Hello,
I have a working setup with Squid 4.14 and SSL-Bump enabled under Debian Buster.
But when I try destinations like https://1.1.1.1/, I get an error:
ERR_CERT_COMMON_NAME_INVALID
The alternate DNS names in the certificate of the original web server are:
X509v3 Subject Alternative Name:
DNS:cloudflare-dns.com, DNS:*.cloudflare-dns.com, DNS:one.one.one.one, IP Address:1.1.1.1, IP Address:1.0.0.1, IP Address:162.159.36.1, IP Address:162.159.46.1, IP Address:2606:4700:4700:0:0:0:0:1111, IP Address:2606:4700:4700:0:0:0:0:1001, IP Address:2606:4700:4700:0:0:0:0:64, IP Address:2606:4700:4700:0:0:0:0:6400
For the client using the proxy with SSL-Bump it looks like:
X509v3 Subject Alternative Name:
DNS:1.1.1.1
So the SAN is a DNS entry and not an IP Address one.
I think it has to be something like this:
X509v3 Subject Alternative Name:
IP Address:1.1.1.1
Can someone confirm this, or might I have a mistake in my Squid configuration?
Here are some SSL-Bump related details of my config:
http_port MYIP:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cert.pem key=/etc/squid/key.pem tls-dh=/etc/squid/dhparams.pem
http_port MYIP:8880 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cert.pem key=/etc/squid/key.pem tls-dh=/etc/squid/dhparams.pem
sslcrtd_program /usr/sbin/security_file_certgen -s /var/cache/squid/sslcert_db -M 32MB
sslcrtd_children 32 startup=10 idle=3
tls_outgoing_options capath=/etc/ssl/certs min-version=1.2
ssl_bump peek step1
ssl_bump stare all
ssl_bump bump all
--
Regards
Dieter
--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
_______________________________________________
squid-users mailing list
[email protected]
http://lists.squid-cache.org/listinfo/squid-users
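An offline check of the mismatch described in the post, added here as an example and not part of Dieter's message or of Squid's code: it parses SAN lines in the format `openssl x509 -text` prints (the two values below are constructed from the certificates quoted above) and applies the client-side rule that an IP-literal target is satisfied only by an "IP Address" entry, never by a "DNS" entry that spells out the address. The function and variable names are assumptions of this example.

```python
import ipaddress

# SAN values constructed from the two certificates quoted in the post.
ORIGIN_SAN_TEXT = (
    "DNS:cloudflare-dns.com, DNS:*.cloudflare-dns.com, DNS:one.one.one.one, "
    "IP Address:1.1.1.1, IP Address:1.0.0.1, IP Address:162.159.36.1, "
    "IP Address:2606:4700:4700:0:0:0:0:1111"
)
BUMPED_SAN_TEXT = "DNS:1.1.1.1"  # what the ssl-bump generated leaf carried


def parse_san_text(text):
    """Turn the SAN value as printed by `openssl x509 -text` into
    (type, value) tuples, the shape ssl.getpeercert()['subjectAltName'] uses.
    Only the first ':' separates type from value, so IPv6 literals survive."""
    entries = []
    for item in text.split(","):
        kind, _, value = item.strip().partition(":")
        entries.append((kind, value.strip()))
    return entries


def _dns_match(pattern, host):
    # RFC 6125 style wildcard: a leading '*' covers exactly one label.
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def san_matches(target, san_entries):
    """True if `target` (hostname or IP literal) is covered by the SAN list.
    An IP literal is satisfied only by an 'IP Address' entry; a 'DNS' entry
    that merely spells the address out is ignored, which is why a browser
    rejects the bumped certificate for https://1.1.1.1/."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue  # malformed IP entry: skip rather than match
        elif ip is None and kind == "DNS" and _dns_match(value, target):
            return True
    return False
```

Running `san_matches("1.1.1.1", parse_san_text(BUMPED_SAN_TEXT))` returns False while the same call against `ORIGIN_SAN_TEXT` returns True, reproducing the ERR_CERT_COMMON_NAME_INVALID outcome without a network connection.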