Thanks Alex, i think i know why now after further digging

when i don't add it to the white list i can't view the website (obviously) but can see the cert is provided by my squid (default company ltd)...i was lazy creating it but can't view the cert

when i add it to the white list, i can view the website and the cert info and it's def from my squid cert (default company ltd) as i see the valid dates ie before and after

i think i need to relax the ciphers in my squid.conf as some other https websites i get the error page and i don't get the cert error message

do you think relaxing the ciphers will work?

On Wed, 19 May 2021, 19:12 Alex Rousskov, <rouss...@measurement-factory.com> wrote:

> On 5/19/21 10:41 AM, robert k Wild wrote:
> > ok i found out what the error is
> >
> > it's because in my squid.conf, i have a whitelist file
> >
> > #HTTP_HTTPS whitelist websites
> > acl whitelist ssl::server_name "/usr/local/squid/etc/urlwhite.txt"
> > http_access allow activation whitelist
> > http_access deny all
> >
> > once i added the url to that file, it worked
> >
> > but surely, instead of giving me an error saying
> >
> > secure connection failed
> > Error code: SEC_ERROR_BAD_SIGNATURE
> >
> > it should be the default error ie
> >
> > The following error was encountered while trying to retrieve the URL:
> > https://blah.blah <https://blah.blah>
> >
> > Access Denied.
> >
> > how can i change this please
>
> The answer depends on _why_ you get that SEC_ERROR_BAD_SIGNATURE error.
>
> If Squid does not have enough information to properly bump your client
> connection, then there may be no bumping-based solution at all (e.g.
> when the client is using certificate pinning), or you would have to bump
> at step2 when more information is available to Squid (to generate a
> better fake certificate).
>
> For the next step, try comparing the fake certificate that causes
> SEC_ERROR_BAD_SIGNATURE with the fake same-site certificate that works
> after you whitelist the problematic site. The browser should allow you
> to view both certificates. You can download them and use certificate
> printing tools like "openssl x509 -noout -text -in ..." to compare two
> certificate printouts.
>
> HTH,
>
> Alex.
>
> > On Wed, 19 May 2021 at 13:54, robert k Wild wrote:
> >
> > hi all,
> >
> > i have squid 4.15
> >
> > i have imported my self signed cert on firefox and now i can access
> > https website (whereas before i got a software is preventing this
> > website from opening)
> >
> > but on some websites i get an error saying
> >
> > secure connection failed
> > Error code: SEC_ERROR_BAD_SIGNATURE
> >
> > i attach my ssl bump conf in my squid.conf file
> >
> > #SSL Bump
> > http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem
> > generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> > cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
> > sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s
> > /var/lib/ssl_db -M 4MB
> > acl step1 at_step SslBump1
> > ssl_bump peek step1
> > ssl_bump bump all
> >
> > is there anything wrong you can see, i have tried to make a new CA
> > but error still occurs
> >
> > thanks,
> > rob
> >
> > --
> > Regards,
> >
> > Robert K Wild.
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
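
The certificate comparison Alex suggests in the quoted reply, as an added example that is not part of the original thread: a shell script that reduces two saved certificates to the fields worth comparing and diffs them. The function names, file names, subjects and demo CA are constructed for the example, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the thread): compare two saved certificates.
# Function names, file names and subjects are constructed for the demo.

# Reduce "openssl x509 -noout -text" output to the fields that usually
# differ between two generated certificates for the same site.
cert_summary() {
    openssl x509 -noout -text -in "$1" |
        grep -E 'Signature Algorithm:|Issuer:|Subject:|Not Before|Not After|Public-Key:' |
        sed 's/^ *//' | sort -u
}

# Print only the summary lines that differ; return 0 if none, 1 otherwise.
compare_certs() {
    a=$(mktemp); b=$(mktemp); rc=0
    cert_summary "$1" > "$a"
    cert_summary "$2" > "$b"
    diff "$a" "$b" || rc=$?
    rm -f "$a" "$b"
    return "$rc"
}

# Constructed sample input: one demo CA and one CSR, signed twice with
# different digests so the two leaf certificates differ in one field.
make_demo_certs() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Constructed Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=site.example" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    for md in sha256 sha384; do
        openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" \
            -CAkey "$d/ca.key" -CAcreateserial -"$md" -days 1 \
            -out "$d/$md.pem" 2>/dev/null
    done
}

demo=$(mktemp -d)
make_demo_certs "$demo"
compare_certs "$demo/sha256.pem" "$demo/sha384.pem" ||
    echo "certificates differ in the fields above"
rm -rf "$demo"
```

With real data, pass the two certificates exported from the browser to `compare_certs` in place of the demo files.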