On 10/28/2015 08:09 AM, Yuri Voinov wrote: > At a minimum, it should write the information on them in the log - in > an understandable form I suspect everybody agrees with that statement. I am sure this will be implemented eventually. No need to argue about that. Alex. > 28.10.15 19:55, Amos Jeffries пишет: >> On 28/10/2015 11:57 p.m., Yuri Voinov wrote: >>> >>> >>> 28.10.15 16:47, Amos Jeffries пишет: >>>> On 28/10/2015 11:35 p.m., Yuri Voinov wrote: >>>>> Hi gents. >>>>> >>>>> I think, all of you who use Bump, seen much this messages in your >>>>> cache.log. >>>>> >>>>> SSL3_READ_BYTES:sslv3 alert certificate unknown >>>>> >>>>> AFAIK, no way to identify which CA is absent in your setup. >>>>> >>>>> I propose to consider the following questions: how do properly support >>>>> SSL proxy, if you can not identify the problem certificates? Telepaths >>>>> sunbathing in Bali. The procedure, which currently can not quickly and >>>>> in any way to effectively determine such a certificate. >>>>> >>>>> At the moment, the situation is as follows. SSL library - a thing in >>>>> itself, it runs by itself and does not write any logs. Squid - itself >>>>> and any useful information on the library does not receive but obscure >>>>> diagnostic messages. The possibility in any way specify the SSL library >>>>> diagnostic messages we have, and, as I understand it, will not. >>>>> >>>>> So, any ideas? >>>> Make sure Squid is sending the whole CA chain to the remote end? >>> I think so, "From the remote end". If we have web-server with CA, which >>> is not exists on our proxy, we must install it (which means "trust >>> them", yea?) in our proxy manually. >>> >>> I have idiotic idea - Squid fetch remote CA and offer us to trust and >>> install interactively. :) This is, of course, clinically idiotism. :) >>> > >> That is what the Browsers do. It has been suggested to write a cert >> validator that does it too. > > >>> But - to support real Squid installation with thoursands users, I really >>> want to know, which CA's not exists from my side. >>> >>> Intermediate CA's is no matter - if we have root CA already, fetch >>> intermediate chain is not big problem. >>> >>> In this case, however, we faced unknown root CA exactly. >>> >>> Yes? > >> I doubt. Chains do not have length limits and IIRC you can't know that >> it is a root CA until you actually have it and see that it is >> self-signed. At which point it is not "certificate unknown" anymore. > >> What is missing is just some CA in the chain. It needs to be located >> somehow, only then can the decision happen about whether to trust or not >> and see if another up the chain is needed too. > > >>> >>> And so what? > >> So by walking the chain and filling in as needed the cert validator >> helper can probably fill the whole sequence in and reach a root CA that >> is already trusted and tells you the found ones can be too. That is what >> the Browsers do. > > >> Amos >> _______________________________________________ >> squid-users mailing list >> squid-users@xxxxxxxxxxxxxxxxxxxxx >> http://lists.squid-cache.org/listinfo/squid-users > > > _______________________________________________ > squid-users mailing list > squid-users@xxxxxxxxxxxxxxxxxxxxx > http://lists.squid-cache.org/listinfo/squid-users > _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
