> That command you used does not send data through the proxy. So that
> confirms that the server's TLS is broken in a way unrelated to Squid.

As that may be, when I go direct (sans proxy) I get thumbnails... no issues. Toggle the proxy back on and no thumbnails, and opening an image link gives the error initially reported:

(71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
SSL Certficate error: certificate issuer (CA) not known: /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA

So both IE and FF will just load anything from dl.xda-developers.com and not register an issue, but Squid will refuse to load the content and generate the error.

> You need to locate the root CA and/or intermediate CA certificates used
> to sign the domain server's certificate.
>
> You then need to identify *why* they are not being trusted by your OS
> library.
>
> Be sure to determine whether the CA which is missing is actually
> trustworthy before adding it to your trusted set. More than a few of the
> CA which are around are not trusted because they have been hacked or
> caught signing forged certificates they should not have.

I always learn something when you're silly enough to reply :)

When I ran dl.xda-developers.com through SSL Labs (thanks Google), it gave me a less than glowing report, including an incomplete cert chain (I say that like I understand it :) ), or as it put it:

  This server is vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224) <https://community.qualys.com/blogs/securitylabs/2014/06/13/ssl-pulse-49-vulnerable-to-cve-2014-0224-14-exploitable> and exploitable. Grade set to F.
  This server is vulnerable to the OpenSSL Padding Oracle vulnerability (CVE-2016-2107) <https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphersuites/> and insecure. Grade set to F.
  This server accepts RC4 cipher, but only with older browsers. Grade capped to B. MORE INFO » <https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what>
  This server's certificate chain is incomplete. Grade capped to B.

Full report here for the curious: https://globalsign.ssllabs.com/analyze.html?d=dl.xda-developers.com&hideResults=on

For a few thumbnails I'm not going to torture myself, maybe I'll send the forum admin a note instead :)

> PS. EECDH will not work unless you configure a curve name in the
> tls-dh= option. Just having dhparam.pem alone will only enable the less
> secure DH ciphers.

I did add a curve to the tls-dh param, I'm guessing it's correct, little info on which one to use (grabbing the list from my local openssl had me going "what the hell"):

tls-dh=prime256v1:/cygdrive/e/Squid/etc/ssl/dhparam.pem

Note: this made no difference whatsoever with my issue.

Cheers,
Adrian Miller

On 2 March 2017 at 04:08, Adrian Miller <adrian.m.miller@xxxxxxxxx> wrote:
> Thanks Amos for the info, appreciate your tireless assistance for us
> numpties :)
>
> On 2 Mar. 2017 4:06 am, "Amos Jeffries [via Squid Web Proxy Cache]" <
> ml-node+s1019090n4681642h47@xxxxxxxxxxxxx> wrote:
>
>> On 1/03/2017 4:58 a.m., stylemessiah wrote:
>>
>> > This is driving me nuts, it's the only issue I've found running ssl bump
>> > on my home network for eons
>> >
>> > I can't see image thumbnails on xda-developers...
>> >
>> > When I access a thread with them, I get text links, not thumbnails, and
>> > if I click on the links I get the following:
>> >
>> > (71) Protocol error (TLS code:
>> > X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
>> >
>> > SSL Certficate error: certificate issuer (CA) not known:
>> > /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
>> >
>> > I figured out by googling how to (I hope) trace the problem certificate
>> > via s_client:
>> >
>> > OpenSSL> s_client -showcerts -verify 32 -connect dl.xda-developers.com:443
>> > verify depth is 32
>> > CONNECTED(0000012C)
>> > depth=0 CN = *.xda-developers.com
>> > verify error:num=20:unable to get local issuer certificate
>> > verify return:1
>> > depth=0 CN = *.xda-developers.com
>> > verify error:num=21:unable to verify the first certificate
>> > verify return:1
>>
>> That command you used does not send data through the proxy. So that
>> confirms that the server's TLS is broken in a way unrelated to Squid.
>>
>> > ---
>> > Certificate chain
>> > 0 s:/CN=*.xda-developers.com
>> > i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
>> ...
>> > ---
>> > Server certificate
>> > subject=/CN=*.xda-developers.com
>> > issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
>> > ---
>> > No client certificate CA names sent
>> > Peer signing digest: SHA512
>> > Server Temp Key: ECDH, P-256, 256 bits
>> > ---
>> > SSL handshake has read 2067 bytes and written 302 bytes
>> > Verification error: unable to verify the first certificate
>> >
>> > I've found the intermediate bundle from RapidSSL, and added it to my
>> > existing pem bundle... no change
>>
>> You need to locate the root CA and/or intermediate CA certificates used
>> to sign the domain server's certificate.
>>
>> You then need to identify *why* they are not being trusted by your OS
>> library.
>>
>> Be sure to determine whether the CA which is missing is actually
>> trustworthy before adding it to your trusted set. More than a few of the
>> CA which are around are not trusted because they have been hacked or
>> caught signing forged certificates they should not have.
>>
>> > Added as a separate pem i.e. sslproxy_foreign_intermediate_certs
>> > /cygdrive/e/Squid/etc/ssl/extra-intermediate-CA.pem... no change
>> >
>> > My sslbump related config lines are:
>> >
>> > http_port 127.0.0.1:3128 ssl-bump generate-host-certificates=on
>> > dynamic_cert_mem_cache_size=10MB cert=/cygdrive/e/Squid/etc/ssl/myCA.pem
>> > capath=/cygdrive/e/Squid/etc/ssl
>> > cafile=/cygdrive/e/Squid/etc/ssl/extra-intermediate-CA.pem
>> > tls-dh=/cygdrive/e/Squid/etc/ssl/dhparam.pem
>> > options=NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE
>>
>> PS. EECDH will not work unless you configure a curve name in the
>> tls-dh= option. Just having dhparam.pem alone will only enable the less
>> secure DH ciphers.
>>
>> Amos
>>
>> _______________________________________________
>> squid-users mailing list
>> [hidden email]
>> http://lists.squid-cache.org/listinfo/squid-users
>
> --
> I hate to advocate drugs, alcohol, violence or insanity to anyone, but they've always worked for me - Hunter S. Thompson

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/SSL-Bump-and-Certificate-issue-RapidSSL-Intermediate-Cert-tp4681635p4681646.html
Sent from the Squid - Users mailing list archive at Nabble.com.
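An added shell example, not from the thread or the Squid project, that reproduces the "unable to get local issuer certificate" (error 20) condition offline: it builds a throwaway root, intermediate and leaf with openssl, verifies the leaf alone against the root (the incomplete-chain case the s_client output above shows), then verifies again with the intermediate supplied as chain material the way a correctly configured server sends it. All names, paths and the prime256v1 key curve are constructed for the demo.

```shell
#!/bin/sh
# Offline reproduction of the incomplete-chain failure from the thread,
# using a throwaway root -> intermediate -> leaf built with openssl.
# Names, paths and the curve choice are constructed for this demo.

# Build the three certificates in a temp dir and print the dir path.
make_chain() {
  d=$(mktemp -d)
  ec="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
  # Self-signed root CA (req -x509 marks it CA:TRUE by default).
  openssl req -x509 $ec -keyout "$d/root.key" -out "$d/root.pem" \
    -subj "/CN=Demo Root CA" -days 2 >/dev/null 2>&1
  # Intermediate signed by the root; needs CA:TRUE to count as an issuer.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  openssl req $ec -keyout "$d/inter.key" -out "$d/inter.csr" \
    -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/inter.pem" -days 2 >/dev/null 2>&1
  # End-entity (server) certificate signed by the intermediate.
  openssl req $ec -keyout "$d/leaf.key" -out "$d/leaf.csr" \
    -subj "/CN=*.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -out "$d/leaf.pem" -days 2 >/dev/null 2>&1
  echo "$d"
}

# Verify leaf $3 against trust store $1; $2 is optional extra chain material
# (the intermediate a server is supposed to send). Prints "ok" or the
# numeric X509 verify error (20 = unable to get local issuer certificate).
verify_leaf() {
  if [ -n "$2" ]; then
    out=$(openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1 || true)
  else
    out=$(openssl verify -CAfile "$1" "$3" 2>&1 || true)
  fi
  if printf '%s\n' "$out" | grep -q ': OK$'; then
    echo ok
  else
    printf '%s\n' "$out" | sed -n 's/^error \([0-9]*\) at .*/\1/p' | head -n 1
  fi
}

d=$(make_chain)
# Root trusted, leaf presented alone: the incomplete-chain case.
verify_leaf "$d/root.pem" "" "$d/leaf.pem"             # 20
# Same trust store, intermediate supplied alongside the leaf.
verify_leaf "$d/root.pem" "$d/inter.pem" "$d/leaf.pem"  # ok
rm -rf "$d"
```

The second call is what a server fixes by sending its intermediate in the TLS chain; the first is what Squid's OpenSSL sees when only the leaf arrives and the issuer is absent from its local store.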