[openssl-users] Strange behaviour with Chrome (client OS = WinXP x64) ...
Walter.H at mathemainzel.info
Sun Feb 1 17:48:24 UTC 2015
can someone please try the following website with Google Chrome - I use
the latest release: Version 39.0.2171.99 m -
https://banking.ing-diba.at/ (an electronic Banking site)
with the following policy enabled:
RequireOnlineRevocationChecksForLocalAnchors = 1
with this banking site I get the following error from Google Chrome
"Your connection is not private
Attackers might be trying to steal your information from
banking.ing-diba.at (for example, passwords, messages, or credit cards)."
with the following banking sites of other banks I have no troubles:
without enabling the policy above or not setting at all, this banking
site works, but
the symbol it shows differs; it is the same as if a man-in-the-middle
like SSL-Bump would be between;
Google chrome uses the same cert store as IE, and with IE there is no
only another thing the banking site is telling: the browser is out
dated, of course IE 7
the IE even shows a green bar when connecting to this banking site ...
can someone please tell me what is there special with this banking
site: https://banking.ing-diba.at/ ?
I'm using SSL bump with the exception of banking sites, the specific
part of the squid.conf
looks like this:
acl ssl_bump_domains_bankingsites dstdomain banking.raiffeisen.at
banking.ing-diba.at ebanking.easybank.at services.kepler.at
acl ssl_bump_domains_msftupdates dstdomain .update.microsoft.com
ssl_bump none ssl_bump_domains_bankingsites
ssl_bump none ssl_bump_domains_msftupdates
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_options NO_SSLv2 NO_SSLv3
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/local/squid/ssl_db -M 16MB
http_port 3128 ssl-bump generate-host-certificates=on
# squid.pem contains both cert+key
I'm using my own CA, this means this SSL-bump CA cert is signed by my
root CA certificate;
what is missing, wrong, ... so that this one banking site will work ...?
the SSL-bump CA certificate contain this:
Authority Information Access:
OCSP - URI:#url-to-ocsp#
CA Issuers - URI:#url-to-root-cert#
X509v3 CRL Distribution Points:
everything is working, the OCSP, the root-cert, and the CRL ...
what causes Google Chrome producing the mentioned error above, when
activating this mentioned policy?
the question to squid specialists: was it a good idea signing the
SSL-bump CA certificate with the root certificate of my CA?
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 5971 bytes
Desc: S/MIME Cryptographic Signature
More information about the openssl-users