DNS lookup of a non-existent domain name (or any other Squid error)

Important

This article is now obsolete. The latest version of the Squid proxy integrated into our Virtual Appliance correctly generates a mimicked certificate for any site, including one that does not exist. If this is not the case for you, you may need to upgrade the version of Squid you are using.

There are situations in which Squid needs to generate a mimicked certificate without ever connecting to an existing remote domain. Consider the following sequence.

  1. The user types a non-existent domain name into the browser address bar, for example “https://www.asdlajsdfl.com” (note the httpS:// scheme).

  2. Squid tries to resolve this non-existent name and, upon getting an error from the DNS server, generates a faked certificate and presents the “DNS name does not exist” error page to the browser.

  3. Unfortunately, when generating the faked certificate the subjectAltName extension is not included (see bug http://bugs.squid-cache.org/show_bug.cgi?id=4711).

  4. Chrome 58+ shows the “Your connection is not private” message with error code NET::ERR_CERT_COMMON_NAME_INVALID, missing_subjectAltName, as shown in the following screenshot.

[Screenshot chrome_alt_subj_pic1.png: Chrome's “Your connection is not private” page with error code NET::ERR_CERT_COMMON_NAME_INVALID, missing_subjectAltName]

Unfortunately, there is nothing we can do about this for now. According to http://bugs.squid-cache.org/show_bug.cgi?id=4711, the next Squid release (3.5.25+) is expected to include a fix.
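To see why items 3 and 4 above produce that Chrome error, it helps to reproduce the two cases side by side: a certificate that carries only a Common Name (what the affected Squid versions generate) and one that also carries a subjectAltName. The following is an added example, not code from this article or from the Squid project; it uses the `cryptography` library to build two self-signed test certificates for the constructed name www.asdlajsdfl.com, and a hypothetical `check_hostname` function that applies the Chrome 58+ rule: only subjectAltName dNSName entries are consulted, the Common Name is ignored, and a certificate with no subjectAltName at all fails with missing_subjectAltName. The wildcard handling is a simplified single-label match, not Chrome's full policy.

```python
"""Demonstrate the Chrome 58+ subjectAltName rule against a CN-only certificate.

Added example; the certificates, names and check_hostname() are constructed for
illustration and are not Squid's own code.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID


def make_self_signed(common_name, san_names=None):
    """Build a short-lived self-signed certificate.

    With san_names=None the certificate has a Common Name only, mimicking the
    certificate Squid generated for a non-existent domain (bug 4711).
    """
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
    )
    if san_names:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(n) for n in san_names]),
            critical=False,
        )
    return builder.sign(key, hashes.SHA256())


def san_dns_names(cert):
    """Return the dNSName entries of subjectAltName, or None if the extension is absent."""
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
    except x509.ExtensionNotFound:
        return None
    return ext.value.get_values_for_type(x509.DNSName)


def _name_matches(pattern, hostname):
    """Simplified RFC 6125 matching: exact label match or a one-label wildcard."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".")
        # The wildcard stands for exactly one label and needs at least two more.
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False


def check_hostname(cert, hostname):
    """Apply the Chrome 58+ rule and return (ok, reason).

    The Common Name is never consulted: a certificate without subjectAltName is
    rejected outright with the reason Chrome reports as missing_subjectAltName.
    """
    names = san_dns_names(cert)
    if names is None:
        return (False, "missing_subjectAltName")
    if any(_name_matches(n, hostname) for n in names):
        return (True, "san_match")
    return (False, "no_san_match")


if __name__ == "__main__":
    host = "www.asdlajsdfl.com"  # constructed non-existent name from the article
    cn_only = make_self_signed(host)
    with_san = make_self_signed(host, [host])
    print("CN only :", check_hostname(cn_only, host))
    print("with SAN:", check_hostname(with_san, host))
```

Running the block shows the CN-only certificate failing even though its Common Name is exactly the requested host, which is the situation behind NET::ERR_CERT_COMMON_NAME_INVALID; once the same name appears in subjectAltName, the check passes. The same `san_dns_names` helper can be pointed at a certificate saved from the proxy (`x509.load_pem_x509_certificate`) to confirm whether an upgraded Squid now emits the extension.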

Warning

This same Chrome error is in fact shown for any internal Squid error, because Squid needs to show a page describing that error and fails to include the subjectAltName extension in the mimicked certificate it generates for it.