Hello together,
I am using Squid 3.5.12 with Kerberos Authentication only and ClamAV
on Debian Jessie.
My proxy is working very nicely, but now I've found an issue with just
one SSL website.
It would be nice to know if others can reproduce this Issue.
Target website is: https://www.shop-fonic-mobile.de/
While trying to access this website, a blank page is displayed without
any source code in it.
Cache Log says on each attempt:
Squid 2016/01/13 17:43:43 kid1| Error negotiating SSL on FD 22: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
Access Log for each attempt:
1452703599.547 0 10.0.0.4 TCP_DENIED/407 4189 CONNECT www.shop-fonic-mobile.de:443 - HIER_NONE/- text/html
1452703599.832 272 10.0.0.4 TAG_NONE/200 0 CONNECT www.shop-fonic-mobile.de:443 MYUSER HIER_NONE/- -
1452703599.888 52 10.0.0.4 TCP_MISS/503 402 GET https://www.shop-fonic-mobile.de/ MYUSER HIER_DIRECT/85.158.6.195 text/html
SSL Bumping generated a valid certificate for this site using my internal CA.
I can reproduce the error only on this website; everything else is
working nicely, and if Squid can't validate an external SSL certificate
it displays an error, of course.
I currently fixed it by adding it to my SSL_TrustedSites ACL.
This is my Bump config:
http_port 8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl/myca.pem
ssl_bump splice localhost
ssl_bump bump all
sslproxy_cert_error allow SSL_TrustedSites
sslproxy_cert_error deny all
Expected behavior of Squid: If Squid can't validate an SSL Certificate
then an error should be displayed as it does on all other sites with
invalid certificates.
But it seems that the first check of Squid recognizes the certificate
as valid (otherwise it would display an error), Squid generates a
valid cert for the client, and then Squid seems not to be able to
validate it again at this point.
The Target Website SSL Chain is as follows:
CA <- part of ca-certificates
-- Intermediate <- not a part of ca-certificates
----- website
So I believe that somehow on the initial request Squid can validate the
full chain, and as soon as the client receives the generated cert it
can't look up the whole chain because it tries to validate against the
intermediate CA only, loses the path to the Root CA, and fails of
course. Again, only the Root CA is known by the system (ca-certificates).
Please let me know if someone can reproduce this Issue.
BTW:
Found another issue in Squid 3.5.12 regarding error messages:
"mailto:" links which generate an error mail do not work
anymore. Maybe this is related to Kerberos authentication, which maybe
makes the URL-encoded string longer than before. I've found out that
the error is somewhere in the last part of the URL-encoded link.
Couldn't pinpoint it.
Best regards,
Enrico
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
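The chain situation Enrico describes (root in ca-certificates, intermediate not), as an added example that is not part of the original post or of Squid itself: the script builds a throwaway Root CA -> Intermediate CA -> server chain with openssl and then runs the same kind of path validation Squid's SSL layer delegates to OpenSSL, once with only the root in the trust store and nothing else, and once with the intermediate supplied as untrusted input. All subject names, file names and the hostname shop.example.test are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post or the Squid project. Builds a
# test PKI (root -> intermediate -> leaf) and shows how OpenSSL path
# validation behaves when only the root is trusted. All names are constructed.

# Minimal req config so the self-signed root is marked CA:TRUE regardless of
# what the distribution's default openssl.cnf contains.
write_req_config() {
    printf '[req]\ndistinguished_name = dn\nx509_extensions = v3_ca\n[dn]\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' > "$1"
}

# make_test_pki DIR: root.pem (self-signed), int.pem (signed by root),
# leaf.pem (signed by int). Mirrors the post: only the root would live in
# the system ca-certificates store.
make_test_pki() {
    dir=$1
    mkdir -p "$dir" || return 1
    write_req_config "$dir/req.cnf"
    openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example Test Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null || return 1
    # Intermediate CA certificate: CA:TRUE so it may issue the leaf.
    printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' > "$dir/ca.ext"
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Test Intermediate CA" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null || return 1
    openssl x509 -req -sha256 -days 1 -in "$dir/int.csr" \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null || return 1
    # Server (leaf) certificate issued by the intermediate.
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:shop.example.test\n' > "$dir/leaf.ext"
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=shop.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -sha256 -days 1 -in "$dir/leaf.csr" \
        -CA "$dir/int.pem" -CAkey "$dir/int.key" -CAcreateserial \
        -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null || return 1
}

# verify_leaf DIR MODE: prints "ok" or "fail".
#   root_only         - validator holds just the root and the server did not
#                       send its intermediate (the failure mode in the post)
#   with_intermediate - the intermediate is presented as untrusted input and
#                       used only to build the path up to the trusted root
verify_leaf() {
    dir=$1
    mode=$2
    if [ "$mode" = "with_intermediate" ]; then
        openssl verify -CAfile "$dir/root.pem" -untrusted "$dir/int.pem" \
            "$dir/leaf.pem" >/dev/null 2>&1 && echo ok || echo fail
    else
        openssl verify -CAfile "$dir/root.pem" \
            "$dir/leaf.pem" >/dev/null 2>&1 && echo ok || echo fail
    fi
}

# Stand-alone run: build the PKI in a temporary directory and show both outcomes.
main() {
    tmp=$(mktemp -d) || exit 1
    make_test_pki "$tmp" || { echo "openssl setup failed" >&2; rm -rf "$tmp"; exit 1; }
    echo "root only, intermediate missing:  $(verify_leaf "$tmp" root_only)"
    echo "root + intermediate as untrusted: $(verify_leaf "$tmp" with_intermediate)"
    rm -rf "$tmp"
}
main
```

The first verify fails with "unable to get local issuer certificate" because the validator can find no path from the leaf to a trusted anchor; the second succeeds because the intermediate, although untrusted on its own, lets the path reach the root. That is also why `sslproxy_cert_error allow SSL_TrustedSites` is a workaround rather than a fix: it suppresses the verification error for that site instead of completing the chain. A chain-preserving alternative on Squid 3.5 is to make the missing intermediate available to the proxy's own validator through `sslproxy_cafile` or `sslproxy_capath`, so the error stays enabled for every other site.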