Got it, I did not have my full list of signing authority certificates installed in the right location. I updated these using:

apt-get install openssl ca-certificates

Then copied the certs from the /etc/ssl/certs directory into my openssl installation directory. Works great now!

Amos Jeffries-2 wrote:
>
> On Tue, 27 Oct 2009 12:54:03 -0700 (PDT), vandermeer
> <jason.vandermeer@xxxxxxxxx> wrote:
>> I have squid 3.1.0.14 running with the configuration below to forward
>> decrypted traffic from sslBump to icap for inspection.
>>
>> When I browse non-SSL sites with sslBump enabled everything is fine.
>>
>> When I browse SSL sites with sslBump disabled everything is fine.
>>
>> When I browse SSL sites with sslBump enabled I receive the following
>> errors:
>>
>> 2009/10/27 10:57:41| SSL unknown certificate error 19 in
>> /C=US/ST=Arizona/L=Phoenix/O=American Express Company/OU=Web
>> Hosting/CN=www.americanexpress.com
>>
>> 2009/10/27 10:57:41| fwdNegotiateSSL: Error negotiating SSL connection on
>> FD 14: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
>> verify failed (1/-1/0)
>
> This is Squid's SSL library failing to verify the real _web server_
> certificate.
>
> There are a couple of things to check.
> * you have correct and most recent signing authority certificates etc. to
> verify theirs against.
> * your SSL library being used by Squid is capable of SSLv3 (which their
> site appears to require)
>
> There is a slim chance it could actually be a case of site forgery (your
> upstream doing SslBump would be pure irony).
>
>> My certificate is my company wildcard certificate.
>
> That only affects the browsers visiting through your Squid. Which seems
> fine so far.
>
>> Squid Config:
>>
>> icap_enable on
>>
>> icap_service service_req reqmod_precache 1 icap://10.207.214.22:1344/request
>> adaptation_access service_req allow all
>>
>> icap_service service_resp respmod_precache 0 icap://10.207.214.22:1344/response
>> adaptation_access service_resp allow all
>>
>> # configure the HTTP port to bump CONNECT requests
>> http_port 3128 sslBump cert=/usr/local/squid/etc/cert.pem
>>
>> # Bumped requests have relative URLs so Squid has to use reverse proxy
>> # or accelerator code. By default, that code denies direct forwarding.
>> # The need for this option may disappear in the future.
>> always_direct allow all
>>
>
> So far so good. However I see you have cut-n-pasted the example config and
> are trying to run it.
> The following bits are probably not needed.
>
>> # avoid bumping requests to sites that Squid cannot proxy well
>> acl broken_sites dstdomain .webax.com
>> ssl_bump deny broken_sites
>> ssl_bump allow all
>>
>> # ignore certain certificate errors or
>> # ignore errors with certain sites (very dangerous!)
>> acl TrustedName url_regex ^https://weserve.badcerts.com/
>> acl BogusError ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
>> sslproxy_cert_error allow TrustedName
>> sslproxy_cert_error allow BogusError
>> sslproxy_cert_error deny all
>
>
> Amos
>

--
View this message in context: http://www.nabble.com/sslBump%2C-error-SSL-unknown-certificate-error-tp26084033p26095332.html
Sent from the Squid - Users mailing list archive at Nabble.com.
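The "certificate error 19" in the log is OpenSSL's verify result X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: the chain the web server presented ends in a self-signed root that is not in the trust store Squid's OpenSSL consults, which is exactly what installing the CA bundle fixed. The following shell script is an added illustration, not code from this thread or from Squid: it builds a throwaway root CA and a leaf certificate offline, reproduces error 19 by verifying with an empty trust store and the server-style chain passed as untrusted, then shows the same verification succeeding once the root is supplied as trusted. The CA name, the hostname www.example.test and the temporary paths are made up for the demo.

```shell
#!/bin/sh
# Added example: reproduce OpenSSL verify error 19 (self-signed certificate
# in certificate chain) and clear it by trusting the root. Requires openssl.
# Everything here (CA name, hostname, paths) is constructed for the demo.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CA_PEM="$WORK/ca.pem"
LEAF_PEM="$WORK/leaf.pem"

# Build a self-signed root CA and a leaf certificate signed by it.
make_test_pki() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Demo Root CA (constructed)
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$CA_PEM" 2>/dev/null

    cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -subj "/CN=www.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$CA_PEM" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$LEAF_PEM" 2>/dev/null
}

# verify_leaf TRUSTFILE  (empty string = no trusted roots at all)
# Prints 0 on success, otherwise the numeric X509_V_ERR code OpenSSL reports.
# The root is passed with -untrusted, the way a TLS server would send it in its
# chain: it only counts as trusted if it is also found in TRUSTFILE.
verify_leaf() {
    trust="$1"
    if [ -n "$trust" ]; then
        out=$(openssl verify -no-CAfile -no-CApath -CAfile "$trust" \
                  -untrusted "$CA_PEM" "$LEAF_PEM" 2>&1) && { echo 0; return 0; }
    else
        out=$(openssl verify -no-CAfile -no-CApath \
                  -untrusted "$CA_PEM" "$LEAF_PEM" 2>&1) && { echo 0; return 0; }
    fi
    # e.g. "error 19 at 1 depth lookup: self-signed certificate in certificate chain"
    printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

make_test_pki
echo "empty trust store: error $(verify_leaf "")"        # 19, the thread's failure
echo "root in -CAfile:   error $(verify_leaf "$CA_PEM")"  # 0, verified
```

The same distinction applies to Squid: the store it verifies origin servers against is the one given by sslproxy_cafile / sslproxy_capath (or its OpenSSL build's default path), so pointing those at a maintained bundle such as the ca-certificates package is the durable form of the fix the original poster describes. Working around a failure with sslproxy_cert_error allow, as in the example config quoted above, switches verification off for the matched sites and should stay reserved for cases you have examined by hand.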