Re: [squid-users] SSL-bump certificate issue?

From: Eliezer Croitoru <>
Date: Fri, 18 Oct 2013 00:13:47 +0300

I am trying to run some tests around these issues so if you do have any
tests that should be done I would be very happy to test the issues.

And I searched a couple of other things and it is not clear yet what the
reason is for all of it, but the following Firefox extension helps a lot:

It has an option to avoid specific certs which are trusted if the root CA
certificate was not compromised yet... as a fact.
This is one reason to renew the certs every once in a while.


On 10/16/2013 08:11 AM, Eliezer Croitoru wrote:
> I have two servers on two different networks which use ssl-bump.
> They have different root CAs that were created on two different machines.
> Both of them were installed into Firefox and now I am getting a warning
> about the certificate but only on one machine, while using the other
> works fine.
> So I am not sure what the source of the problem is and how to solve it.
> How would I start debugging it at all?
> The error message details from Firefox:
> This Connection is Untrusted
> You have asked Firefox to connect securely to, but we
> can't confirm that your connection is secure.
> Normally, when you try to connect securely, sites will present trusted
> identification to prove that you are going to the right place. However,
> this site's identity can't be verified.
> What Should I Do?
> If you usually connect to this site without problems, this error could
> mean that someone is trying to impersonate the site, and you shouldn't
> continue.
> uses an invalid security certificate. The certificate is
> not trusted because it was issued by an invalid CA certificate. (Error
> code: sec_error_inadequate_key_usage)
> If you understand what's going on, you can tell Firefox to start
> trusting this site's identification. Even if you trust the site, this
> error could mean that someone is tampering with your connection.
> Don't add an exception unless you know there's a good reason why this
> site doesn't use trusted identification.
> ##END
> Thanks,
> Eliezer
Received on Thu Oct 17 2013 - 21:14:02 MDT
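
The error code quoted above, sec_error_inadequate_key_usage, concerns the key usage of the issuing CA certificate, so a first debugging step is to compare the keyUsage extension of the two proxies' root CAs. The script below is an added example, not part of the original thread: it assumes the `openssl` CLI is installed, `ca_can_sign` and `make_constructed_ca` are names made up here, and the certificates it generates are constructed test input.

```shell
#!/bin/sh
# Added example: does a CA certificate's keyUsage allow it to sign certificates?

# ca_can_sign CERT.pem -> 0 if usable as an issuing CA, 1 if not, 2 on read error.
# Usable means basicConstraints CA:TRUE and, when a keyUsage extension is
# present, that it includes "Certificate Sign" (keyCertSign, RFC 5280).
ca_can_sign() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    if ! printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
        echo "$1: basicConstraints is not CA:TRUE"
        return 1
    fi
    # The line after the "X509v3 Key Usage" header lists the asserted bits.
    usage=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | tail -n 1)
    if [ -n "$usage" ] && ! printf '%s\n' "$usage" | grep -q 'Certificate Sign'; then
        echo "$1: keyUsage lacks keyCertSign:$usage"
        return 1
    fi
    echo "$1: usable as a signing CA"
}

# make_constructed_ca OUT.pem KEYUSAGE
# Writes a throwaway self-signed CA (constructed test input) with the given
# keyUsage, using a private config so system openssl.cnf defaults do not apply.
make_constructed_ca() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3' \
        'prompt = no' '[dn]' 'CN = Constructed Test CA' '[v3]' \
        'basicConstraints = critical,CA:TRUE' "keyUsage = critical,$2" > "$dir/ca.cnf"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$1" 2>/dev/null
    rc=$?
    rm -rf "$dir"
    return $rc
}

# With arguments: check the given PEM files (for example each proxy's root CA).
# Without arguments: demonstrate on two constructed CAs.
if [ "$#" -gt 0 ]; then
    for cert in "$@"; do ca_can_sign "$cert" || true; done
else
    demo=$(mktemp -d)
    make_constructed_ca "$demo/good.pem" "keyCertSign,cRLSign"
    make_constructed_ca "$demo/bad.pem" "digitalSignature,keyEncipherment"
    ca_can_sign "$demo/good.pem" || true
    ca_can_sign "$demo/bad.pem" || true
    rm -rf "$demo"
fi
```

Run it with the PEM files of both root CAs as arguments; a CA reported as lacking keyCertSign has to be regenerated with that bit set and re-imported into the browser.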
