Re: [squid-users] squid/sslbump + IE9

From: Sean Boran <sean_at_boran.com>
Date: Fri, 2 Dec 2011 16:16:06 +0100

Yes, it was added to the Windows cert store. (Tools > Options > Content >
Certificates > Trusted Root Certification Authorities).

Not all HTTPS websites cause errors either, e.g.
https://www.credit-suisse.com is fine.

Sean

On 2 December 2011 15:03, Guy Helmer <guy.helmer_at_palisadesystems.com> wrote:
>
> On Dec 2, 2011, at 3:52 AM, Sean Boran wrote:
>
> > Hi,
> >
> > I'm testing squid v3 with SSL interception (the interception is to do
> > AV checking with icap) in routing mode.
> > Sslbump/dynamic certs are configured. A self-signed cert is used on
> > the proxy, and installed as a ca on browsers.
> >
> > https to several sites (such as Gmail.com, boi.com) works with FF
> > (although FF is initially much slower); but gives errors in IE9
> > "Internet Explorer blocked this website from displaying content with
> > security certificate errors"
> >
> > Clicking on the lock icon shows the certificate with name
> > accounts.google.com and signed by myproxy.com, which is fine. So why
> > is IE not happy?
> >
> > In the squid logs:
> > NONE/000 0 CONNECT accounts.google.com:443 - HIER_NONE/- -
> > TCP_MISS/200 9497 GET https://accounts.google.com/ServiceLogin? -
> > HIER_DIRECT/209.85.148.84 text/html
> > NONE/000 0 CONNECT ssl.google-analytics.com:443 - HIER_NONE/- -
> > NONE/000 0 CONNECT mail.google.com:443 - HIER_NONE/- -
> > NONE/000 0 CONNECT ssl.gstatic.com:443 - HIER_NONE/- -
> > TCP_MISS/200 1301 POST
> > http://safebrowsing.clients.google.com/safebrowsing/downloads
> >
> > Is IE9 fussier than other browsers regarding SSL?
> >
> >
> > Any tips/best practices to get SSL interception running smoothly ? :-)
> >
> > Thanks,
> >
> > Sean
>
> I believe Firefox uses its own certificate store while IE uses the Windows certificate store. Was the self-signed cert added to the Windows cert store?
>
> Guy
Received on Fri Dec 02 2011 - 15:16:15 MST
