Thanks Amos for the info, appreciate your tireless assistance for us numpties :)

On 2 Mar. 2017 4:06 am, "Amos Jeffries [via Squid Web Proxy Cache]" wrote:

> On 1/03/2017 4:58 a.m., stylemessiah wrote:
> >
> > This is driving me nuts, it's the only issue I've found running ssl bump on my
> > home network for eons
> >
> > I can't see image thumbnails on xda-developers...
> >
> > When I access a thread with them, I get text links, not thumbnails, and if I
> > click on the links I get the following:
> >
> >
> > (71) Protocol error (TLS code:
> > X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
> >
> > SSL Certficate error: certificate issuer (CA) not known:
> > /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
> >
> > I figured out by googling how to (I hope) trace the problem certificate via
> > s_client:
> >
> >
> > OpenSSL> s_client -showcerts -verify 32 -connect dl.xda-developers.com:443
> > verify depth is 32
> > CONNECTED(0000012C)
> > depth=0 CN = *.xda-developers.com
> > verify error:num=20:unable to get local issuer certificate
> > verify return:1
> > depth=0 CN = *.xda-developers.com
> > verify error:num=21:unable to verify the first certificate
> > verify return:1
>
> That command you used does not send data through the proxy. So that
> confirms that the server's TLS is broken in a way unrelated to Squid.
>
> >
> > ---
> > Certificate chain
> >  0 s:/CN=*.xda-developers.com
> >    i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
> ...
> >
> > ---
> > Server certificate
> > subject=/CN=*.xda-developers.com
> > issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
> > ---
> > No client certificate CA names sent
> > Peer signing digest: SHA512
> > Server Temp Key: ECDH, P-256, 256 bits
> > ---
> > SSL handshake has read 2067 bytes and written 302 bytes
> > Verification error: unable to verify the first certificate
> >
> >
> > I've found the intermediate bundle from RapidSSL, and added it to my existing
> > pem bundle...no change
>
> You need to locate the root CA and/or intermediate CA certificates used
> to sign the domain server's certificate.
>
> You then need to identify *why* they are not being trusted by your OS
> library.
>
> Be sure to determine whether the CA which is missing is actually
> trustworthy before adding it to your trusted set. More than a few of the
> CAs which are around are not trusted because they have been hacked or
> caught signing forged certificates they should not have.
>
> > Added as a separate pem i.e. sslproxy_foreign_intermediate_certs
> > /cygdrive/e/Squid/etc/ssl/extra-intermediate-CA.pem...no change
> >
> > My sslbump related config lines are:
> >
> > http_port 127.0.0.1:3128 ssl-bump generate-host-certificates=on
> > dynamic_cert_mem_cache_size=10MB cert=/cygdrive/e/Squid/etc/ssl/myCA.pem
> > capath=/cygdrive/e/Squid/etc/ssl
> > cafile=/cygdrive/e/Squid/etc/ssl/extra-intermediate-CA.pem
> > tls-dh=/cygdrive/e/Squid/etc/ssl/dhparam.pem
> > options=NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE
>
> PS. EECDH will not work unless you configure a curve name in the
> tls-dh= option. Just having dhparam.pem alone will only enable the less
> secure DH ciphers.
>
> Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
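The failure discussed in the thread, reproduced offline as an added example (this is not code from the thread, from Squid or from either poster). It builds a throwaway root -> intermediate -> leaf chain with the openssl command-line tool (all names and keys are constructed for the demo; the only assumption is that `openssl` 1.1.x or 3.x is on PATH), then verifies the leaf three ways: against the root alone, which produces the same "unable to get local issuer certificate" (error 20, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) that Squid reported; with the intermediate supplied as untrusted chain material, the way a server is supposed to send it; and with root and intermediate concatenated into one bundle, which is what adding the intermediate to a CA pem file amounts to. The `issuer_matches` helper is the "identify which certificate is missing" step: the leaf's issuer DN has to appear verbatim as a subject in whatever bundle you hand to the verifier.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Everything below is a
# constructed demo PKI; "Demo Root CA", "Demo Intermediate CA" and
# www.example.test are made up. Requires `openssl` (1.1.x or 3.x) on PATH.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles: one for CA certificates, one for a TLS server (leaf).
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
              'keyUsage=critical,keyCertSign,cRLSign' \
              'subjectKeyIdentifier=hash' > ca.ext
printf '%s\n' 'basicConstraints=CA:FALSE' \
              'keyUsage=digitalSignature,keyEncipherment' \
              'extendedKeyUsage=serverAuth' \
              'subjectAltName=DNS:www.example.test' > leaf.ext

# Self-signed root, intermediate signed by the root, leaf signed by the intermediate.
make_chain() {
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Root CA' \
    -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 2 -sha256 \
    -extfile ca.ext -out root.pem 2>/dev/null

  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
    -keyout inter.key -out inter.csr 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -sha256 -extfile ca.ext -out inter.pem 2>/dev/null

  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=www.example.test' \
    -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 2 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null
}

# verify_chain <trusted-cafile> [<untrusted-intermediates>]
# Prints openssl's verdict for leaf.pem and returns its exit status (0 only on "OK").
verify_chain() {
  if [ $# -ge 2 ]; then
    openssl verify -CAfile "$1" -untrusted "$2" leaf.pem 2>&1
  else
    openssl verify -CAfile "$1" leaf.pem 2>&1
  fi
}

# issuer_matches <cert> <candidate-issuer-cert>
# True when the candidate's subject DN is exactly <cert>'s issuer DN, i.e. the
# candidate is the certificate the verifier has to be able to find.
issuer_matches() {
  want=$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//')
  have=$(openssl x509 -in "$2" -noout -subject | sed 's/^subject=//')
  [ "$want" = "$have" ]
}

make_chain
cat root.pem inter.pem > bundle.pem   # "intermediate added to the existing pem bundle"

echo "leaf issuer:   $(openssl x509 -in leaf.pem -noout -issuer)"
echo "intermediate:  $(openssl x509 -in inter.pem -noout -subject)"
echo "--- root only (reproduces error 20):";   verify_chain root.pem || true
echo "--- root trusted + intermediate untrusted:"; verify_chain root.pem inter.pem
echo "--- concatenated bundle:";                 verify_chain bundle.pem
```

The first verify fails exactly as the OP's s_client output did: the verifier holds the leaf and a trusted root but nothing whose subject equals the leaf's issuer, so it cannot take the first step up the chain. Both of the other two succeed, which shows that a bundle only helps when it contains the certificate whose subject matches the leaf's issuer DN character for character; a bundle for a different intermediate of the same CA brand changes nothing. Amos's caveat still applies to the real world: the demo root is trusted only because you just generated it, and a real intermediate you fetch from the web should be checked back to a root you already trust before it goes into `cafile=` or `sslproxy_foreign_intermediate_certs`.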