I use Squid 3.5 with its sslbump feature for HTTPS traffic filtering. I generated my private key and cert files with openssl. However, the browser received the warning message when I open HTTPS websites that the certificate was issued by an unknown authority. I created SSL certificates with Comodo but I still got the same warning message.

Is there a way to remove this warning?

```
# Squid normally listens to port 3128
http_port 3128 ssl-bump cert=/var/tmp/example.com.cert key=/var/tmp/example.com.private

# Squid listen Port
cert=/var/tmp/example.com.cert
# SSL Bump Config
always_direct allow all
ssl_bump server-first all

url_rewrite_program /usr/bin/sh /var/tmp/middle_squid_wrapper.sh start -C /var/tmp/middle_squid_config.rb

# required to fix HTTPS sites (if SslBump is enabled)
acl fix_ssl_rewrite method GET
acl fix_ssl_rewrite method POST
url_rewrite_access allow fix_ssl_rewrite
url_rewrite_access deny all
```

vaj oja
    Can you show us the config you're using? – Alex Jun 14 '15 at 07:26
    I added the squid configurations. – vaj oja Jun 15 '15 at 04:43
    The idea is that you give squid a root certificate, with which it will generate certificates for the proxied sites. If that certificate is not trusted by your clients, you will always get a warning. Maybe having the certificate signed by Comodo will help, but then you probably need to add the Comodo certificates used to sign yours to your cert file as well. – marcolz Jun 18 '15 at 11:59

1 Answer

You don't say what client OS you are using, but it sounds very much like you didn't import your squid certificate to the correct certificate store on the client.

When you install the certificate on a Windows client it should be imported into the 'Trusted Root Certificate Authorities' -> 'Certificates' folder.

The client should then trust the certificate.

user3788685
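
The trust relationship described in the comment and answer above, as an added example that is not part of the original post: it uses openssl to build a demo signing CA (standing in for the one Squid is configured with), mints a site certificate from it the way the proxy does, and shows that the site certificate verifies only for a client that holds that CA as a trusted root. All file names, subject names and helper functions are constructed for the demo.

```shell
#!/bin/sh
# Added example: every file name and subject below is constructed for the demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed signing CA, the kind of cert ssl-bump mints site certs with.
make_ca() {   # $1 = output basename, $2 = CN
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3' 'prompt=no' \
        '[dn]' "CN=$2" '[v3]' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' > "$WORK/$1.cnf"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$WORK/$1.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Issue a per-site certificate signed by CA $1 for host $2, as the proxy does on the fly.
mint_site_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/$1.cnf" -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" > "$WORK/$2.ext"
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 7 -extfile "$WORK/$2.ext" -out "$WORK/$2.pem" 2>/dev/null
}

# True if the certificate may sign other certificates (basicConstraints CA:TRUE).
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# True if a client whose only added trusted root is $1 accepts certificate $2.
client_trusts() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

make_ca bump   "Demo Squid Bump CA"   # what Squid is configured with
make_ca public "Demo Public Root"     # stands in for the client's stock trust store
mint_site_cert bump www.example.org

is_ca "$WORK/bump.pem" && echo "bump.pem is a CA certificate"
is_ca "$WORK/www.example.org.pem" || echo "site cert is a leaf, it cannot sign for Squid"
client_trusts "$WORK/public.pem" "$WORK/www.example.org.pem" \
    || echo "before import: issued by an unknown authority"
client_trusts "$WORK/bump.pem" "$WORK/www.example.org.pem" \
    && echo "after importing bump.pem as a trusted root: verifies"
```

Running `is_ca` against the file named in Squid's `cert=` option shows whether it is a signing certificate at all or an ordinary server certificate.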