Hello everyone,
It also may be you are using old Squid that does not support signing faked
certificate with algorithm other than SHA-1 (because it was hardcoded at that
time). This is the case of Squid 3.3.8 usually present in stable Ubuntu 14 LTS
and CentOS 7.
In order to fix it you either need to go to most recent Squid (preferred) or
recompile your Squid after applying a small patch like the following:
--- gadgets.cc 2013-07-13 15:25:14.000000000 +0200
+++ gadgets.cc.new 2015-11-09 23:00:47.591124352 +0100
@@ -389,9 +389,9 @@
/*Now sign the request */
if (properties.signAlgorithm != Ssl::algSignSelf &&
properties.signWithPkey.get())
- ret = X509_sign(cert.get(), properties.signWithPkey.get(), EVP_sha1());
+ ret = X509_sign(cert.get(), properties.signWithPkey.get(),
EVP_sha256());
else //else sign with self key (self signed request)
- ret = X509_sign(cert.get(), pkey.get(), EVP_sha1());
+ ret = X509_sign(cert.get(), pkey.get(), EVP_sha256());
if (!ret)
return false;
There is doc article and repo that has it all explained:
http://docs.diladele.com/administrator_guide_4_4/install/ubuntu14/squid.html
https://github.com/ra-at-diladele-com/qlproxy_external/tree/master/src/va/scripts.ubuntu14
But please take it with a huge grain of salt if you can.
Best regards,
Rafael Akchurin
Diladele B.V.
http://www.quintolabs.com
http://www.diladele.com
--
Please take a look at Web Safety - our ICAP based web filter server for Squid
proxy.
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf
Of Diogenes S. Jesus
Sent: Thursday, September 1, 2016 11:37 AM
To: Alex Rousskov <rouss...@measurement-factory.com>
Cc: squid-users@lists.squid-cache.org; erdosain9 <erdosa...@gmail.com>
Subject: Re: [squid-users] HTTPS chrome - SHA1 this page is insecure
The answer why you only see it on Chrome is because since Chrome >= 41:
"Sites with end-entity certificates that expire on or after 1 January 2017, and
which include a SHA-1-based signature as part of the certificate chain, will be
treated as “affirmatively insecure”. Subresources from such domain will be
treated as “active mixed content”."
Source: https://security.googleblog.com/2014/09/gradually-sunsetting-sha-1.html
Best regards
On Wed, Aug 31, 2016 at 5:24 PM, Alex Rousskov
<rouss...@measurement-factory.com<mailto:rouss...@measurement-factory.com>>
wrote:
On 08/31/2016 09:15 AM, Amos Jeffries wrote:
> On 1/09/2016 2:26 a.m., erdosain9 wrote:
>> Hi.
>> Im using ssl-bump.. all ir working fine, but i want to know if it is
>> possible that which is not seen crossed out and red "https".
>> This happen just in Chrome
>> This page is insecure (broken HTTPS)
>> SHA-1 Certificate
>> The certificate for this site expires in 2017 or later, and the certificate
>> chain contains a certificate signed using SHA-1.
Sounds like you are running an old Squid version.
> This requires changes to the certificate generator used by SSL-Bump.
> IIRC there were some patches, but I can't find them right now in the
> changesets. If the issue exists in current releases then please ask on
> squid-dev.
See http://www.squid-cache.org/Doc/config/sslproxy_cert_sign_hash/
> Of course, its possible the site realy does have a SHA1 certificate and
> Squid is just passing on the real details. The mimic feature is designed
> to ensure TLS is actually transparent as best we can manage.
I have not checked, but I doubt we mimic the signing algorithm (because
it would make client-Squid communication less secure?). If we do, we
should update the wiki page that lists what is being mimicked.
HTH,
Alex.
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org<mailto:squid-users@lists.squid-cache.org>
http://lists.squid-cache.org/listinfo/squid-users
--
--------
Diogenes S. de Jesus
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
