04.02.2015 2:39, Eliezer Croitoru wrote:
> Hey Yuri,
>
> From what I remember, before squid passes data into ssl_crtd it can debug the certificates of the requested sites.
> If you record\log them you can run a script through them and find the culprit pretty fast (relatively).
>
> What debug sections have you tried using to debug it?
> Since squid uses openssl libs it probably does not know about the CA and therefore there are not many details about it.

OpenSSL knows about CA's. With capath= option in https_port. It uses it to verify connection from cache to server.

>
> I would say that the URL is not important in the case of an intercept proxy.

It is important to localize CA's problem. When I can see the problem URL - I can look at this and find which CA was used.

> In the case it's a regular forward proxy with ssl_bump you can run through the list of CONNECT requests which are logged before the decryption of the tunnel.

I use an interception proxy. BTW, with over 100 requests per second and correlation analysis of two logs? access.log and cache.log? Bad idea, I think.

>
> What squid.conf rules are you using?
>
> I noticed you assume that squid passes URL to ssl_crtd and it's not how it works.

This does not matter. I want to find only an easy way to catch problem SSL connections through Squid.

>
> All The Bests,
> Eliezer
>
> On 03/02/2015 16:26, Yuri Voinov wrote:
>> Hi gents,
>>
>> I think it will be good to add advanced debug options to ssl_crtd to avoid
>> this:
>>
>> 2015/02/03 20:21:37 kid1| clientNegotiateSSL: Error negotiating SSL
>> connection on FD 28: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
>> alert unknown ca (1/0)
>>
>> Now we have no tools to diagnose the situations above. Excluding own
>> eyes and brains. And - telepathy.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
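
Added example, not part of the original messages and not Squid code: a Python script that pulls clientNegotiateSSL failures like the one quoted in the thread out of cache.log, decodes the packed OpenSSL error code, and tallies them by TLS alert. It assumes the OpenSSL 1.0.x error-code layout; the second and third sample lines are constructed.

```python
import re
from collections import Counter

# Assumption: OpenSSL 1.0.x error layout (8-bit lib, 12-bit func, 12-bit reason).
ERR_LIB_SSL = 20
ALERT_OFFSET = 1000  # SSL reason 1000 + N means "the peer sent TLS alert N"
# Certificate-related alert numbers from RFC 5246, section 7.2.
ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
          44: "certificate_revoked", 45: "certificate_expired",
          46: "certificate_unknown", 48: "unknown_ca"}

LINE = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \S+\| clientNegotiateSSL: "
    r"Error negotiating SSL connection on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]{8}):.*\(-?\d+/-?\d+\)\s*$")

def decode(code_hex):
    """Split a packed OpenSSL 1.0.x error code into (lib, func, reason)."""
    e = int(code_hex, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF

def parse(line):
    """Return details of one clientNegotiateSSL failure, or None for other lines."""
    m = LINE.match(line)
    if not m:
        return None
    lib, _func, reason = decode(m["code"])
    alert = reason - ALERT_OFFSET if lib == ERR_LIB_SSL and reason >= ALERT_OFFSET else None
    return {"ts": m["ts"], "fd": int(m["fd"]), "reason": reason,
            "alert": alert, "alert_name": ALERTS.get(alert)}

def label(hit):
    if hit["alert"] is None:
        return f"local reason {hit['reason']}"
    return hit["alert_name"] or f"alert {hit['alert']}"

def summarize(lines):
    """Count handshake failures by received alert (or by local reason code)."""
    return Counter(label(h) for h in map(parse, lines) if h)

SAMPLE = [
    # Line quoted in the thread, unwrapped onto one line.
    "2015/02/03 20:21:37 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 28: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)",
    # Constructed lines in the same format.
    "2015/02/03 20:21:39 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 31: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)",
    "2015/02/03 20:21:40 kid1| Starting new ssl_crtd helpers...",
]

if __name__ == "__main__":
    for name, count in summarize(SAMPLE).most_common():
        print(f"{count:6d}  {name}")
```

The quoted log line carries only a file descriptor, so this gives counts per alert type from cache.log alone and does not recover the URL or server name.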