It seems simple: no intermediate certificate in the chain.

Root CA bundle(s) usually do not contain all intermediate CAs, because browsers can simply download them from the server/site. Squid can't auto-download (autocomplete) certificate chains and requires configuring the sslproxy_foreign_intermediate_certs option.

08.11.2016 1:32, Alex Rousskov wrote:
> On 11/07/2016 11:59 AM, L. A. Walsh wrote:
>> I have the SSL bump feature setup and so far have been happy with
>> it, but today, I got an error from a website,
> You got an error from Squid, not a website.
>
>> saying they detect my
>> ability to monitor my webtraffic and refuse to allow it:
> Actually, the error says that Squid refuses to trust the web server.
>
>> The system returned:
>>
>> (71) Protocol error (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
>>
>> Self-signed SSL Certificate in chain: /C=US/O=Entrust, Inc./OU=See
>> www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized
>> use only/CN=Entrust Root Certification Authority - G2
> ... because your Squid/OpenSSL setup does not trust the above root
> certificate at the end of the server certificate chain.
>
>> This proxy and the remote host failed to negotiate a mutually acceptable
>> security settings for handling your request. It is possible that the
>> remote host does not support secure connections, or the proxy is not
>> satisfied with the host security credentials.
> It is the latter -- "not satisfied with the host security credentials".
>
> If you believe that the missing root certificate is legitimate (i.e.,
> your Squid should trust it), then you may want to update your OpenSSL
> setup to include that root CA certificate.
>
> HTH,
>
> Alex.
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users

-- 
Cats - delicious. You just do not know how to cook them.
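An added example, not part of the thread and not Squid project code: the two diagnoses discussed above (a missing intermediate versus an untrusted root) produce different OpenSSL verification errors, reproduced here with `openssl verify` on a constructed chain. All certificate names and file paths are assumptions made for the demo, which needs only the `openssl` command-line tool.

```shell
#!/usr/bin/env bash
# Added example. Every certificate here is constructed: a throwaway
# root -> int -> leaf chain plus an unrelated root, built in a temp directory.
set -eu
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
cat > "$W/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

mk_csr() {   # mk_csr NAME: new key and CSR with subject "Constructed NAME"
  openssl req -new -newkey rsa:2048 -nodes -config "$W/ca.cnf" \
    -subj "/CN=Constructed $1" -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null
}
mk_root() {  # mk_root NAME: self-signed CA certificate
  mk_csr "$1"
  openssl x509 -req -in "$W/$1.csr" -signkey "$W/$1.key" -days 2 \
    -extfile "$W/ca.cnf" -extensions v3_ca -out "$W/$1.pem" 2>/dev/null
}
sign() {     # sign CHILD ISSUER [x509 options]: issue CHILD under ISSUER
  child=$1; issuer=$2; shift 2
  openssl x509 -req -in "$W/$child.csr" -CA "$W/$issuer.pem" \
    -CAkey "$W/$issuer.key" -CAcreateserial -days 2 \
    -out "$W/$child.pem" "$@" 2>/dev/null
}
# verify_code TRUSTED [UNTRUSTED]: verify leaf.pem against trust anchor TRUSTED,
# optionally with extra untrusted certificates; print "ok" or the error number.
verify_code() {
  out=$(openssl verify -CAfile "$W/$1.pem" ${2:+-untrusted "$W/$2.pem"} \
        "$W/leaf.pem" 2>&1) && { echo ok; return; }
  printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at.*/\1/p' | head -n1
}

mk_root root; mk_root other
mk_csr int;  sign int root -extfile "$W/ca.cnf" -extensions v3_ca
mk_csr leaf; sign leaf int
cat "$W/int.pem" "$W/root.pem" > "$W/with-root.pem"  # chain as a server might send it

echo "intermediate missing, root trusted:   $(verify_code root)"            # 20
echo "intermediate supplied as untrusted:   $(verify_code root int)"        # ok
echo "full chain sent, root not trusted:    $(verify_code other with-root)" # 19
```

Error 20 (unable to get local issuer certificate) is the case that `sslproxy_foreign_intermediate_certs` addresses, because Squid uses those certificates only as untrusted material for completing chains. Error 19 is `X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN`, which clears only when the root certificate is added to the trust store.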