-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I've seen the same - just no laugh! - with https://instagram.com :)
Yes, I know, selfie is evil :)

13.01.16 23:10, squid@xxxxxxxxxxxxx wrote:
>
> Hello together,
>
> I am using Squid 3.5.12 with Kerberos authentication only and ClamAV on Debian Jessie.
>
> My proxy is working very nicely, but now I've found an issue with just one SSL website.
>
> It would be nice to know if others can reproduce this issue.
>
> Target website is: https://www.shop-fonic-mobile.de/
>
> While trying to access this website, a blank page is displayed without any source code in it.
>
> Cache log says on each attempt:
> Squid 2016/01/13 17:43:43 kid1| Error negotiating SSL on FD 22: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
>
> Access log for each attempt:
> 1452703599.547 0 10.0.0.4 TCP_DENIED/407 4189 CONNECT www.shop-fonic-mobile.de:443 - HIER_NONE/- text/html
> 1452703599.832 272 10.0.0.4 TAG_NONE/200 0 CONNECT www.shop-fonic-mobile.de:443 MYUSER HIER_NONE/- -
> 1452703599.888 52 10.0.0.4 TCP_MISS/503 402 GET https://www.shop-fonic-mobile.de/ MYUSER HIER_DIRECT/85.158.6.195 text/html
>
> SSL bumping generated a valid certificate for this site using my internal CA.
>
> I can reproduce the error only on this website; everything else is working nicely, and if Squid can't validate an external SSL certificate it displays an error, of course.
>
> I currently fixed it by adding it to my SSL_TrustedSites ACL.
>
>
> This is my bump config:
>
> http_port 8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl/myca.pem
> ssl_bump splice localhost
> ssl_bump bump all
> sslproxy_cert_error allow SSL_TrustedSites
> sslproxy_cert_error deny all
>
>
> Expected behavior of Squid: If Squid can't validate an SSL certificate, then an error should be displayed, as it does on all other sites with invalid certificates.
> But it seems that the first check of Squid recognizes the certificate as valid (otherwise it would display an error), Squid generates a valid cert for the client, and then Squid seems to not be able to validate it at this point again.
>
> The target website's SSL chain is as follows:
> CA              <- part of the ca-certificates
> -- Intermediate <- not a part of the ca-certificates
> -----website
>
> So I believe somehow on the initial request Squid can validate the full chain, and as soon as the client receives the generated cert it can't look up the whole chain, because it tries to validate against the intermediate CA only, has lost the path to the Root CA, and fails, of course. Again, only the Root CA is known by the system (ca-certificates).
>
> Please let me know if someone can reproduce this issue.
>
> BTW:
> Found another issue in Squid 3.5.12 regarding error messages: "mailto:" links which generate an error mail do not work anymore. Maybe this is related to Kerberos authentication, which maybe makes the URL-encoded string longer than before. I've found out that the error is somewhere in the last part of the URL-encoded link. Couldn't pinpoint it.
>
> Best regards,
>
> Enrico
>
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJWlpUYAAoJENNXIZxhPexGpHAH/0T20R7PapqhQMYethDrnntK
eWpKSIyASFs0dHErJ7YLdvqsY/JXkLH2WLO6B8v16JqaizLzELQZNu8sENCF92nG
1F68GFyWEtqgD5yynOHsxVwY2wrNInV1FeC3Ll+iwP5tZKcU4dN/GZotzUZdvkMr
FNLNjzp03bXCq9kM+mvOqD0iaYi+kZjliwKQ6LiuzF0ItFsJlOL/eR5y9oAdgU5N
HE7jTEt3DU1oXZp48QKKOLDj2LfQuQbhCcZJ/XmAL9mZePvJeEf9JaRka2Qz6M1U
0Nl/Mh2oDplZhobmVRSNLGa+iyb/pbCtwX7cUbLkpiagb9aZwaHWc8Jv+kv40dw=
=2ClN
-----END PGP SIGNATURE-----
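The quoted report carries a recognisable log signature: a bumped CONNECT that the proxy answers with 200, immediately followed by Squid's own HIER_DIRECT GET to the origin ending in TCP_MISS/503, while cache.log records OpenSSL's `ssl3_get_server_certificate ... certificate verify failed`. That OpenSSL function runs on the client side of a TLS handshake, so the failing verification is Squid's check of the origin server's certificate, which `sslproxy_cert_error allow` (the workaround in the quoted config) bypasses. The script below is an added example, not code from this thread or from the Squid project: it parses Squid's native access.log format, pairs each CONNECT with the DIRECT request that follows it for the same client and host, and flags the 200-then-503 pattern, alongside a small cache.log extractor for the OpenSSL error triple. The access.log lines for shop-fonic-mobile.de are those from the quoted message; the www.example.com lines, its IP 198.51.100.7 and the five-second pairing window are constructed for contrast.

```python
"""Spot SSL-bump origin-verification failures in Squid logs (added example)."""
import re
from urllib.parse import urlsplit

# First three lines copied from the quoted report; the www.example.com pair is
# constructed (documentation-range IP) to show a healthy bumped request.
ACCESS_LOG = """\
1452703599.547 0 10.0.0.4 TCP_DENIED/407 4189 CONNECT www.shop-fonic-mobile.de:443 - HIER_NONE/- text/html
1452703599.832 272 10.0.0.4 TAG_NONE/200 0 CONNECT www.shop-fonic-mobile.de:443 MYUSER HIER_NONE/- -
1452703599.888 52 10.0.0.4 TCP_MISS/503 402 GET https://www.shop-fonic-mobile.de/ MYUSER HIER_DIRECT/85.158.6.195 text/html
1452703650.100 0 10.0.0.4 TAG_NONE/200 0 CONNECT www.example.com:443 MYUSER HIER_NONE/- -
1452703650.300 120 10.0.0.4 TCP_MISS/200 5120 GET https://www.example.com/ MYUSER HIER_DIRECT/198.51.100.7 text/html
"""

# cache.log line from the quoted report (without the stray leading "Squid").
CACHE_LOG = """\
2016/01/13 17:43:43 kid1| Error negotiating SSL on FD 22: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
"""


def parse_access(line):
    """Parse one native-format Squid access.log line into a dict, or None.

    Field order: time elapsed client squid_status/http_code bytes method url
    user hierarchy/peer content_type."""
    f = line.split()
    if len(f) != 10:
        return None
    squid_status, http_code = f[3].split("/", 1)
    hier, _, peer = f[8].partition("/")
    return {
        "ts": float(f[0]), "client": f[2], "squid_status": squid_status,
        "http_code": int(http_code), "method": f[5], "url": f[6],
        "user": f[7], "hier": hier, "peer": peer,
    }


def host_of(entry):
    """CONNECT lines carry host:port; bumped GETs carry the full https URL."""
    if entry["method"] == "CONNECT":
        return entry["url"].rsplit(":", 1)[0]
    return urlsplit(entry["url"]).hostname


def find_bump_failures(access_log, window=5.0):
    """Return one record per (client, host) where a CONNECT answered 200 was
    followed within `window` seconds (constructed default) by a HIER_DIRECT
    request that Squid itself answered 503: the bump succeeded towards the
    client but the proxy's connection to the origin did not."""
    last_connect = {}
    hits = []
    for line in access_log.splitlines():
        e = parse_access(line)
        if e is None:
            continue
        key = (e["client"], host_of(e))
        if e["method"] == "CONNECT" and e["http_code"] == 200:
            last_connect[key] = e["ts"]
        elif (e["hier"] == "HIER_DIRECT" and e["http_code"] == 503
              and key in last_connect
              and e["ts"] - last_connect[key] <= window):
            hits.append({"client": e["client"], "host": key[1],
                         "user": e["user"], "origin": e["peer"]})
    return hits


# OpenSSL error string: error:<hex code>:SSL routines:<function>:<reason> (
OPENSSL_ERR = re.compile(r"error:([0-9A-Fa-f]+):SSL routines:(\w+):(.+?) \(")


def find_verify_errors(cache_log):
    """Extract (code, function, reason) from 'Error negotiating SSL' lines."""
    out = []
    for line in cache_log.splitlines():
        if "Error negotiating SSL" not in line:
            continue
        m = OPENSSL_ERR.search(line)
        if m:
            out.append((m.group(1), m.group(2), m.group(3)))
    return out


if __name__ == "__main__":
    for hit in find_bump_failures(ACCESS_LOG):
        print("bump-then-503 for %(host)s (user %(user)s, origin %(origin)s)" % hit)
    for code, func, reason in find_verify_errors(CACHE_LOG):
        print("cache.log: %s in %s: %s" % (code, func, reason))
```

Running it reports only the shop-fonic-mobile.de host; the constructed www.example.com pair, whose DIRECT GET returned 200, is not flagged. Feeding a whole day's logs through `find_bump_failures` gives a per-host list that can be reconciled against `sslproxy_cert_error` allow entries, so each bypass stays tied to a known verification failure rather than accumulating silently.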