On 11/07/2016 11:59 AM, L. A. Walsh wrote: > I have the SSL bump feature setup and so far have been happy with > it, but today, I got an error from a website, You got an error from Squid, not a website. > saying they detect my > ability to monitor my webtraffic and refuse to allow it: Actually, the error says that Squid refuses to trust the web server. > The system returned: > > (71) Protocol error (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) > > Self-signed SSL Certificate in chain: /C=US/O=Entrust, Inc./OU=See > www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized > use only/CN=Entrust Root Certification Authority - G2 ... because your Squid/OpenSSL setup does not trust the above root certificate at the end of the server certificate chain. > This proxy and the remote host failed to negotiate a mutually acceptable > security settings for handling your request. It is possible that the > remote host does not support secure connections, or the proxy is not > satisfied with the host security credentials. It is the latter -- "not satisfied with the host security credentials". If you believe that the missing root certificate is legitimate (i.e., your Squid should trust it), then you may want to update your OpenSSL setup to include that root CA certificate. HTH, Alex. _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users