
Re: sslproxyflags DONT_VERIFY_PEER

That would explain the error if the Verisign Class 3 public root CA were missing. However, our Smoothwall Express OS has the standard root CA package, found in /usr/ssl/certs. Do I need to tell squid where to find those certs? If so, what config directive would I use for that?

Thanks!

On Wed, Aug 3, 2016 at 8:05 PM, Bruce Rosenberg <bruce.rosenberg.au@xxxxxxxxx> wrote:
It looks like you are missing the Verisign Class 3 Public Primary Root cert.
Notice the certificate chain list below.
Yahoo correctly sends back all intermediate certificates in the TLS handshake, so the only certificate you need to make sure squid trusts (via openssl) is the Verisign root.

You should be able to determine if the openssl client on the squid proxy can verify the complete chain by running the following command on the proxy.
The important part is that at each step it outputs "verify return:1", meaning that the certificate at that depth in the chain was successfully verified by its issuing certificate, i.e. the certificate at the previous (higher) depth that we have already established we trust.
The root certificate is automagically verified by virtue of being explicitly trusted by your openssl.


$ openssl s_client -connect www.yahoo.com:443 </dev/null
CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
verify return:1
depth=0 C = US, ST = California, L = Sunnyvale, O = Yahoo Inc., OU = Information Technology, CN = www.yahoo.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Sunnyvale/O=Yahoo Inc./OU=Information Technology/CN=www.yahoo.com
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority


On Thu, Aug 4, 2016 at 9:51 AM, Stanford Prescott <stan.prescott@xxxxxxxxx> wrote:
Okay, it's not a cert name problem.

I turned on extra debug info to see what I get when I remove the DONT_VERIFY_PEER flag and tried accessing https://www.yahoo.com. This is what I got in the cache.log. I only see a couple of lines about a certificate error. Sorry this is long, but I didn't know what to include, so I just included everything for that one access attempt.
2016/08/03 18:12:16.701 kid1| 28,4| Eui48.cc(178) lookup: id=0xa2064b0 query ARP table
2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(222) lookup: id=0xa2064b0 query ARP on each interface (128 found)
2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0 found interface lo
2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0 found interface eth2
2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(237) lookup: id=0xa2064b0 looking up ARP address for 10.40.40.110 on eth2
2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0 found interface eth1
2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(237) lookup: id=0xa2064b0 looking up ARP address for 10.40.40.110 on eth1
2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(280) lookup: id=0xa2064b0 got address 08:00:27:29:24:4a on eth1
2016/08/03 18:12:16.702 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950dec
2016/08/03 18:12:16.702 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950dec
2016/08/03 18:12:16.702 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking slow rules
2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rules)
2016/08/03 18:12:16.702 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0is not banned
2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking localhostgreen
2016/08/03 18:12:16.702 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff] (10.40.40.110:49732)  vs 10.40.40.1-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]
2016/08/03 18:12:16.702 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:49732' NOT found
2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked: localhostgreen = 0
2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0
2016/08/03 18:12:16.702 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/3is not banned
2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking tls_s1_connect
2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked: tls_s1_connect = 1
2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking all
2016/08/03 18:12:16.702 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:49732/[::] ([::]:49732)  vs [::]-[::]/[::]
2016/08/03 18:12:16.702 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:49732' found
2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1
2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1
2016/08/03 18:12:16.702 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer ALLOWED for match
2016/08/03 18:12:16.702 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED
2016/08/03 18:12:16.702 kid1| 33,2| client_side.cc(3909) httpsSslBumpAccessCheckDone: sslBump needed for local=52.34.245.108:443 remote=10.40.40.110:49732 FD 14 flags=33 method 3
2016/08/03 18:12:16.702 kid1| 28,3| Checklist.cc(70) preCheck: 0xa214d28 checking slow rules
2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking http_access
2016/08/03 18:12:16.702 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0is not banned
2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking http_access#1
2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking SWE_subnets
2016/08/03 18:12:16.702 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00] (10.40.40.0:49732)  vs 192.168.192.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]
2016/08/03 18:12:16.703 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00] (10.40.40.0:49732)  vs 10.40.40.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]
2016/08/03 18:12:16.703 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00] (10.40.40.0:49732)  vs 10.40.40.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]
2016/08/03 18:12:16.703 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:49732' found
2016/08/03 18:12:16.703 kid1| 28,3| Acl.cc(158) matches: checked: SWE_subnets = 1
2016/08/03 18:12:16.703 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 1
2016/08/03 18:12:16.703 kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1
2016/08/03 18:12:16.703 kid1| 28,3| Checklist.cc(63) markFinished: 0xa214d28 answer ALLOWED for match
2016/08/03 18:12:16.703 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa214d28 answer=ALLOWED
2016/08/03 18:12:16.703 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94fc08
2016/08/03 18:12:16.703 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf94fc08
2016/08/03 18:12:16.703 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94fd3c
2016/08/03 18:12:16.703 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf94fd3c
2016/08/03 18:12:16.703 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa214d28
2016/08/03 18:12:16.703 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa214d28
2016/08/03 18:12:16.703 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8
2016/08/03 18:12:16.703 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8
2016/08/03 18:12:16.704 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking slow rules
2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rules)
2016/08/03 18:12:16.704 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0 is  banned
2016/08/03 18:12:16.704 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/3is not banned
2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking tls_s1_connect
2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: tls_s1_connect = 0
2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0
2016/08/03 18:12:16.704 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/6is not banned
2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking tls_s2_client_hello
2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: tls_s2_client_hello = 1
2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking tls_to_splice
2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking tls_allowed_hsts
2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(42) match: checking 'tiles.services.mozilla.com'
2016/08/03 18:12:16.704 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:tiles.services.mozilla.com <>  .akamaihd.net
2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(47) match: 'tiles.services.mozilla.com' NOT found
2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(42) match: checking 'none'
2016/08/03 18:12:16.704 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:none <>  .akamaihd.net
2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(47) match: 'none' NOT found
2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: tls_allowed_hsts = 0
2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking tls_server_is_bank
2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(42) match: checking 'tiles.services.mozilla.com'
2016/08/03 18:12:16.704 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:tiles.services.mozilla.com <>  .wellsfargo.com
2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(47) match: 'tiles.services.mozilla.com' NOT found
2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(42) match: checking 'none'
2016/08/03 18:12:16.704 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:none <>  .wellsfargo.com
2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(47) match: 'none' NOT found
2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: tls_server_is_bank = 0
2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: tls_to_splice = 0
2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0
2016/08/03 18:12:16.704 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/4is not banned
2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking tls_s2_client_hello
2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: tls_s2_client_hello = 1
2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking all
2016/08/03 18:12:16.704 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:49732/[::] ([::]:49732)  vs [::]-[::]/[::]
2016/08/03 18:12:16.704 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:49732' found
2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1
2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1
2016/08/03 18:12:16.704 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer ALLOWED for match
2016/08/03 18:12:16.704 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED
2016/08/03 18:12:16.704 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf95080c
2016/08/03 18:12:16.704 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf95080c
2016/08/03 18:12:16.704 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8
2016/08/03 18:12:16.704 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8
2016/08/03 18:12:16.869 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking fast rules
2016/08/03 18:12:16.870 kid1| 28,5| Checklist.cc(346) fastCheck: aclCheckFast: list: 0x9de0a80
2016/08/03 18:12:16.870 kid1| 28,5| Acl.cc(138) matches: checking sslproxy_cert_error
2016/08/03 18:12:16.870 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'DENIED/0is not banned
2016/08/03 18:12:16.870 kid1| 28,5| Acl.cc(138) matches: checking sslproxy_cert_error#1
2016/08/03 18:12:16.870 kid1| 28,5| Acl.cc(138) matches: checking all
2016/08/03 18:12:16.870 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:49732/[::] ([::]:49732)  vs [::]-[::]/[::]
2016/08/03 18:12:16.870 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:49732' found
2016/08/03 18:12:16.870 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2016/08/03 18:12:16.870 kid1| 28,3| Acl.cc(158) matches: checked: sslproxy_cert_error#1 = 1
2016/08/03 18:12:16.870 kid1| 28,3| Acl.cc(158) matches: checked: sslproxy_cert_error = 1
2016/08/03 18:12:16.870 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer DENIED for match
2016/08/03 18:12:16.870 kid1| Error negotiating SSL on FD 16: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2016/08/03 18:12:16.871 kid1| 28,3| Checklist.cc(70) preCheck: 0xbf950b68 checking fast ACLs
2016/08/03 18:12:16.871 kid1| 28,5| Acl.cc(138) matches: checking cache_access_log stdio:/var/log/squid/access.log
2016/08/03 18:12:16.871 kid1| 28,5| Acl.cc(138) matches: checking (cache_access_log stdio:/var/log/squid/access.log line)
2016/08/03 18:12:16.871 kid1| 28,3| Acl.cc(158) matches: checked: (cache_access_log stdio:/var/log/squid/access.log line) = 1
2016/08/03 18:12:16.871 kid1| 28,3| Acl.cc(158) matches: checked: cache_access_log stdio:/var/log/squid/access.log = 1
2016/08/03 18:12:16.871 kid1| 28,3| Checklist.cc(63) markFinished: 0xbf950b68 answer ALLOWED for match
2016/08/03 18:12:16.871 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950b68
2016/08/03 18:12:16.871 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950b68
2016/08/03 18:12:16.998 kid1| 33,2| client_side.cc(816) swanSong: local=52.34.245.108:443 remote=10.40.40.110:49732 flags=33
2016/08/03 18:12:16.998 kid1| 28,3| Checklist.cc(70) preCheck: 0xbf950c28 checking fast ACLs
2016/08/03 18:12:16.998 kid1| 28,5| Acl.cc(138) matches: checking cache_access_log stdio:/var/log/squid/access.log
2016/08/03 18:12:16.998 kid1| 28,5| Acl.cc(138) matches: checking (cache_access_log stdio:/var/log/squid/access.log line)
2016/08/03 18:12:16.998 kid1| 28,3| Acl.cc(158) matches: checked: (cache_access_log stdio:/var/log/squid/access.log line) = 1
2016/08/03 18:12:16.998 kid1| 28,3| Acl.cc(158) matches: checked: cache_access_log stdio:/var/log/squid/access.log = 1
2016/08/03 18:12:16.998 kid1| 28,3| Checklist.cc(63) markFinished: 0xbf950c28 answer ALLOWED for match
2016/08/03 18:12:16.998 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950c28
2016/08/03 18:12:16.998 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950c28
2016/08/03 18:12:16.998 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8
2016/08/03 18:12:16.998 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8
2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(178) lookup: id=0xa2064b0 query ARP table
2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(222) lookup: id=0xa2064b0 query ARP on each interface (128 found)
2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0 found interface lo
2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0 found interface eth2
2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(237) lookup: id=0xa2064b0 looking up ARP address for 10.40.40.110 on eth2
2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0 found interface eth1
2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(237) lookup: id=0xa2064b0 looking up ARP address for 10.40.40.110 on eth1
2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(280) lookup: id=0xa2064b0 got address 08:00:27:29:24:4a on eth1
2016/08/03 18:12:21.032 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950dec
2016/08/03 18:12:21.032 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950dec
2016/08/03 18:12:21.054 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking slow rules
2016/08/03 18:12:21.054 kid1| 28,5| Acl.cc(138) matches: checking http_access
2016/08/03 18:12:21.054 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0is not banned
2016/08/03 18:12:21.054 kid1| 28,5| Acl.cc(138) matches: checking http_access#1
2016/08/03 18:12:21.054 kid1| 28,5| Acl.cc(138) matches: checking SWE_subnets
2016/08/03 18:12:21.054 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:40595/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00] (10.40.40.0:40595)  vs 10.40.40.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]
2016/08/03 18:12:21.054 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:40595' found
2016/08/03 18:12:21.054 kid1| 28,3| Acl.cc(158) matches: checked: SWE_subnets = 1
2016/08/03 18:12:21.054 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 1
2016/08/03 18:12:21.054 kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1
2016/08/03 18:12:21.054 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer ALLOWED for match
2016/08/03 18:12:21.054 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED
2016/08/03 18:12:21.054 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950198
2016/08/03 18:12:21.054 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950198
2016/08/03 18:12:21.054 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf9502cc
2016/08/03 18:12:21.054 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf9502cc
2016/08/03 18:12:21.054 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94f87c
2016/08/03 18:12:21.054 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf94f87c
2016/08/03 18:12:21.054 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8
2016/08/03 18:12:21.054 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8
2016/08/03 18:12:21.101 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf9509dc
2016/08/03 18:12:21.102 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf9509dc
2016/08/03 18:12:21.150 kid1| 28,3| Checklist.cc(70) preCheck: 0xbf950ae8 checking fast ACLs
2016/08/03 18:12:21.150 kid1| 28,5| Acl.cc(138) matches: checking cache_access_log stdio:/var/log/squid/access.log
2016/08/03 18:12:21.150 kid1| 28,5| Acl.cc(138) matches: checking (cache_access_log stdio:/var/log/squid/access.log line)
2016/08/03 18:12:21.150 kid1| 28,3| Acl.cc(158) matches: checked: (cache_access_log stdio:/var/log/squid/access.log line) = 1
2016/08/03 18:12:21.150 kid1| 28,3| Acl.cc(158) matches: checked: cache_access_log stdio:/var/log/squid/access.log = 1
2016/08/03 18:12:21.150 kid1| 28,3| Checklist.cc(63) markFinished: 0xbf950ae8 answer ALLOWED for match
2016/08/03 18:12:21.150 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950ae8
2016/08/03 18:12:21.150 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950ae8
2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(178) lookup: id=0xa224638 query ARP table
2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(222) lookup: id=0xa224638 query ARP on each interface (128 found)
2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(228) lookup: id=0xa224638 found interface lo
2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(228) lookup: id=0xa224638 found interface eth2
2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(237) lookup: id=0xa224638 looking up ARP address for 10.40.40.110 on eth2
2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(228) lookup: id=0xa224638 found interface eth1
2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(237) lookup: id=0xa224638 looking up ARP address for 10.40.40.110 on eth1
2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(280) lookup: id=0xa224638 got address 08:00:27:29:24:4a on eth1
2016/08/03 18:12:21.171 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950dec
2016/08/03 18:12:21.171 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950dec
2016/08/03 18:12:21.171 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking slow rules
2016/08/03 18:12:21.171 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rules)
2016/08/03 18:12:21.171 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0is not banned
2016/08/03 18:12:21.171 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
2016/08/03 18:12:21.171 kid1| 28,5| Acl.cc(138) matches: checking localhostgreen
2016/08/03 18:12:21.171 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:35474/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff] (10.40.40.110:35474)  vs 10.40.40.1-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]
2016/08/03 18:12:21.172 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:35474' NOT found
2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: localhostgreen = 0
2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0
2016/08/03 18:12:21.172 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/3is not banned
2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking tls_s1_connect
2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: tls_s1_connect = 1
2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking all
2016/08/03 18:12:21.172 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:35474/[::] ([::]:35474)  vs [::]-[::]/[::]
2016/08/03 18:12:21.172 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:35474' found
2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1
2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1
2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer ALLOWED for match
2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED
2016/08/03 18:12:21.172 kid1| 33,2| client_side.cc(3909) httpsSslBumpAccessCheckDone: sslBump needed for local=98.138.253.109:443 remote=10.40.40.110:35474 FD 18 flags=33 method 3
2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(70) preCheck: 0xa214d28 checking slow rules
2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking http_access
2016/08/03 18:12:21.172 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0is not banned
2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking http_access#1
2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking SWE_subnets
2016/08/03 18:12:21.172 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:35474/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00] (10.40.40.0:35474)  vs 10.40.40.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]
2016/08/03 18:12:21.172 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:35474' found
2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: SWE_subnets = 1
2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 1
2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1
2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(63) markFinished: 0xa214d28 answer ALLOWED for match
2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa214d28 answer=ALLOWED
2016/08/03 18:12:21.172 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94fc08
2016/08/03 18:12:21.172 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf94fc08
2016/08/03 18:12:21.172 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94fd3c
2016/08/03 18:12:21.172 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf94fd3c
2016/08/03 18:12:21.172 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa214d28
2016/08/03 18:12:21.172 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa214d28
2016/08/03 18:12:21.172 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8
2016/08/03 18:12:21.172 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8
2016/08/03 18:12:21.173 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking slow rules
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rules)
2016/08/03 18:12:21.173 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0 is  banned
2016/08/03 18:12:21.173 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/3is not banned
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking tls_s1_connect
2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: tls_s1_connect = 0
2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0
2016/08/03 18:12:21.173 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/6is not banned
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking tls_s2_client_hello
2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: tls_s2_client_hello = 1
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking tls_to_splice
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking tls_allowed_hsts
2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(42) match: checking 'www.yahoo.com'
2016/08/03 18:12:21.173 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:www.yahoo.com <>  .akamaihd.net
2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(47) match: 'www.yahoo.com' NOT found
2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(42) match: checking 'none'
2016/08/03 18:12:21.173 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:none <>  .akamaihd.net
2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(47) match: 'none' NOT found
2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: tls_allowed_hsts = 0
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking tls_server_is_bank
2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(42) match: checking 'www.yahoo.com'
2016/08/03 18:12:21.173 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:www.yahoo.com <>  .wellsfargo.com
2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(47) match: 'www.yahoo.com' NOT found
2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(42) match: checking 'none'
2016/08/03 18:12:21.173 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:none <>  .wellsfargo.com
2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(47) match: 'none' NOT found
2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: tls_server_is_bank = 0
2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: tls_to_splice = 0
2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0
2016/08/03 18:12:21.173 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/4is not banned
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking tls_s2_client_hello
2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: tls_s2_client_hello = 1
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking all
2016/08/03 18:12:21.173 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:35474/[::] ([::]:35474)  vs [::]-[::]/[::]
2016/08/03 18:12:21.173 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:35474' found
2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1
2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1
2016/08/03 18:12:21.173 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer ALLOWED for match
2016/08/03 18:12:21.173 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED
2016/08/03 18:12:21.173 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf95080c
2016/08/03 18:12:21.173 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf95080c
2016/08/03 18:12:21.173 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8
2016/08/03 18:12:21.173 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8
2016/08/03 18:12:21.278 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking fast rules
2016/08/03 18:12:21.278 kid1| 28,5| Checklist.cc(346) fastCheck: aclCheckFast: list: 0x9de0a80
2016/08/03 18:12:21.278 kid1| 28,5| Acl.cc(138) matches: checking sslproxy_cert_error
2016/08/03 18:12:21.278 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'DENIED/0is not banned
2016/08/03 18:12:21.278 kid1| 28,5| Acl.cc(138) matches: checking sslproxy_cert_error#1
2016/08/03 18:12:21.278 kid1| 28,5| Acl.cc(138) matches: checking all
2016/08/03 18:12:21.278 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:35474/[::] ([::]:35474)  vs [::]-[::]/[::]
2016/08/03 18:12:21.278 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:35474' found
2016/08/03 18:12:21.278 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2016/08/03 18:12:21.278 kid1| 28,3| Acl.cc(158) matches: checked: sslproxy_cert_error#1 = 1
2016/08/03 18:12:21.278 kid1| 28,3| Acl.cc(158) matches: checked: sslproxy_cert_error = 1
2016/08/03 18:12:21.278 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer DENIED for match
2016/08/03 18:12:21.278 kid1| Error negotiating SSL on FD 20: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2016/08/03 18:12:21.279 kid1| 28,3| Checklist.cc(70) preCheck: 0xbf950b68 checking fast ACLs
2016/08/03 18:12:21.279 kid1| 28,5| Acl.cc(138) matches: checking cache_access_log stdio:/var/log/squid/access.log
2016/08/03 18:12:21.279 kid1| 28,5| Acl.cc(138) matches: checking (cache_access_log stdio:/var/log/squid/access.log line)
2016/08/03 18:12:21.279 kid1| 28,3| Acl.cc(158) matches: checked: (cache_access_log stdio:/var/log/squid/access.log line) = 1
2016/08/03 18:12:21.279 kid1| 28,3| Acl.cc(158) matches: checked: cache_access_log stdio:/var/log/squid/access.log = 1
2016/08/03 18:12:21.279 kid1| 28,3| Checklist.cc(63) markFinished: 0xbf950b68 answer ALLOWED for match
2016/08/03 18:12:21.279 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950b68
2016/08/03 18:12:21.279 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950b68
2016/08/03 18:12:21.331 kid1| 33,2| client_side.cc(816) swanSong: local=98.138.253.109:443 remote=10.40.40.110:35474 flags=33
2016/08/03 18:12:21.331 kid1| 28,3| Checklist.cc(70) preCheck: 0xbf950c28 checking fast ACLs
2016/08/03 18:12:21.331 kid1| 28,5| Acl.cc(138) matches: checking cache_access_log stdio:/var/log/squid/access.log
2016/08/03 18:12:21.331 kid1| 28,5| Acl.cc(138) matches: checking (cache_access_log stdio:/var/log/squid/access.log line)
2016/08/03 18:12:21.331 kid1| 28,3| Acl.cc(158) matches: checked: (cache_access_log stdio:/var/log/squid/access.log line) = 1
2016/08/03 18:12:21.331 kid1| 28,3| Acl.cc(158) matches: checked: cache_access_log stdio:/var/log/squid/access.log = 1
2016/08/03 18:12:21.331 kid1| 28,3| Checklist.cc(63) markFinished: 0xbf950c28 answer ALLOWED for match
2016/08/03 18:12:21.331 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950c28
2016/08/03 18:12:21.331 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950c28
2016/08/03 18:12:21.331 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8
2016/08/03 18:12:21.331 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8

The web browser error says:
"Failed to establish a secure connection to (a yahoo.com IP address was here)"
and another message of "(71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)"
and "Certificate issuer (CA) not known".

On Wed, Aug 3, 2016 at 4:12 PM, Stanford Prescott <stan.prescott@xxxxxxxxx> wrote:
Thanks for the info, Alex. That's very helpful about cleaning up my ACLs. Those ACLs are a collection of ACLs that others have suggested I use, but it would be nice to make them less confusing for me.

With my limited understanding of how sslbump works, the idea for squid to play MITM is that a self-signed cert like squidCA.der is imported to a browser's root CAs. I have left a copy of the self-signed cert named squidCA.pem in squid's cert directory, which only works if squid is told to not verify the peer. When following the instructions on how to generate the self-signed cert with openssl, the .pem file must be converted to a .der file for the browser to accept it. It just dawned on me: could this be related to the fact that the squid self-signed certs are not named the same?

On Wed, Aug 3, 2016 at 3:01 PM, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 08/03/2016 08:45 AM, Stanford Prescott wrote:

> ssl_bump none localhostgreen
> ssl_bump peek tls_s1_connect all
> ssl_bump splice tls_s2_client_hello tls_to_splice
> ssl_bump stare tls_s2_client_hello all
> ssl_bump bump tls_s3_server_hello all

AFAICT, the above is too complex. You can simplify it with:

  ssl_bump splice localhostgreen
  ssl_bump peek tls_s1_connect
  ssl_bump splice tls_to_splice
  ssl_bump stare all
  ssl_bump bump all

and, after polishing your ACLs a little, possibly even with:

  ssl_bump splice transactions_to_splice
  ssl_bump peek tls_s1_connect
  ssl_bump stare all
  ssl_bump bump all

where transactions_to_splice is "localhostgreen or (tls_s2_client_hello
and tls_to_splice)".


As for your original question, I recommend figuring out why Squid cannot
verify the peer. For example, your setup might be missing fresh
certificates for some well-known Root CAs. I do not know a good way to
figure out why peer verification does not work, but analyzing cache.log
with high-enough debugging level should be doable, especially if you can
reproduce the problem using a single transaction:

http://wiki.squid-cache.org/SquidFaq/BugReporting#Debugging_a_single_transaction


HTH,

Alex.




_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
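Alex's advice to read cache.log at a high debug level is what the excerpt at the top of this message shows. The following is an added example (mine, not Squid code and not from anyone in this thread) that parses a constructed sample of those section-28 lines into one verdict per ACL checklist and attaches the OpenSSL error to the evaluation that produced it. The regexes assume the "Acl.cc(...) matches: checking/checked:", "Checklist.cc(...) markFinished" and "Error negotiating SSL" line shapes visible in the excerpt; the sample lines are copied from it and trimmed.

```python
"""Summarise Squid cache.log ACL debug lines (debug_options 28) per checklist.

Added illustration, not Squid code. It assumes the line formats seen in
this thread's cache.log excerpt.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: lines lifted from the excerpt quoted in this thread and
# trimmed to those the parser needs (the ssl_bump evaluation, the
# sslproxy_cert_error evaluation that denied, the OpenSSL error, and the
# access-log evaluation that followed).
SAMPLE_LOG = """\
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rules)
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking tls_s2_client_hello
2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: tls_s2_client_hello = 1
2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1
2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1
2016/08/03 18:12:21.173 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer ALLOWED for match
2016/08/03 18:12:21.278 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking fast rules
2016/08/03 18:12:21.278 kid1| 28,5| Acl.cc(138) matches: checking sslproxy_cert_error
2016/08/03 18:12:21.278 kid1| 28,5| Acl.cc(138) matches: checking sslproxy_cert_error#1
2016/08/03 18:12:21.278 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2016/08/03 18:12:21.278 kid1| 28,3| Acl.cc(158) matches: checked: sslproxy_cert_error#1 = 1
2016/08/03 18:12:21.278 kid1| 28,3| Acl.cc(158) matches: checked: sslproxy_cert_error = 1
2016/08/03 18:12:21.278 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer DENIED for match
2016/08/03 18:12:21.278 kid1| Error negotiating SSL on FD 20: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2016/08/03 18:12:21.279 kid1| 28,3| Checklist.cc(70) preCheck: 0xbf950b68 checking fast ACLs
2016/08/03 18:12:21.279 kid1| 28,5| Acl.cc(138) matches: checking cache_access_log stdio:/var/log/squid/access.log
2016/08/03 18:12:21.279 kid1| 28,3| Acl.cc(158) matches: checked: cache_access_log stdio:/var/log/squid/access.log = 1
2016/08/03 18:12:21.279 kid1| 28,3| Checklist.cc(63) markFinished: 0xbf950b68 answer ALLOWED for match
"""

CHECKING_RE = re.compile(r"\| 28,\d\| Acl\.cc\(\d+\) matches: checking (.+)$")
CHECKED_RE = re.compile(r"\| 28,\d\| Acl\.cc\(\d+\) matches: checked: (.+?) = (-?\d+)$")
FINISHED_RE = re.compile(r"Checklist\.cc\(\d+\) markFinished: (0x[0-9a-f]+) answer (\w+) for match")
SSL_ERR_RE = re.compile(r"Error negotiating SSL on FD (\d+): error:([0-9A-Fa-f]+):(.+?) \(")


@dataclass
class Evaluation:
    directive: str                                   # ACL list being evaluated
    checks: List[Tuple[str, int]] = field(default_factory=list)  # (acl name, result)
    checklist: Optional[str] = None                  # checklist object address
    answer: Optional[str] = None                     # ALLOWED / DENIED
    ssl_error: Optional[str] = None                  # OpenSSL error text, if any


def parse_cache_log(text: str) -> List[Evaluation]:
    """Group 'checking'/'checked'/'markFinished' lines into one Evaluation per ACL list."""
    evaluations: List[Evaluation] = []
    current: Optional[Evaluation] = None
    for line in text.splitlines():
        m = CHECKING_RE.search(line)
        if m:
            # The first 'checking' after a verdict names the directive being evaluated;
            # later 'checking' lines are nested ACLs of the same list.
            if current is None or current.answer is not None:
                current = Evaluation(directive=m.group(1).strip())
                evaluations.append(current)
            continue
        m = CHECKED_RE.search(line)
        if m and current is not None:
            current.checks.append((m.group(1), int(m.group(2))))
            continue
        m = FINISHED_RE.search(line)
        if m and current is not None:
            current.checklist, current.answer = m.group(1), m.group(2)
            continue
        m = SSL_ERR_RE.search(line)
        if m and evaluations:
            # The OpenSSL failure is logged right after the verdict that triggered it.
            evaluations[-1].ssl_error = m.group(3)
    return evaluations


def diagnose(evaluations: List[Evaluation]) -> List[str]:
    """Findings a reader would want: which rule denied, and what OpenSSL said."""
    findings = []
    for ev in evaluations:
        if ev.directive.startswith("sslproxy_cert_error") and ev.answer == "DENIED":
            rules = [name for name, result in ev.checks if result == 1 and "#" in name]
            findings.append(
                f"{ev.checklist}: certificate error matched {', '.join(rules)} and the verdict "
                "was DENIED, so Squid refused the server certificate (the safe default; fix the "
                "trust store rather than allowing the error)")
        if ev.ssl_error:
            findings.append(f"{ev.checklist}: OpenSSL said '{ev.ssl_error}'")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_cache_log(SAMPLE_LOG)):
        print(finding)
```

Run against a real cache.log captured with the single-transaction recipe Alex links, the two findings it prints tell you that the deny came from Squid's own sslproxy_cert_error policy reacting to an OpenSSL verify failure, which points at the trust store (or the CA directives) rather than at the ssl_bump rules.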

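The thread's subject line (sslproxy_flags DONT_VERIFY_PEER) and Alex's point that the real fix is to make peer verification work suggest a check worth automating. The following is an added example, mine and not part of Squid or of anything posted in this thread: it audits a squid.conf fragment for outbound TLS verification settings, flagging the weak shape (verification switched off, or every certificate error allowed) and the absence of any directive that points Squid at a trust store. Both config fragments are constructed; the hardened one reuses Alex's simplified ssl_bump rules and the /usr/ssl/certs path named in this thread. sslproxy_cafile/sslproxy_capath are the Squid 3.5 directives and tls_outgoing_options cafile=/capath= the Squid 4 equivalents, both from my own knowledge of Squid, not from this page.

```python
"""Audit a squid.conf fragment for outbound TLS verification settings.

Added illustration, not Squid code. Directive names are Squid 3.5
(sslproxy_*) and Squid 4 (tls_outgoing_options); the configs are constructed.
"""
from typing import List, Tuple

# Constructed: the weak shape this thread is about, i.e. verification turned off
# (or all certificate errors tolerated) to paper over a trust-store problem.
WEAK_CONF = """\
ssl_bump none localhostgreen
ssl_bump peek tls_s1_connect all
ssl_bump splice tls_s2_client_hello tls_to_splice
ssl_bump stare tls_s2_client_hello all
ssl_bump bump tls_s3_server_hello all
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_error allow all
"""

# Constructed: the hardened shape. Alex's simplified ssl_bump rules, verification
# left on, Squid pointed at the OS trust store, certificate errors denied.
# sslproxy_capath expects an OpenSSL hash-named directory (c_rehash style); if
# /usr/ssl/certs is a plain pile of PEM files, use sslproxy_cafile with a bundle.
HARDENED_CONF = """\
ssl_bump splice localhostgreen
ssl_bump peek tls_s1_connect
ssl_bump splice tls_to_splice
ssl_bump stare all
ssl_bump bump all
sslproxy_capath /usr/ssl/certs
sslproxy_cert_error deny all
"""


def parse_conf(text: str) -> List[Tuple[str, List[str]]]:
    """Return (directive, args) pairs, skipping blank lines and '#' comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        rules.append((parts[0], parts[1:]))
    return rules


def audit(text: str) -> List[str]:
    """Findings about Squid's verification of server (upstream) certificates."""
    findings: List[str] = []
    has_ca_source = False
    for directive, args in parse_conf(text):
        if directive == "sslproxy_flags" and "DONT_VERIFY_PEER" in args:
            findings.append("sslproxy_flags DONT_VERIFY_PEER: server certificates are accepted "
                            "unverified, so an interposed server on Squid's outbound side is "
                            "indistinguishable from the real one")
        if directive == "tls_outgoing_options" and any("DONT_VERIFY_PEER" in a for a in args):
            findings.append("tls_outgoing_options flags=DONT_VERIFY_PEER: same problem as "
                            "sslproxy_flags DONT_VERIFY_PEER, Squid 4 spelling")
        if directive == "sslproxy_cert_error":
            if args == ["allow", "all"]:
                findings.append("sslproxy_cert_error allow all: every verification error is "
                                "tolerated, which is equivalent to not verifying")
            elif args[:1] == ["allow"]:
                findings.append("sslproxy_cert_error allow " + " ".join(args[1:]) +
                                ": scoped exception, confirm the ACL is as narrow as intended")
        if directive in ("sslproxy_cafile", "sslproxy_capath"):
            has_ca_source = True
        if directive == "tls_outgoing_options" and any(
                a.startswith(("cafile=", "capath=")) for a in args):
            has_ca_source = True
    if not has_ca_source:
        findings.append("no sslproxy_cafile/sslproxy_capath (or tls_outgoing_options "
                        "cafile=/capath=): Squid is not pointed at the OS trust store; a root "
                        "OpenSSL cannot find is reported as "
                        "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, the code the browser "
                        "showed in this thread")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}]")
        for finding in audit(conf) or ["no findings"]:
            print("  " + finding)
```

The audit is deliberately narrow: it says nothing about the ssl_bump rules themselves, only about whether Squid will actually verify what it bumps. With the hardened fragment the remaining question is the one from the top of this thread, whether the trust store on disk contains the Verisign root, which the openssl s_client check quoted earlier answers directly.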