I have squid 3.1.0.14 running with the configuration below to forward decrypted traffic from sslBump to icap for inspection.

When I browse non SSL sites with sslBump enabled everything is fine.
When I browse SSL sites with sslbump disabled everything is fine.
When I browse SSL sites with sslbump enabled I receive the following errors:

2009/10/27 10:57:41| SSL unknown certificate error 19 in /C=US/ST=Arizona/L=Phoenix/O=American Express Company/OU=Web Hosting/CN=www.americanexpress.com
2009/10/27 10:57:41| fwdNegotiateSSL: Error negotiating SSL connection on FD 14: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)

My certificate is my company wildcard certificate.

Squid Config:

icap_enable on
icap_service service_req reqmod_precache 1 icap://10.207.214.22:1344/request
adaptation_access service_req allow all
icap_service service_resp respmod_precache 0 icap://10.207.214.22:1344/response
adaptation_access service_resp allow all

# configure the HTTP port to bump CONNECT requests
http_port 3128 sslBump cert=/usr/local/squid/etc/cert.pem

# Bumped requests have relative URLs so Squid has to use reverse proxy
# or accelerator code. By default, that code denies direct forwarding.
# The need for this option may disappear in the future.
always_direct allow all

# avoid bumping requests to sites that Squid cannot proxy well
acl broken_sites dstdomain .webax.com
ssl_bump deny broken_sites
ssl_bump allow all

# ignore certain certificate errors or
# ignore errors with certain sites (very dangerous!)
acl TrustedName url_regex ^https://weserve.badcerts.com/
acl BogusError ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow TrustedName
sslproxy_cert_error allow BogusError
sslproxy_cert_error deny all
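
An added example (not part of the original post and not Squid project code): a small Python triage script that decodes the two cache.log lines quoted above. It assumes the number in Squid's "SSL unknown certificate error" message is the OpenSSL X509 verify error code, where 19 is X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; the function and variable names are hypothetical.

```python
import re

# Subset of OpenSSL X509_V_ERR_* verify codes (values from OpenSSL's x509_vfy.h).
X509_V_ERR = {
    2: "UNABLE_TO_GET_ISSUER_CERT",
    9: "CERT_NOT_YET_VALID",
    10: "CERT_HAS_EXPIRED",
    18: "DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "SELF_SIGNED_CERT_IN_CHAIN",
    20: "UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "UNABLE_TO_VERIFY_LEAF_SIGNATURE",
}
# Codes meaning "no trusted CA found for this chain" rather than a bad leaf.
TRUST_STORE_CODES = {2, 19, 20, 21}

CERT_RE = re.compile(r"SSL unknown certificate error (\d+) in (/\S.*)$")
NEG_RE = re.compile(
    r"fwdNegotiateSSL: .* on FD (\d+): "
    r"error:([0-9A-Fa-f]+):([^:]*):([^:]*):(.*?)(?: \(|$)")

# Sample input: the two cache.log lines from the post above.
SAMPLE_LOG = [
    "2009/10/27 10:57:41| SSL unknown certificate error 19 in /C=US/ST=Arizona/L=Phoenix/O=American Express Company/OU=Web Hosting/CN=www.americanexpress.com",
    "2009/10/27 10:57:41| fwdNegotiateSSL: Error negotiating SSL connection on FD 14: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)",
]

def parse_dn(dn):
    """Split an OpenSSL one-line subject (/K=V/K=V) into a dict."""
    return dict(p.split("=", 1) for p in dn.strip("/").split("/") if "=" in p)

def triage(lines):
    """Pair each verify error with the handshake failure logged after it."""
    findings, pending = [], None
    for line in lines:
        m = CERT_RE.search(line)
        if m:
            code = int(m.group(1))
            pending = {"code": code, "name": X509_V_ERR.get(code, "UNKNOWN"),
                       "cn": parse_dn(m.group(2)).get("CN"),
                       "trust_store_issue": code in TRUST_STORE_CODES}
            continue
        m = NEG_RE.search(line)
        if m and pending:
            pending.update(fd=int(m.group(1)), openssl_func=m.group(4), reason=m.group(5))
            findings.append(pending)
            pending = None
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

SSL3_GET_SERVER_CERTIFICATE is the OpenSSL routine a TLS client runs on the certificate it receives, so the decoded failure is Squid rejecting the origin server's chain, which is separate from the cert= file on http_port. In the posted configuration that error is not SQUID_X509_V_ERR_DOMAIN_MISMATCH, so it falls through to `sslproxy_cert_error deny all`.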