Squid Proxy - SSL inspection and HSTS

Started by Reggle, February 24, 2016, 04:27:35 PM


Reggle

Hi all,

I've got a Squid proxy up and running on a Linux server with SSL inspection (so yes, a MITM). I generated a root CA cert, imported it in Chrome and Firefox and everything *was* working as expected. Every site showed my certificate except the ones I whitelisted myself.

The problem is that the next day it stops working. Every time I clear the cache and generate a new root CA and import it in the browser, it works for a day. The next day it doesn't.

Both Chrome and Firefox complain about HSTS (https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) and don't allow me access anymore. On top of that I get an error "mozilla_pkix_error_ca_cert_used_as_end_entity" in Firefox.
It seems the certs that are generated on the fly using my root cert are valid for only some time, although the certificates themselves clearly are valid for three months.

I am not a PKI expert and certainly not for HSTS. Anyone have an idea what's going on here and how I solve this?

deanwebb

Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Reggle

Everything points to the same internal NTP server, which is correct.
Thanks for the tip though, I hadn't thought of that yet.

SimonV

Check this on mozilla bug central:

https://bugzilla.mozilla.org/show_bug.cgi?id=1034124

Looks like you need to add an attribute to your cert, or change Mozilla to accept it

Reggle

Thanks Simon. I figured out something: both the HSTS and the CA-thing from the Mozilla bug central are attributes passed on by the certificate and somehow cause a conflict.
I was using 'ssl_bump server-first' for the SSL interception, so an HTTPS connection was first made to the server by the proxy and as much information as possible was copied from that certificate into the one generated for the client.
I've now switched to 'ssl_bump client-first' where this doesn't happen and so far this seems to work. The attributes causing the issues seem missing.

I'm going to monitor this for a while.
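For anyone chasing the same symptoms, here is an added example (not from this thread and not Squid's code) that uses Python's cryptography library to build a throwaway root CA plus two proxy-style leaf certificates for a hypothetical host, example.test, and lints them the way a browser would: the basicConstraints CA flag (a leaf with CA:TRUE is exactly what Firefox's mozilla_pkix_error_ca_cert_used_as_end_entity means), the subjectAltName, and the validity window against the current clock. The "mimicked" leaf, which copies CA:TRUE from an upstream certificate, is an assumption about what a server-first bump could carry over; the names and hostname are constructed for the demo.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec


def make_cert(subject, issuer, signing_key, public_key, ca, sans=(), days=90):
    """Issue a certificate; `ca` sets the basicConstraints CA flag, `sans` the DNS names."""
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject)]))
               .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer)]))
               .public_key(public_key).serial_number(x509.random_serial_number())
               .not_valid_before(now - timedelta(minutes=5))
               .not_valid_after(now + timedelta(days=days))
               .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if sans:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(s) for s in sans]), critical=False)
    return builder.sign(signing_key, hashes.SHA256())


def lint_leaf(cert, host, now=None):
    """Return the reasons a browser would refuse `cert` as the server certificate for `host`."""
    problems = []
    now = now or datetime.now(timezone.utc)
    # A leaf carrying CA:TRUE is what Firefox reports as ca_cert_used_as_end_entity
    if cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
        problems.append("basicConstraints CA:TRUE on an end-entity certificate")
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        if host not in san.get_values_for_type(x509.DNSName):
            problems.append("subjectAltName does not cover " + host)
    except x509.ExtensionNotFound:
        problems.append("no subjectAltName extension")
    # cryptography >= 42 exposes not_valid_*_utc; older releases return naive UTC datetimes
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=timezone.utc)
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=timezone.utc)
    if not nb <= now <= na:
        problems.append("outside validity window (check the proxy's clock)")
    return problems


# Constructed demo: a throwaway root CA plus two proxy-generated leaves for a hypothetical host
ROOT_KEY, LEAF_KEY = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
ROOT = make_cert("Demo Proxy Root", "Demo Proxy Root", ROOT_KEY, ROOT_KEY.public_key(), ca=True)
MIMICKED = make_cert("example.test", "Demo Proxy Root", ROOT_KEY, LEAF_KEY.public_key(), ca=True, sans=["example.test"])
FIXED = make_cert("example.test", "Demo Proxy Root", ROOT_KEY, LEAF_KEY.public_key(), ca=False, sans=["example.test"])
print("mimicked:", lint_leaf(MIMICKED, "example.test"))  # → ['basicConstraints CA:TRUE on an end-entity certificate']
print("fixed:   ", lint_leaf(FIXED, "example.test"))     # → []
```

Note that HSTS itself is an HTTP response header the browser remembers, not a certificate attribute, so no certificate check can see it; its effect is that the browser no longer offers a click-through once the bumped certificate fails validation.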