On 5/12/2013 4:54 a.m., iishiii wrote:
> after again building Squid 3.4.0.3
> now am getting this error
> <snip>
> 2013/12/04 20:49:01| fwdNegotiateSSL: Error negotiating SSL connection on FD
> 10: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed (1/-1/0)
> 2013/12/04 20:49:57| fwdNegotiateSSL: Error negotiating SSL connection on FD
> 66: error:00000000:lib(0):func(0):reason(0) (5/0/0)
>
>
> still can open facebook or https sites correctly ... pages are broken and a
> lot of security alerts...any idea ???

This is the certificate validation of outbound SSL connections from Squid to some servers. The server certificate is invalid as far as Squid can tell.

1) double- and triple-check that your Squid's outbound connections on port 443 are not being diverted back into Squid.

2) check if your ca-certificates on the Squid machine is up to date. Old CA cert collections can fail to verify up-to-date servers in exactly this way.

3) check what version of OpenSSL you are using. The big popular sites are known to be using relatively recent SSL features in their certificates. If your library is very old you may see these types of errors as verification fails on some obscure library bugs.

...

99) check if your upstream service provider is performing SSL interception. Your Squid may simply be detecting their forged certs if so.

Amos
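A triage sketch for the two `fwdNegotiateSSL` lines quoted above, added here as an example and not part of the original post or of Squid. It assumes the trailing `(a/b/c)` triple is the `SSL_get_error()` code, the handshake return value and errno; the function names and category labels are hypothetical.

```python
import re

# Constructed sample: the two quoted log lines, each rejoined onto one line.
SAMPLE_LOG = """\
2013/12/04 20:49:01| fwdNegotiateSSL: Error negotiating SSL connection on FD 10: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2013/12/04 20:49:57| fwdNegotiateSSL: Error negotiating SSL connection on FD 66: error:00000000:lib(0):func(0):reason(0) (5/0/0)
"""

# SSL_get_error() result codes as defined in OpenSSL's ssl.h.
SSL_ERRORS = {0: "SSL_ERROR_NONE", 1: "SSL_ERROR_SSL", 2: "SSL_ERROR_WANT_READ",
              3: "SSL_ERROR_WANT_WRITE", 4: "SSL_ERROR_WANT_X509_LOOKUP",
              5: "SSL_ERROR_SYSCALL", 6: "SSL_ERROR_ZERO_RETURN"}

# OpenSSL error string is error:<hex code>:<lib>:<func>:<reason>.
# Assumption: the trailing triple is (ssl_error/ret/errno).
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\| fwdNegotiateSSL: .* on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*?) "
    r"\((?P<ssl_error>-?\d+)/(?P<ret>-?\d+)/(?P<errno>-?\d+)\)$"
)

def triage(line):
    """Classify one fwdNegotiateSSL log line; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ssl_error, ret = int(m["ssl_error"]), int(m["ret"])
    if "certificate verify failed" in m["reason"]:
        # Server certificate rejected: the checks listed in the reply apply.
        category = "verify-failed"
        hint = "check port-443 loops, CA bundle age, OpenSSL version, upstream interception"
    elif ssl_error == 5 and int(m["code"], 16) == 0 and ret == 0:
        # SSL_ERROR_SYSCALL with an empty error queue and ret 0: unexpected EOF.
        category = "peer-closed"
        hint = "connection ended mid-handshake with no OpenSSL error queued"
    else:
        category = "other"
        hint = "read the OpenSSL reason string"
    return {"fd": int(m["fd"]), "ssl_error": SSL_ERRORS.get(ssl_error, "unknown"),
            "category": category, "hint": hint}

def triage_log(text):
    """Triage every matching line in a block of cache.log text."""
    return [r for r in map(triage, text.splitlines()) if r]

if __name__ == "__main__":
    for result in triage_log(SAMPLE_LOG):
        print(result)
```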