Search squid archive

Re: SSL bump not working w/some sites.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



It seems simple no intermediate certificate in chain.

Root CA bundle(s) usually does not contain all intermediate CA's,
because of browsers can simple download it from server/site.

Squid can't do auto-downloading (autocomplete) certificate chains and
require to confiugure sslproxy_foreign_intermediate_certs option.


08.11.2016 1:32, Alex Rousskov пишет:
> On 11/07/2016 11:59 AM, L. A. Walsh wrote:
>> I have the SSL bump feature setup and so far have been happy with
>> it, but today, I got an error from a website, 
> You got an error from Squid, not a website.
>
>
>> saying they detect my
>> ability to monitor my webtraffic and refuse to allow it:
> Actually, the error says that Squid refuses to trust the web server.
>
>
>
>> The system returned:
>>
>>    (71) Protocol error (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
>>
>>    Self-signed SSL Certificate in chain: /C=US/O=Entrust, Inc./OU=See
>> www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized
>> use only/CN=Entrust Root Certification Authority - G2
> ... because your Squid/OpenSSL setup does not trust the above root
> certificate at the end of the server certificate chain.
>
>
>> This proxy and the remote host failed to negotiate a mutually acceptable
>> security settings for handling your request. It is possible that the
>> remote host does not support secure connections, or the proxy is not
>> satisfied with the host security credentials.
> It is the latter -- "not satisfied with the host security credentials".
>
> If you believe that the missing root certificate is legitimate (i.e.,
> your Squid should trust it), then you may want to update your OpenSSL
> setup to include that root CA certificate.
>
>
> HTH,
>
> Alex.
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users

-- 
Cats - delicious. You just do not know how to cook them.

Attachment: 0x613DEC46.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux