Search squid archive

tlsv1 alert errors

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



So I got squid to intercept http and https traffic, but I get the following error on any https access

2015/02/23 12:50:15 kid1| clientNegotiateSSL: Error negotiating SSL connection o n FD 28: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0
)

This of course leads to all kinds of site untrusted/compromised errors in client browsers.

From looking in the archives this usually occurs because of a missing/outdated root CA file.
I have the following liness in squid.conf

https_port 127.0.0.1:3127 intercept ssl-bump \
  generate-host-certificates=on \
  dynamic_cert_mem_cache_size=16MB \
  cert=/etc/squid/ssl_cert/MyCA.pem\
cafile=/etc/ssl/cert.pem # tried without the cafile cirective here as well


https_port [::1]:3127 intercept ssl-bump \
  generate-host-certificates=on \
  dynamic_cert_mem_cache_size=16MB \
  cert=/etc/squid/ssl_cert/MyCA.pem\
  cafile=/etc/ssl/cert.pem #tried without the cafile directive here as well

#
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /data/squid/ssl_db -M 16MB
sslcrtd_children 10
always_direct allow all
sslproxy_cert_error allow all
ssl_bump server-first all
sslproxy_cafile /etc/ssl/cert.pem
#sslproxy_cert_error allow all
#sslproxy_flags DONT_VERIFY_PEER

The /etc/ssl/cert.pem file distributed with openbsd 5.6 has 44 root ca's listed (see below).

Is there anyway to get squid to tell me which CA is unknown? If so I can get that CA file and add it in. Or is there a place to get a good rootca.pem file? Or is something else wrong?

Thanks muchly for helping the newbie.

Alan

the openbsd5.6 cert.pem contains the following issuers/certificates:
# grep Issuer /etc/ssl/cert.pem
Issuer: C=US, O=GTE Corporation, OU=GTE CyberTrust Solutions, Inc., CN=G
TE CyberTrust Global Root
        Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSig
n Trust Network
        Issuer: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
        Issuer: OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
        Issuer: OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign
Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=C ertification Services Division, CN=Thawte Premium Server CA/emailAddress=premium
-server@xxxxxxxxxx
Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=C ertification Services Division, CN=Thawte Server CA/emailAddress=server-certs@th
awte.com
Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification
Authority
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 V eriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Cert
ification Authority - G5
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 V eriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Cert
ification Authority - G3
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2007 V eriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Cert
ification Authority - G4
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2008 V eriSign, Inc. - For authorized use only, CN=VeriSign Universal Root Certificatio
n Authority
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 V eriSign, Inc. - For authorized use only, CN=VeriSign Class 4 Public Primary Cert
ification Authority - G3
Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN
=StartCom Certification Authority
Issuer: L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Class 2 Policy Validation Authority, CN=http://www.valicert.com//emailAddress=info@xxxxxxxxxxxx Issuer: C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Secure Server Certification Authority Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA Issuer: C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1 Issuer: C=US, O=Equifax Secure Inc., CN=Equifax Secure eBusiness CA-1
        Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
        Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA 2
Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Primary Certification Authority Issuer: C=US, O=GeoTrust Inc., OU=(c) 2008 GeoTrust Inc. - For authorized use only, CN=GeoTrust Primary Certification Authority - G3
        Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA
        Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA 2
Issuer: C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2 Issuer: C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority Issuer: C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Root Certificate Authority - G2 Issuer: C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2 Issuer: C=IL, O=StartCom Ltd., CN=StartCom Certification Authority G2 Issuer: C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA Issuer: C=US, O=thawte, Inc., OU=(c) 2007 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA - G2 Issuer: C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2008 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA - G3 Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services Issuer: C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware Issuer: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root Issuer: C=DE, O=Deutsche Telekom AG, OU=T-TeleSec Trust Center, CN=Deutsche Telekom Root CA 2 Issuer: C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 2 Issuer: C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 3

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users





[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux