On 1/03/2017 4:58 a.m., stylemessiah wrote:
> This is driving me nuts, it's the only issue I've found running ssl bump on my
> home network for eons
>
> I can't see image thumbnails on xda-developers...
>
> When I access a thread with them, I get text links, not thumbnails, and if I
> click on the links I get the following:
>
>
> (71) Protocol error (TLS code:
> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
>
> SSL Certficate error: certificate issuer (CA) not known:
> /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
>
> I figured out by googling how to (I hope) trace the problem certificate via
> s_client:
>
>
> OpenSSL> s_client -showcerts -verify 32 -connect dl.xda-developers.com:443
> verify depth is 32
> CONNECTED(0000012C)
> depth=0 CN = *.xda-developers.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 CN = *.xda-developers.com
> verify error:num=21:unable to verify the first certificate
> verify return:1

That command you used does not send data through the proxy. So that
confirms that the server's TLS is broken in a way unrelated to Squid.

> ---
> Certificate chain
> 0 s:/CN=*.xda-developers.com
> i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
> ...
> ---
> Server certificate
> subject=/CN=*.xda-developers.com
> issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
> ---
> No client certificate CA names sent
> Peer signing digest: SHA512
> Server Temp Key: ECDH, P-256, 256 bits
> ---
> SSL handshake has read 2067 bytes and written 302 bytes
> Verification error: unable to verify the first certificate
>
> I've found the intermediate bundle from RapidSSL, and added it to my existing
> pem bundle...no change

You need to locate the root CA and/or intermediate CA certificates used
to sign the domain server's certificate. You then need to identify *why*
they are not being trusted by your OS library.

Be sure to determine whether the CA which is missing is actually
trustworthy before adding it to your trusted set.
More than a few of the CAs which are around are not trusted because they
have been hacked or caught signing forged certificates they should not
have.

> Added as a separate pem i.e. sslproxy_foreign_intermediate_certs
> /cygdrive/e/Squid/etc/ssl/extra-intermediate-CA.pem...no change
>
> My sslbump related config lines are:
>
> http_port 127.0.0.1:3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=10MB cert=/cygdrive/e/Squid/etc/ssl/myCA.pem
> capath=/cygdrive/e/Squid/etc/ssl
> cafile=/cygdrive/e/Squid/etc/ssl/extra-intermediate-CA.pem
> tls-dh=/cygdrive/e/Squid/etc/ssl/dhparam.pem
> options=NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE

PS. EECDH will not work unless you configure a curve name in the tls-dh=
option. Just having dhparam.pem alone will only enable the less secure DH
ciphers.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
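The diagnosis Amos gives (the server presents a leaf whose issuer it does not send, so the intermediate must come from the local store) can be checked mechanically from the `openssl s_client -showcerts` output. The script below is an added example for this thread, not code from the thread or from the Squid project. It parses the `Certificate chain` section and prints every issuer name for which the server presented no certificate. The two sample outputs embedded in it are constructed: the first mirrors the post (leaf only, `RapidSSL SHA256 CA` not sent); the second is a hypothetical complete chain whose root name, `Example Root CA`, is invented, and shows that a complete chain leaves only the root unaccounted for, which is normal because roots are expected to come from the trust store.

```shell
#!/bin/sh
# Added example, not from the thread. Find the gap in a server's presented
# certificate chain using only `openssl s_client -showcerts` output.
#
# In that output the "Certificate chain" section lists each presented
# certificate as
#    N s:<subject>
#      i:<issuer>
# followed by its PEM body. For the chain to verify, every issuer named
# must be either presented by the server or present in the local trust
# store. An issuer that no presented certificate has as its subject is
# therefore what the local store has to supply. If that name is an
# intermediate (as in the post), the server is misconfigured, and it is
# the client's decision whether that CA deserves to be trusted locally.

# Reads s_client output on stdin; prints, in chain order and without
# duplicates, each issuer name the server did not present a certificate for.
find_missing_issuers() {
  awk '
    # subject line of a presented certificate, e.g. " 0 s:/CN=*.example"
    /^ *[0-9]+ +s:/ { sub(/^ *[0-9]+ +s:/, ""); subj[$0] = 1; next }
    # issuer line that follows it, e.g. "   i:/C=US/O=.../CN=Some CA"
    /^ *i:/         { sub(/^ *i:/, ""); iss[++n] = $0; next }
    END {
      for (k = 1; k <= n; k++)
        if (!(iss[k] in subj) && !seen[iss[k]]++) print iss[k]
    }
  '
}

# Constructed sample 1: what the post shows. Only the leaf is sent, so the
# intermediate is missing. PEM bodies are omitted from this sample; the
# parser skips them in real output anyway.
SAMPLE_PARTIAL='CONNECTED(00000003)
depth=0 CN = *.xda-developers.com
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:/CN=*.xda-developers.com
   i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
---
Server certificate
subject=/CN=*.xda-developers.com
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
---
Verification error: unable to verify the first certificate'

# Constructed sample 2: a hypothetical complete chain for the same site.
# The root name is invented. Only the root is absent, and roots are meant
# to come from the local trust store, so this is not a server fault.
SAMPLE_FULL='---
Certificate chain
 0 s:/CN=*.xda-developers.com
   i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
 1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
   i:/O=Example Trust/CN=Example Root CA
---'

demo_partial_chain() { printf '%s\n' "$SAMPLE_PARTIAL" | find_missing_issuers; }
demo_full_chain()    { printf '%s\n' "$SAMPLE_FULL"    | find_missing_issuers; }

# Real use (needs network, not run here). Direct to the origin, which is
# what the poster's command did:
#   openssl s_client -showcerts -connect dl.xda-developers.com:443 </dev/null 2>/dev/null | find_missing_issuers
# Through Squid instead (s_client in OpenSSL 1.1 and later accepts -proxy);
# with ssl-bump the chain seen here is Squid's mimicked certificate signed
# by myCA.pem, not the origin's, which is why the direct test above is the
# one that isolates the origin server's misconfiguration:
#   openssl s_client -showcerts -proxy 127.0.0.1:3128 -connect dl.xda-developers.com:443 </dev/null 2>/dev/null | find_missing_issuers

demo_partial_chain
demo_full_chain
```

For the post's case the script prints `/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA`; for the complete chain it prints only the invented root. Once the missing name is known, confirm that the certificate you are about to add really is that CA (compare its subject with `openssl x509 -in file -noout -subject` and its issuer against a root you already trust, rather than trusting a bundle found by search), then put it where Squid reads it (`cafile=`, `capath=`, or `sslproxy_foreign_intermediate_certs`). Note that a `capath=` directory only works if it holds hash-named symlinks (`c_rehash` / `openssl rehash`), which is one reason a file dropped there can appear to have no effect. On Amos's PS: the Squid option takes the form `tls-dh=[curve:]file`, so `tls-dh=prime256v1:/cygdrive/e/Squid/etc/ssl/dhparam.pem` enables the ECDHE ciphers, whereas the bare file path in the quoted config enables only classic DHE.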