On Tue, 27 Oct 2009 12:54:03 -0700 (PDT), vandermeer <jason.vandermeer@xxxxxxxxx> wrote:

> I have squid 3.1.0.14 running with the configuration below to forward
> decrypted traffic from sslBump to icap for inspection.
>
> When I browse non SSL sites with sslBump enabled everything is fine.
>
> When I browse SSL sites with sslbump disabled everything is fine.
>
> When I browse SSL sites with sslbump enabled I receive the following
> errors:
>
> 2009/10/27 10:57:41| SSL unknown certificate error 19 in
> /C=US/ST=Arizona/L=Phoenix/O=American Express Company/OU=Web
> Hosting/CN=www.americanexpress.com
>
> 2009/10/27 10:57:41| fwdNegotiateSSL: Error negotiating SSL connection on
> FD 14: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed (1/-1/0)

This is Squid's SSL library failing to verify the real _web server_
certificate. There are a couple of things to check:

* you have the correct and most recent signing authority certificates etc.
  to verify theirs against.
* the SSL library being used by Squid is capable of SSLv3 (which their
  site appears to require).

There is a slim chance it could actually be a case of site forgery (your
upstream doing SslBump would be pure irony).

> My certificate is my company wildcard certificate.

That only affects the browsers visiting through your Squid. Which seems
fine so far.

> Squid Config:
>
> icap_enable on
>
> icap_service service_req reqmod_precache 1 icap://10.207.214.22:1344/request
> adaptation_access service_req allow all
>
> icap_service service_resp respmod_precache 0 icap://10.207.214.22:1344/response
> adaptation_access service_resp allow all
>
> # configure the HTTP port to bump CONNECT requests
> http_port 3128 sslBump cert=/usr/local/squid/etc/cert.pem
>
> # Bumped requests have relative URLs so Squid has to use reverse proxy
> # or accelerator code. By default, that code denies direct forwarding.
> # The need for this option may disappear in the future.
> always_direct allow all

So far so good. However I see you have cut-n-pasted the example config and
are trying to run it. The following bits are probably not needed:

> # avoid bumping requests to sites that Squid cannot proxy well
> acl broken_sites dstdomain .webax.com
> ssl_bump deny broken_sites
> ssl_bump allow all
>
> # ignore certain certificate errors or
> # ignore errors with certain sites (very dangerous!)
> acl TrustedName url_regex ^https://weserve.badcerts.com/
> acl BogusError ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
> sslproxy_cert_error allow TrustedName
> sslproxy_cert_error allow BogusError
> sslproxy_cert_error deny all

Amos
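A small parser for cache.log entries of the shape quoted in the thread, added here as an example; it is not part of the thread and not Squid's own code. Squid 3.1 prints only the numeric OpenSSL verify result ("SSL unknown certificate error 19"); the script restores the symbolic name from OpenSSL's x509_vfy.h table (19 is X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN), pairs it with the fwdNegotiateSSL failure that follows for the same connection, and says which of the checks above applies. That tells you whether you are missing a CA certificate, whether something between you and the site is re-signing its chain, or whether the error is unrelated, before you reach for sslproxy_cert_error. The sample log lines are constructed: the first pair is the one from the thread, the second (an expired certificate on a made-up host) is added to show a different code.

```python
"""Parse Squid cache.log SSL verify failures and name the OpenSSL codes.

Added example, not from the squid-users thread or the Squid project.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Numeric X509 verify result codes as defined in OpenSSL's x509_vfy.h.
X509_VERIFY_ERRORS: Dict[int, str] = {
    2: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT",
    7: "X509_V_ERR_CERT_SIGNATURE_FAILURE",
    9: "X509_V_ERR_CERT_NOT_YET_VALID",
    10: "X509_V_ERR_CERT_HAS_EXPIRED",
    18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
    27: "X509_V_ERR_CERT_UNTRUSTED",
}

TS = r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\| "
VERIFY_RE = re.compile(
    TS + r"SSL unknown certificate error (?P<code>\d+) in (?P<subject>/.+)$")
NEGOTIATE_RE = re.compile(
    TS + r"fwdNegotiateSSL: Error negotiating SSL connection on FD (?P<fd>\d+): "
    r"error:(?P<errhex>[0-9a-fA-F]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):"
    r"(?P<reason>.+?)(?: \((?P<detail>[^)]*)\))?$")


@dataclass
class SslVerifyFailure:
    timestamp: str
    code: int
    name: str
    subject: str
    cn: Optional[str]
    fd: Optional[int] = None          # filled from the fwdNegotiateSSL line
    openssl_error: Optional[str] = None
    reason: Optional[str] = None


def cn_of(subject: str) -> Optional[str]:
    """Pull the CN out of an OpenSSL one-line subject DN."""
    m = re.search(r"/CN=([^/]+)", subject)
    return m.group(1) if m else None


def parse_cache_log(lines: Iterable[str]) -> List[SslVerifyFailure]:
    """Pair each verify-error line with the next fwdNegotiateSSL failure."""
    events: List[SslVerifyFailure] = []
    pending: Optional[SslVerifyFailure] = None
    for raw in lines:
        line = raw.rstrip("\n")
        m = VERIFY_RE.match(line)
        if m:
            code = int(m.group("code"))
            pending = SslVerifyFailure(
                timestamp=m.group("ts"), code=code,
                name=X509_VERIFY_ERRORS.get(code, f"X509_V_ERR_UNKNOWN_{code}"),
                subject=m.group("subject"), cn=cn_of(m.group("subject")))
            events.append(pending)
            continue
        m = NEGOTIATE_RE.match(line)
        if m and pending is not None and pending.fd is None:
            pending.fd = int(m.group("fd"))
            pending.openssl_error = m.group("errhex")
            pending.reason = f"{m.group('func')}:{m.group('reason')}"
            pending = None   # one negotiation failure per verify error
    return events


def what_to_check(code: int) -> str:
    """First thing to look at for a given verify code (the checks from the reply)."""
    if code in (2, 20, 21, 27):
        return "trust store: issuer CA is missing from the bundle Squid's OpenSSL uses"
    if code in (18, 19):
        return ("chain ends in a self-signed cert Squid does not trust: import that CA "
                "if you know it, otherwise something upstream is re-signing the site")
    if code in (9, 10):
        return "validity period: check the server cert dates and the proxy host clock"
    return "unclassified verify error; see OpenSSL x509_vfy.h"


def summarize(events: List[SslVerifyFailure]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in events:
        counts[e.name] = counts.get(e.name, 0) + 1
    return counts


# Constructed sample: first pair copied from the thread, second pair made up.
SAMPLE_CACHE_LOG = """\
2009/10/27 10:57:40| Accepting HTTP connections at 0.0.0.0:3128, FD 12.
2009/10/27 10:57:41| SSL unknown certificate error 19 in /C=US/ST=Arizona/L=Phoenix/O=American Express Company/OU=Web Hosting/CN=www.americanexpress.com
2009/10/27 10:57:41| fwdNegotiateSSL: Error negotiating SSL connection on FD 14: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2009/10/27 10:58:02| SSL unknown certificate error 10 in /C=US/O=Example Corp/CN=expired.example.com
2009/10/27 10:58:02| fwdNegotiateSSL: Error negotiating SSL connection on FD 21: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
"""

if __name__ == "__main__":
    for e in parse_cache_log(SAMPLE_CACHE_LOG.splitlines()):
        print(f"{e.timestamp} fd={e.fd} {e.name} ({e.code}) cn={e.cn}: {what_to_check(e.code)}")
```

Run it against a real cache.log with `parse_cache_log(open("/usr/local/squid/var/logs/cache.log"))`. A run of code 19 for many unrelated sites is the strong hint Amos alludes to: one CA missing from your bundle would affect only the sites signed by it, while a device upstream re-signing everything produces the same self-signed-in-chain error for every host.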