28.10.15 16:47, Amos Jeffries wrote:
I think so, "From the remote end". If we have a web server with a CA which does not exist on our proxy, we must install it (which means "trust them", yea?) in our proxy manually.

> On 28/10/2015 11:35 p.m., Yuri Voinov wrote:
>> Hi gents.
>>
>> I think all of you who use Bump have seen many of these messages in your cache.log.
>>
>> SSL3_READ_BYTES:sslv3 alert certificate unknown
>>
>> AFAIK, there is no way to identify which CA is absent in your setup.
>>
>> I propose to consider the following question: how do you properly support an SSL proxy if you cannot identify the problem certificates? Telepaths are sunbathing in Bali.
>>
>> The procedure currently cannot quickly or in any way effectively determine such a certificate.
>>
>> At the moment, the situation is as follows. The SSL library is a thing in itself; it runs by itself and does not write any logs. Squid is by itself too, and does not receive any useful information from the library, only obscure diagnostic messages. The possibility in any way specify the SSL library diagnostic messages we have, and, as I understand it, will not.
>>
>> So, any ideas?
>
> Make sure Squid is sending the whole CA chain to the remote end?

I have an idiotic idea - Squid fetches the remote CA and offers us to trust and install it interactively. :)

This is, of course, clinical idiocy. :)

But - to support a real Squid installation with thousands of users, I really want to know which CAs do not exist on my side. Intermediate CAs do not matter - if we have the root CA already, fetching the intermediate chain is not a big problem.

In this case, however, we are facing exactly an unknown root CA. Yes?

And so what? Yea, I can kick all users, watch a huge access.log, trying to identify the problem URL row by row, execute curl/wget. And? Do this procedure every day? This is not the best waste of time.

Of course, the OpenSSL developers have to tear off his hands. But what about us, smart and handsome?
;)

> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users