Re: [squid-users] SSL-bump certificate issue?

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Fri, 18 Oct 2013 00:13:47 +0300

I am trying to run some tests around these issues, so if you do have any
tests that should be done I would be very happy to test the issues.

And I searched a couple of other things and it is not clear yet what is the
reason for all, but the next Firefox extension helps a lot:
https://addons.mozilla.org/en-US/firefox/addon/skip-cert-error/

It has an option to avoid specific certs which are trusted if the rootCA
certificate was not compromised yet... as a fact.
This is one reason to renew the certs every once in a while.

Eliezer

On 10/16/2013 08:11 AM, Eliezer Croitoru wrote:
> I have two servers on two different networks which use ssl-bump.
> They have different root-CA that was created on two different machines.
> Both of them were installed into Firefox and now I am getting a warning
> about the certificate but only on one machine, while using the other
> works fine.
> So I am not sure what the source of the problem is and how to solve it.
> How would I start debugging it at all?
>
> The error message details from Firefox:
> #START
> This Connection is Untrusted
>
> You have asked Firefox to connect securely to mail.google.com, but we
> can't confirm that your connection is secure.
>
> Normally, when you try to connect securely, sites will present trusted
> identification to prove that you are going to the right place. However,
> this site's identity can't be verified.
> What Should I Do?
>
> If you usually connect to this site without problems, this error could
> mean that someone is trying to impersonate the site, and you shouldn't
> continue.
>
> mail.google.com uses an invalid security certificate. The certificate is
> not trusted because it was issued by an invalid CA certificate. (Error
> code: sec_error_inadequate_key_usage)
>
> If you understand what's going on, you can tell Firefox to start
> trusting this site's identification. Even if you trust the site, this
> error could mean that someone is tampering with your connection.
>
> Don't add an exception unless you know there's a good reason why this
> site doesn't use trusted identification.
> ##END
>
> Thanks,
> Eliezer
Received on Thu Oct 17 2013 - 21:14:02 MDT

This archive was generated by hypermail 2.2.0 : Fri Oct 18 2013 - 12:00:07 MDT