> sslproxy_cert_sign_hash sha256
>
> and use a SHA-256  certificate
>
> Walter





Re: [squid-users] Chrome 67 Issue with SSL Bump

2018-06-27 Thread Amit Pasari - XS INFOSOL Inc. USA

On 6/27/18 11:20 PM, Amit Pasari - XS INFOSOL Inc. USA wrote:

Dear Walter ,

I use

sslproxy_cert_sign_hash sha256

and use a SHA-256  certificate

The result is still the same .

"NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM"

Also one more thing: when I open yahoo.com with any of those
certificates in Chrome, the content of Yahoo comes inline, i.e. without
any CSS etc.


One more strange thing I noticed: when I browse using Firefox,
Safari, IE, all URLs are coming in squid/access.log, whereas when I
use Chrome only a few IPs come in the access logs with CONNECT on 443.


I also noticed with using Chrome the below type of requests:
POST http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-certs



Amit


On 6/26/18 11:25 PM, Amit Pasari - XS INFOSOL Inc. USA wrote:
> Let me try the below solution , but if thats the case it shouldn't
> work with other browsers as well  , what i think is chrome is either
> not reading my cert or rejecting it .
>
> Unsure .
>
> Amit
>
> On 6/26/18 10:38 PM, Walter H. wrote:
>> On 26.06.2018 19:03, Amit pasari wrote:
>>> Dear Walter
>>> I have tried with both SHA1 and SHA256 cert .
>>>
>>> Sent from my iPhone
>>>
>>> On Jun 26, 2018, at 9:43 PM, Walter H. wrote:
>>>> On 26.06.2018 17:22, Amit Pasari - XS INFOSOL Inc. USA wrote:
>>>>> I am using squid in transparent mode . Everything working fine in
>>>>> Firefox and IE after i have imported the certificate in both the
>>>>> browser  , but in Chrome 67 version on Windows 10 i am facing the
>>>>> below issue
>>>>>
>>>>> NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM
>>>>>
>>>>> When i open https://facebook.com , https://linkedin.com etc .
>>>>>
>>>>> I am clueless on the same now .
>>>>>
>>>>> Amit
>>>>
>>>> Have you generated a SHA1 or SHA-256 certificate?
>>>>
>>>> Walter
>>
>> can you try this:
>>
>> sslproxy_cert_sign_hash sha256
>>
>> and use a SHA-256  certificate
>>
>> Walter




Re: [squid-users] Chrome 67 Issue with SSL Bump

2018-06-27 Thread Amos Jeffries
On 28/06/18 05:55, Amit Pasari - XS INFOSOL Inc. USA wrote:
> On 6/27/18 11:20 PM, Amit Pasari - XS INFOSOL Inc. USA wrote:
>> Dear Walter ,
>>
>> I use
>>
>> sslproxy_cert_sign_hash sha256
>>
>> and use a SHA-256  certificate
>>
>> The result is still the same .
>>  
>> "NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM"


Based on 

v67 may have moved on to SHA-512 now, or this site be using SHA-386.


Is there any way you can debug *which* certificate in the certificate
chain is producing that error?
 It could be the server cert, or an intermediary, or the root CA.

Also, there are other uses of signatures in TLS/SSL that you could
check. eg the signature on serverHello messages. The error does point at
certs, but all Browsers have a history of wrongly re-using error
messages for only slightly related things at times if their translators
did not produce new texts fast enough for their release cycle.


>>
>> Also one more thing , when i open yahoo.com with any of those
>> certificates in CHROME , the content of yahoo comes inline i,e without
>> any CSS etc ...
>>

This may be a side effect of the same issue affecting separate
connections those background objects are fetched over. OR, it could be
something completely unrelated. They are not user-visible so error
messages are not as clearly "in your face".
 Either way concentrate on one problem at a time.


>> One more strange thing i noticed , when i browse using Firefox ,
>> safari , IE , all URLs are coming in squid/access.log where as when i
>> use CHROME only few IPs comes in access logs with CONNECT on 443 .


Not strange at all. Different browsers/clients do different things. You
only get the decrypted messages if you successfully decrypted them.


>>
>> I also noticed with using CHROME the below type of requests :
>> POST
>> http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-certs
>>

I suggest you look that domain and/or URL up. What it's used for impacts
your ability to perform SSL-Bump.

Amos
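
One way to answer the question above about which certificate in the chain carries the weak signature is to read each certificate's outer signatureAlgorithm field from a PEM bundle. This is an added example, not part of the original thread and not Squid code; the function names are illustrative and SAMPLE_CHAIN is built from constructed DER skeletons rather than real certificates.

```python
import base64
import re

# Outer signatureAlgorithm OIDs (RFC 3279 / RFC 4055) -> (name, is_weak)
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear ends the current arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def cert_sig_oid(der):  # Certificate ::= SEQUENCE { tbs, signatureAlgorithm, sig }
    _, body, _ = read_tlv(der, 0)        # outer Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, body)  # step over tbsCertificate
    _, alg, _ = read_tlv(der, tbs_end)   # AlgorithmIdentifier SEQUENCE
    tag, start, end = read_tlv(der, alg)
    if tag != 0x06:
        raise ValueError("expected an OID inside signatureAlgorithm")
    return decode_oid(der[start:end])

def audit_chain(pem_text):  # -> [(index, algorithm, is_weak)]; is_weak None if unknown
    oids = [cert_sig_oid(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]
    return [(i,) + SIG_ALGS.get(o, (o, None)) for i, o in enumerate(oids)]

def make_skeleton(last):  # constructed input: minimal DER skeleton, not a real certificate
    alg = b"\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01" + bytes([last]) + b"\x05\x00"
    der = b"\x30\x18\x30\x03\x02\x01\x01" + alg + b"\x03\x02\x00\x00"
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

SAMPLE_CHAIN = make_skeleton(11) + make_skeleton(5)  # constructed: leaf SHA-256, issuer SHA-1
```

To check a live chain, pass the PEM text saved from `openssl s_client -showcerts` run through the proxy; index 0 is the leaf certificate presented to the client.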