Opera (Win7SP1-x64) not connecting to google.com because of "HSTS"?

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|

Opera (Win7SP1-x64) not connecting to google.com because of "HSTS"?

L. A. Walsh
I've seen this before w/google in Opera -- but it doesn't seem
 to happen with IE or Palemoon (both going through my SSL-bumping proxy).
Even my housemate, going through the proxy using Chrome doesn't
get this error (it also uses the system cert location).

When I bring up the security dialog in Opera, it brings up the same
dialog I see under the Win Control Panel under Internet Settings,
the "Content" tab -- where I see Certificates.  My proxy cert is listed
under the Trusted Root Cert Authorities.


So why is Opera failing when going to google.com?
Ideas?

Thanks!
Linda




  Your connection is not private

This server could not prove that it is *www.google.com*; its security
certificate does not specify Subject Alternative Names. This may be
caused by a misconfiguration or an attacker intercepting your connection.

You cannot proceed because the website operator has requested heightened
security for this domain.

Back to safety


        Help me understand

When you connect to a secure website, the server hosting that site
presents your browser with something called a "certificate" to verify
its identity. This certificate contains identity information, such as
the address of the website, which is verified by a third party that your
computer trusts. By checking that the address in the certificate matches
the address of the website, it is possible to verify that you are
securely communicating with the website you intended, and not a third
party (such as an attacker on your network).

You cannot visit www.google.com right now because the website uses HSTS.
Network errors and attacks are usually temporary, so this page will
probably work later.

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Opera (Win7SP1-x64) not connecting to google.com because of "HSTS"?

Yuri Voinov


23.10.2017 23:51, L A Walsh пишет:

> I've seen this before w/google in Opera -- but it doesn't seem
> to happen with IE or Palemoon (both going through my SSL-bumping proxy).
> Even my housemate, going through the proxy using Chrome doesn't
> get this error (it also uses the system cert location).
> When I bring up the security dialog in Opera, it brings up the same
> dialog I see under the Win Control Panel under Internet Settings,
> the "Content" tab -- where I see Certificates.  My proxy cert is
> listed under the Trusted Root Cert Authorities.
>
>
> So why is Opera failing when going to google.com?
> Ideas?
Try to add this:

# Disable HSTS
reply_header_access Strict-Transport-Security deny all
reply_header_replace Strict-Transport-Security max-age=0; includeSubDomains

in your config.

>
> Thanks!
> Linda
>
>
>
>
>  Your connection is not private
>
> This server could not prove that it is *www.google.com*; its security
> certificate does not specify Subject Alternative Names. This may be
> caused by a misconfiguration or an attacker intercepting your connection.
>
> You cannot proceed because the website operator has requested
> heightened security for this domain.
>
> Back to safety
>
>
>        Help me understand
>
> When you connect to a secure website, the server hosting that site
> presents your browser with something called a "certificate" to verify
> its identity. This certificate contains identity information, such as
> the address of the website, which is verified by a third party that
> your computer trusts. By checking that the address in the certificate
> matches the address of the website, it is possible to verify that you
> are securely communicating with the website you intended, and not a
> third party (such as an attacker on your network).
>
> You cannot visit www.google.com right now because the website uses
> HSTS. Network errors and attacks are usually temporary, so this page
> will probably work later.
>
> _______________________________________________
> squid-users mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-users
--
**************************
* C++: Bug to the future *
**************************


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

0x3E3743A7.asc (2K) Download Attachment
signature.asc (673 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Opera (Win7SP1-x64) not connecting to google.com because of "HSTS"?

L. A. Walsh
Yuri wrote:
>
> Try to add this:
>
> # Disable HSTS
> reply_header_access Strict-Transport-Security deny all
> reply_header_replace Strict-Transport-Security max-age=0; includeSubDomains
>  

Sorry, but no difference.

I placed them between these keywords -- just above the request_header_add
comment (if that makes any difference).



#  TAG: reply_header_replace
#        Usage:   reply_header_replace header_name message
#        Example: reply_header_replace Server Foo/1.0
#
#        This option allows you to change the contents of headers
#        denied with reply_header_access above, by replacing them
#        with some fixed string.
#
#        This only applies to reply headers, not request headers.
#
#        By default, headers are removed if denied.
#Default:
# none

#Disable HSTS

reply_header_access Strict-Transport-Security deny all
reply_header_replace Strict-Transport-Security max-age=0; includeSubDomains

#  TAG: request_header_add
#    Usage:   request_header_add field-name field-value acl1 [acl2] ...
#    Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all
#

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Opera (Win7SP1-x64) not connecting to google.com because of "HSTS"?

Yuri Voinov
Sadly, I have no Opera to test. This works perfectly with
Chrome/Firefox. Of course, it is require to reconfigure squid ;)


24.10.2017 4:12, L A Walsh пишет:

> Yuri wrote:
>>
>> Try to add this:
>>
>> # Disable HSTS
>> reply_header_access Strict-Transport-Security deny all
>> reply_header_replace Strict-Transport-Security max-age=0;
>> includeSubDomains
>>  
>
> Sorry, but no difference.
>
> I placed them between these keywords -- just above the request_header_add
> comment (if that makes any difference).
>
>
>
> #  TAG: reply_header_replace
> #        Usage:   reply_header_replace header_name message
> #        Example: reply_header_replace Server Foo/1.0
> #
> #        This option allows you to change the contents of headers
> #        denied with reply_header_access above, by replacing them
> #        with some fixed string.
> #
> #        This only applies to reply headers, not request headers.
> #
> #        By default, headers are removed if denied.
> #Default:
> # none
>
> #Disable HSTS
>
> reply_header_access Strict-Transport-Security deny all
> reply_header_replace Strict-Transport-Security max-age=0;
> includeSubDomains
>
> #  TAG: request_header_add
> #    Usage:   request_header_add field-name field-value acl1 [acl2] ...
> #    Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all
> #
>
> _______________________________________________
> squid-users mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-users
--
**************************
* C++: Bug to the future *
**************************


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

0x3E3743A7.asc (2K) Download Attachment
signature.asc (673 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Opera (Win7SP1-x64) not connecting to google.com because of "HSTS"?

L. A. Walsh
Yuri wrote:
> Sadly, I have no Opera to test. This works perfectly with
> Chrome/Firefox. Of course, it is require to reconfigure squid ;)
>  
----
    Well rats!.... um, it is a free download for Win/Mac & Linux
@ http://www.opera.com/computer. :~)

Not sure about mobile versions...

    I don't use it as a mainstay, but I like to have at least 2-4
different browsers to try things on.  Opera is pretty fast though
not very easy to customize.  ;-/ (even customizing security seems
to be a problem at times... ;-)).  I do have both FF and IE
working on google ... I'm a bit wary of google -- it tends to
swamp my computer when it starts (and the more resources it takes,
the more I like to shut it down when I do something else), not to
mention they have too many ways to get my data now as it is.  ;-)

-linda

   

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Opera (Win7SP1-x64) not connecting to google.com because of "HSTS"?

Yuri Voinov
Waaaaaaaaa, I dont like to make zoo on my laptop...... It is not
softwarehouse, and, of course, not in junk dump ;)

Well, may be test now on my remote station behind proxy. It is junk dump
as well. :)

24.10.2017 5:28, L A Walsh пишет:

> Yuri wrote:
>> Sadly, I have no Opera to test. This works perfectly with
>> Chrome/Firefox. Of course, it is require to reconfigure squid ;)
>>  
> ----
>    Well rats!.... um, it is a free download for Win/Mac & Linux
> @ http://www.opera.com/computer. :~)
>
> Not sure about mobile versions...
>    I don't use it as a mainstay, but I like to have at least 2-4
> different browsers to try things on.  Opera is pretty fast though
> not very easy to customize.  ;-/ (even customizing security seems
> to be a problem at times... ;-)).  I do have both FF and IE
> working on google ... I'm a bit wary of google -- it tends to
> swamp my computer when it starts (and the more resources it takes,
> the more I like to shut it down when I do something else), not to
> mention they have too many ways to get my data now as it is.  ;-)
>
> -linda
>
>  
> _______________________________________________
> squid-users mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-users
--
**************************
* C++: Bug to the future *
**************************


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

0x3E3743A7.asc (2K) Download Attachment
signature.asc (673 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Opera (Win7SP1-x64) not connecting to google.com because of "HSTS"?

Yuri Voinov
In reply to this post by L. A. Walsh
https://i.imgur.com/oNbX7pB.png

https://i.imgur.com/x9rkaxd.png

https://i.imgur.com/97YOGjA.png

I see absolutely no problem with  Opera and HSTS via my proxy, as by as
Chrome/Firefox. As shown on screenshoots.

I see access.log entries and no errors in cache.log.

Works like charm.


24.10.2017 5:28, L A Walsh пишет:

> Yuri wrote:
>> Sadly, I have no Opera to test. This works perfectly with
>> Chrome/Firefox. Of course, it is require to reconfigure squid ;)
>>  
> ----
>    Well rats!.... um, it is a free download for Win/Mac & Linux
> @ http://www.opera.com/computer. :~)
>
> Not sure about mobile versions...
>    I don't use it as a mainstay, but I like to have at least 2-4
> different browsers to try things on.  Opera is pretty fast though
> not very easy to customize.  ;-/ (even customizing security seems
> to be a problem at times... ;-)).  I do have both FF and IE
> working on google ... I'm a bit wary of google -- it tends to
> swamp my computer when it starts (and the more resources it takes,
> the more I like to shut it down when I do something else), not to
> mention they have too many ways to get my data now as it is.  ;-)
>
> -linda
>
>  
> _______________________________________________
> squid-users mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-users
--
**************************
* C++: Bug to the future *
**************************


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

0x3E3743A7.asc (2K) Download Attachment
signature.asc (673 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Opera (Win7SP1-x64) not connecting to google.com because of "HSTS"?

L. A. Walsh
Yuri wrote:
> I see absolutely no problem with  Opera and HSTS via my proxy, as by as
> Chrome/Firefox. As shown on screenshoots.
>  
Well poo!... I see your access... but still have probs on my end.

I don't have it on IE or Pale moon.

I tried private mode on google -- same problem.

I also am trying VPN builtin to Opera -- it works.

Verifying: you didn't have to add your cert to anything for
Opera -- it just uses your Win cert store, right?

This is strange...


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Opera (Win7SP1-x64) not connecting to google.com because of "HSTS"?

Yuri Voinov


25.10.2017 8:14, L A Walsh пишет:

> Yuri wrote:
>> I see absolutely no problem with  Opera and HSTS via my proxy, as by as
>> Chrome/Firefox. As shown on screenshoots.
>>  
> Well poo!... I see your access... but still have probs on my end.
>
> I don't have it on IE or Pale moon.
>
> I tried private mode on google -- same problem.
>
> I also am trying VPN builtin to Opera -- it works.
>
> Verifying: you didn't have to add your cert to anything for
> Opera -- it just uses your Win cert store, right?
Exactly.
>
> This is strange...
>
>
> _______________________________________________
> squid-users mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-users

--
**************************
* C++: Bug to the future *
**************************


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

0x3E3743A7.asc (2K) Download Attachment
signature.asc (673 bytes) Download Attachment