Google Chrome Error - Your Connection is not private (NET::ERR_CERT_INVALID)

Important

This article is now obsolete. Versions of Web Safety starting from 4.3 and up have this issue resolved. Latest version of Web Safety packed as virtual appliance is available from https://www.diladele.com/virtual_appliance.html

When using default Squid proxy versions 3.4 (in CentOS/RedHat 7) and 3.3 (in Debian/Ubuntu) and Google Chrome/Chrominum as web browser the following issue occurs.

After enabling HTTPS filtering and SSL decryption as indicated in Enable HTTPS Filtering in Web UI Google Chrome starts to show Your Connection is not private (NET::ERR_CERT_INVALID) error message as indicated on the following screenshot even if proxy certificate is installed as Trusted Root Certification Authority.

../../_images/chrome_not_private.png

The reason for this is simple - Squid uses default SHA-1 signing algorithm to generate mimicked certificate to perform SSL decryption. This leads to warning because of http://googleonlinesecurity.blogspot.co.uk/2014/09/gradually-sunsetting-sha-1.html.

This behavior was fixed starting from Squid 3.5.1 (see discussion at http://comments.gmane.org/gmane.comp.web.squid.devel/23450). Current version of Web Safety completely resolved all issues with SHA1 certificates and should function correctly.