In addition, this is a very old problem:

http://answers.microsoft.com/en-us/windows/forum/windows8_1-update/ssl-problem-with-windows-update-error-0x800b0109d/df2c5206-7304-4e42-ac4b-40d00bfbca87?auth=1

Damned M$.

27.03.16 2:01, Yuri Voinov wrote:
>
> Found and solved.
>
> root @ cthulhu / # openssl s_client -connect fe2.update.microsoft.com:443
> CONNECTED(00000003)
> depth=1 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = Microsoft Update Secure Server CA 2.1
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> ---
> Certificate chain
>  0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft/OU=DSP/CN=fe2.update.microsoft.com
>    i:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Update Secure Server CA 2.1
>  1 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Update Secure Server CA 2.1
>    i:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2011
> ---
> Server certificate
> subject=/C=US/ST=Washington/L=Redmond/O=Microsoft/OU=DSP/CN=fe2.update.microsoft.com
> issuer=/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Update Secure Server CA 2.1
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 3503 bytes and written 649 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES128-SHA256
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : AES128-SHA256
>     Session-ID: 7B4C0000F911C68C6B1C235D7E5DB1C001A481D27EF8B594EB7F60A73904A4A7
>     Session-ID-ctx:
>     Master-Key: 7BC9333DDD64858E393E2837FF645DB131A868322766771BDF4EBD3AE49A0AD422852AC787008F0A0CD60BC8EA5A0E75
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1459021942
>     Timeout   : 300 (sec)
>     Verify return code: 20 (unable to get local issuer certificate)
> ---
> read:errno=131
>
> The damned M$ uses an intermediate CA which is absent from the CA bundle
> by default on fe2.update.microsoft.com.
>
> In addition to the Akamai CN mismatch.
>
> Thanks all!
>
> 26.03.16 23:25, Alex Rousskov wrote:
> > On 03/26/2016 04:53 AM, Yuri Voinov wrote:
> >> http://i.imgur.com/kxrOEVd.png
> >>
> >> How to suppress this? It stops WU right now.
> >
> > Does the ssl::certDomainMismatch ACL work to bypass the
> > SQUID_X509_V_ERR_DOMAIN_MISMATCH error?
> >
> > If not, then just as a triage experiment (and not for production use!),
> > does the following bypass the SQUID_X509_V_ERR_DOMAIN_MISMATCH error?
> >
> >   sslproxy_cert_error allow all
> >
> > Alex.
> >
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
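Added example (not part of the original message or of Squid): a small Python parser for the `openssl s_client` output quoted above that walks the `s:`/`i:` pairs of the "Certificate chain" section and reports which issuer the server did not send, i.e. the CA that verify code 20 says could not be found locally. The function names are hypothetical, and the sample input is constructed from the quoted output with mail-wrapped lines rejoined and the session details trimmed.

```python
import re

# Constructed sample: the s_client output quoted in the message above, with
# mail-wrapped lines rejoined and the PEM/session details trimmed.
S_CLIENT_OUTPUT = """\
depth=1 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = Microsoft Update Secure Server CA 2.1
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft/OU=DSP/CN=fe2.update.microsoft.com
   i:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Update Secure Server CA 2.1
 1 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Update Secure Server CA 2.1
   i:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2011
---
    Verify return code: 20 (unable to get local issuer certificate)
"""

# Matches the "N s:<subject>" / "i:<issuer>" line pairs (OpenSSL 1.0.x layout).
CHAIN_RE = re.compile(r"^[ \t]*(\d+)[ \t]+s:(.+)\n[ \t]*i:(.+)$", re.MULTILINE)
VERIFY_RE = re.compile(r"Verify return code:\s*(\d+)\s*\((.*?)\)")


def parse_chain(text):
    """Return [(depth, subject, issuer)] for the certificates the server sent."""
    return [(int(d), s.strip(), i.strip()) for d, s, i in CHAIN_RE.findall(text)]


def missing_issuers(text):
    """Issuer DNs the server did not send; each must come from the local CA bundle."""
    chain = parse_chain(text)
    sent = {subject for _, subject, _ in chain}
    missing = []
    for _, _subject, issuer in chain:
        # A self-signed root names itself as issuer, so it never counts as missing.
        if issuer not in sent and issuer not in missing:
            missing.append(issuer)
    return missing


def diagnose(text):
    """Pair the final verify code with the CA names the bundle has to supply."""
    m = VERIFY_RE.search(text)
    code = int(m.group(1)) if m else None
    names = [dn.rsplit("CN=", 1)[-1] for dn in missing_issuers(text)]
    return {"verify_code": code, "needs_local_ca": names}


if __name__ == "__main__":
    print(diagnose(S_CLIENT_OUTPUT))
```

The CA it names is the one to add to the bundle the proxy verifies upstream servers against, which fixes the chain error without leaving `sslproxy_cert_error allow all` in place.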