Bug #6562
closed
Bug/Wrong description in the squid settings
Description
I think there is a wrong description or maybe a bug in the "certificate adapt" option in the squid https settings. Here is a screenshot (not taken by me, so please ignore the arrows; screenshot is also attached): http://docs.diladele.com/_images/sslmitm.png
When I check the option "Sets CN property" (so it's blue marked) the browser thinks that certificates with a wrong hostname are valid. When I uncheck the option the browser blocks the request. I think this is not how this option should work. I tested it with this page: https://wrong.host.badssl.com/
Updated by Richard Eberhard over 8 years ago
Screenshot Author: http://docs.diladele.com/
Updated by Kill Bill about 8 years ago
Sorry, but browser thinking a certificate is valid when it's not is NOT a Squid issue. Stop doing HTTPS MITM if you have concerns that you make users accept invalid certs.
Please, close this.
Updated by Jim Pingle about 8 years ago
- Status changed from New to Not a Bug
- Priority changed from High to Normal
Updated by Richard Eberhard about 8 years ago
Kill Bill wrote:
> Sorry, but browser thinking a certificate is valid when it's not is NOT a Squid issue. Stop doing HTTPS MITM if you have concerns that you make users accept invalid certs.
> Please, close this.
You misunderstood me. "Sets CN property" (checked) should do the following: send the CN property to the browser so the browser can decide if the cert is valid. But it does the OPPOSITE. If you CHECK the option, squid DOES NOT send the CN property to the browser. If you SET this property, squid sets its own CN property so the browser CAN'T decide if the cert is valid. Squid also DOESN'T BLOCK INVALID CERTS then.
Updated by Kill Bill about 8 years ago
Yes, set CN property surprisingly sets CN property. Sigh. Because that's exactly the purpose of the feature. Set != send. Once again, stop doing transparent SSL proxy if you have issues with features that are designed to make it work.