
Re: squid-users Digest, Vol 31, Issue 3

Disregard last message, it seemed to work...once - quite possibly I had the proxy toggled off at the time...sheesh

Reverted my cipher chain back to the original and am leaving it the hell alone; will send the site admin an email instead of fiddling further

On 2 March 2017 at 14:04, <squid-users-request@xxxxxxxxxxxxxxxxxxxxx> wrote:
Send squid-users mailing list submissions to
        squid-users@lists.squid-cache.org

To subscribe or unsubscribe via the World Wide Web, visit
        http://lists.squid-cache.org/listinfo/squid-users
or, via email, send a message with subject or body 'help' to
        squid-users-request@lists.squid-cache.org

You can reach the person managing the list at
        squid-users-owner@lists.squid-cache.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of squid-users digest..."


Today's Topics:

   1. Re: SSL Bump and Certificate issue - RapidSSL Intermediate Cert (stylemessiah)
   2. Re: Failed to shm_open (Amos Jeffries)
   3. Re: Failed to shm_open (Amos Jeffries)
   4. Re: SSL Bump and Certificate issue - RapidSSL Intermediate Cert (stylemessiah)
   5. Re: SSL Bump and Certificate issue - RapidSSL Intermediate Cert (stylemessiah)


----------------------------------------------------------------------

Message: 1
Date: Wed, 1 Mar 2017 09:03:47 -0800 (PST)
From: stylemessiah <adrian.m.miller@xxxxxxxxx>
To: squid-users@lists.squid-cache.org
Subject: Re: SSL Bump and Certificate issue - RapidSSL Intermediate Cert
Message-ID:
        <CAOLOQx36wSy24sDDS-Qm=BSAeGsS5oiT5kGK5kP7s=sMQEffpQ@mail.gmail.com>
Content-Type: text/plain; charset=us-ascii

Thanks Amos for the info, appreciate your tireless assistance for us
numpties :)

On 2 Mar. 2017 4:06 am, "Amos Jeffries [via Squid Web Proxy Cache]" <
ml-node+s1019090n4681642h47@n4.nabble.com> wrote:

> On 1/03/2017 4:58 a.m., stylemessiah wrote:
>
> > This is driving me nuts, it's the only issue I've found running SSL Bump
> > on my home network for eons
> >
> > I can't see image thumbnails on xda-developers...
> >
> > When I access a thread with them, I get text links, not thumbnails, and
> > if I click on the links I get the following:
> >
> >     (71) Protocol error (TLS code:
> >     X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
> >
> >     SSL Certficate error: certificate issuer (CA) not known:
> >     /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
> >
> > I figured out by googling how to (I hope) trace the problem certificate
> > via s_client:
> >
> > OpenSSL> s_client -showcerts -verify 32 -connect dl.xda-developers.com:443
> > verify depth is 32
> > CONNECTED(0000012C)
> > depth=0 CN = *.xda-developers.com
> > verify error:num=20:unable to get local issuer certificate
> > verify return:1
> > depth=0 CN = *.xda-developers.com
> > verify error:num=21:unable to verify the first certificate
> > verify return:1
>
> That command you used does not send data through the proxy. So that
> confirms that the server's TLS is broken in a way unrelated to Squid.
>
> > ---
> > Certificate chain
> >  0 s:/CN=*.xda-developers.com
> >    i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
> ...
> > ---
> > Server certificate
> > subject=/CN=*.xda-developers.com
> > issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
> > ---
> > No client certificate CA names sent
> > Peer signing digest: SHA512
> > Server Temp Key: ECDH, P-256, 256 bits
> > ---
> > SSL handshake has read 2067 bytes and written 302 bytes
> > Verification error: unable to verify the first certificate
> >
> > I've found the intermediate bundle from RapidSSL, and added it to my
> > existing pem bundle...no change
>
> You need to locate the root CA and/or intermediate CA certificates used
> to sign the domain server's certificate.
>
> You then need to identify *why* they are not being trusted by your OS
> library.
>
> Be sure to determine whether the CA which is missing is actually
> trustworthy before adding it to your trusted set. More than a few of the
> CAs which are around are not trusted because they have been hacked or
> caught signing forged certificates they should not have.
>
> > Added as a separate pem i.e. sslproxy_foreign_intermediate_certs
> > /cygdrive/e/Squid/etc/ssl/extra-intermediate-CA.pem...no change
> >
> > My sslbump related config lines are:
> >
> > http_port 127.0.0.1:3128 ssl-bump generate-host-certificates=on
> > dynamic_cert_mem_cache_size=10MB cert=/cygdrive/e/Squid/etc/ssl/myCA.pem
> > capath=/cygdrive/e/Squid/etc/ssl
> > cafile=/cygdrive/e/Squid/etc/ssl/extra-intermediate-CA.pem
> > tls-dh=/cygdrive/e/Squid/etc/ssl/dhparam.pem
> > options=NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE
>
> PS.  EECDH will not work unless you configure a curve name in the
> tls-dh= option. Just having dhparam.pem alone will only enable the less
> secure DH ciphers.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> http://lists.squid-cache.org/listinfo/squid-users




--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/SSL-Bump-and-Certificate-issue-RapidSSL-Intermediate-Cert-tp4681635p4681643.html
Sent from the Squid - Users mailing list archive at Nabble.com.
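The check Amos describes (find the issuer certificate the server failed to send, then work out why your library does not trust the chain) can be rehearsed offline. The script below is an added example for this archive page, not code from the thread or from Squid: it builds a throw-away root > intermediate > leaf PKI with the openssl CLI, shows that a verifier holding only the root fails with X509 error 20 (the numeric form of X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) when handed just the leaf, reads the leaf's AIA caIssuers URL (where a real intermediate would be downloaded from), and then verifies again with the intermediate supplied as untrusted chain material. The CA names, the *.example.test hostname and the http://pki.example.test/inter.crt URL are invented for the demonstration; it assumes an `openssl` binary (1.0.2 or later) on PATH.

```shell
#!/bin/sh
# Added example: reproduce "unable to get local issuer certificate" (X509 error 20)
# offline with a throw-away PKI. Names and URLs below are invented.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build root -> intermediate -> leaf once; later calls are no-ops.
make_chain() {
  [ -f "$WORK/leaf.pem" ] && return 0
  # 1. Self-signed root CA: the only certificate the "client" will trust.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
      -subj "/CN=Example Root CA" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  # 2. Intermediate CA signed by the root: the certificate a misconfigured
  #    server forgets to include in its handshake.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -subj "/CN=Example Intermediate CA" -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
      > "$WORK/inter.ext"
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
      -CAcreateserial -days 2 -sha256 -extfile "$WORK/inter.ext" -out "$WORK/inter.pem" 2>/dev/null
  # 3. Leaf (server) certificate signed by the intermediate. The AIA caIssuers
  #    URL is where the missing issuer certificate would be fetched from.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -subj "/CN=*.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.test\nauthorityInfoAccess=caIssuers;URI:http://pki.example.test/inter.crt\n' \
      > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
      -CAcreateserial -days 2 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# Verify the leaf against a trust store that holds only the root, optionally
# with an intermediate supplied as untrusted chain material ($1). Prints the
# numeric X509 error from "openssl verify", or 0 when the chain verifies.
verify_against_root() {
  if [ $# -ge 1 ]; then
    out=$(openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$WORK/leaf.pem" 2>&1) && { echo 0; return; }
  else
    out=$(openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1) && { echo 0; return; }
  fi
  printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# Where the leaf itself says its issuer certificate can be downloaded.
aia_ca_issuers() {
  openssl x509 -in "$WORK/leaf.pem" -noout -text \
    | sed -n 's/^ *CA Issuers - URI:\(.*\)$/\1/p'
}

main() {
  make_chain
  echo "leaf issuer:   $(openssl x509 -in "$WORK/leaf.pem" -noout -issuer)"
  echo "AIA caIssuers: $(aia_ca_issuers)"
  echo "root only (server sent just the leaf):   X509 error $(verify_against_root)"
  echo "root + intermediate supplied locally:    X509 error $(verify_against_root "$WORK/inter.pem")"
}
main
```

`-untrusted` is the CLI equivalent of what Squid's `sslproxy_foreign_intermediate_certs` does: the file is chain material only, and trust still has to end at a root your library already holds, which is why fetching the AIA certificate and confirming it chains to a known root covers Amos's "is this CA actually trustworthy" point before anything is added. Browsers often succeed against such servers because they fetch the issuer via AIA or already have it cached from other sites; OpenSSL, and therefore Squid, does neither, which is why a page can work directly and fail through the proxy.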


------------------------------

Message: 2
Date: Thu, 2 Mar 2017 06:19:27 +1300
From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
To: squid-users@lists.squid-cache.org
Subject: Re: Failed to shm_open
Message-ID: <97f1176a-f88d-9fbf-28dc-a8c2341dc612@xxxxxxxxxxxxx>
Content-Type: text/plain; charset=utf-8

On 2/03/2017 4:06 a.m., erdosain9 wrote:
> Hi.
> Now Squid stops... abnormally.
>
> 2017/03/01 12:04:31 kid1| helperOpenServers: Starting 5/32 'ssl_crtd' processes
> FATAL: Ipc::Mem::Segment::open failed to shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory
>
> Squid Cache (Version 3.5.20): Terminated abnormally.
> CPU Usage: 0.095 seconds = 0.074 user + 0.021 sys
> Maximum Resident Size: 134144 KB
> Page faults with physical i/o: 0
> 2017/03/01 12:04:31| Set Current Directory to /var/spool/squid
>
> What has happened??
>

One of three things, in order of likelihood:

a) your OS does not have /dev/shm running.

b) your Squid was not started with appropriate privileges to access
/dev/shm and create the shared-memory area, i.e. root.

c) a previous Squid process that was supposed to create that
shared-memory area is not running.


Amos
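The three causes above are plain filesystem checks on Linux, because glibc's shm_open(name) creates or opens a file called name under /dev/shm. The script below is an added diagnostic for this archive page, not code from the thread or from Squid; it walks the causes in Amos's order and reports a one-word verdict. SHM_DIR and the segment name are parameters; the default segment name is the one in the FATAL line above.

```shell
#!/bin/sh
# Added example: check the usual reasons shm_open(/squid-ssl_session_cache.shm)
# fails with ENOENT, in the order given in the reply above.
set -u

SHM_DIR="${SHM_DIR:-/dev/shm}"
SEGMENT="${SEGMENT:-squid-ssl_session_cache.shm}"

# (a) Is there a tmpfs mounted at $SHM_DIR at all? Without it shm_open has
#     nowhere to create the segment. Falls back to "directory exists" where
#     /proc/mounts is unavailable.
shm_mounted() {
  [ -d "$SHM_DIR" ] || return 1
  if [ -r /proc/mounts ]; then
    awk -v d="$SHM_DIR" '$2 == d && ($3 == "tmpfs" || $3 == "shm") { f = 1 } END { exit !f }' /proc/mounts
  fi
}

# (b) Can this user create a segment there? The Squid master process does
#     this as the user it was started as (normally root), so run the check
#     as that user.
shm_writable() {
  probe="$SHM_DIR/squid-shm-probe-$$"
  if : > "$probe" 2>/dev/null; then
    rm -f "$probe"
    return 0
  fi
  return 1
}

# (c) Does the segment exist? Kid processes only open segments the master
#     created, so a kid reporting ENOENT on open means the master that should
#     have created it is not running (or was started without permission to).
segment_exists() {
  [ -e "$SHM_DIR/$SEGMENT" ]
}

# One-word verdict: no-shm-mount | not-writable | segment-absent | ok
diagnose_shm() {
  if ! shm_mounted; then echo no-shm-mount; return 0; fi
  if ! shm_writable; then echo not-writable; return 0; fi
  if ! segment_exists; then echo segment-absent; return 0; fi
  echo ok
}

main() {
  printf '%s (%s): %s\n' "$SHM_DIR" "$SEGMENT" "$(diagnose_shm)"
  echo "existing squid segments:"
  ls -l "$SHM_DIR"/squid-*.shm 2>/dev/null || echo "  (none)"
}
main
```

Run it as the user Squid is started as; "not-writable" as root almost always means a read-only or noexec-style mount option on /dev/shm rather than a permission bit, and "segment-absent" while Squid is supposedly running points at cause (c).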



------------------------------

Message: 3
Date: Thu, 2 Mar 2017 06:24:35 +1300
From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
To: squid-users@lists.squid-cache.org
Subject: Re: Failed to shm_open
Message-ID: <3245dc48-4a84-ffe4-5952-ee09921efd8f@xxxxxxxxxxxxx>
Content-Type: text/plain; charset=utf-8

On 2/03/2017 4:21 a.m., erdosain9 wrote:
> no shared cipher

Exactly what it says. There are no ciphers which both the client and
the server are allowing to be used.

One example of this is a client that only speaks SSLv2 and a server that
speaks only TLS/1.3.

You will have to dig a bit deeper to figure out what ciphers are needed.
Unfortunately Squid does not have much useful debug information in this
area yet.

Amos



------------------------------

Message: 4
Date: Wed, 1 Mar 2017 17:57:30 -0800 (PST)
From: stylemessiah <adrian.m.miller@xxxxxxxxx>
To: squid-users@lists.squid-cache.org
Subject: Re: SSL Bump and Certificate issue - RapidSSL Intermediate Cert
Message-ID:
        <CAOLOQx3n5MSOZHTiKSZJ8BfA=Q=LNd7KCVsncgLz2QZt0XaEOQ@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

> That command you used does not send data through the proxy. So that
> confirms that the server's TLS is broken in a way unrelated to Squid.

Be that as it may, when I go direct (sans proxy) I get thumbnails...no issues.
Toggle the proxy back on and no thumbnails, and opening an image link gives the
error initially reported.

(71) Protocol error (TLS code:
 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)

SSL Certficate error: certificate issuer (CA) not known:
/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA

So both IE and FF will just load anything from dl.xda-developers.com and not
register an issue, but Squid will refuse to load the content and generate
the error.

> You need to locate the root CA and/or intermediate CA certificates used
> to sign the domain server's certificate.
>
> You then need to identify *why* they are not being trusted by your OS
> library.
>
> Be sure to determine whether the CA which is missing is actually
> trustworthy before adding it to your trusted set. More than a few of the
> CAs which are around are not trusted because they have been hacked or
> caught signing forged certificates they should not have.

I always learn something when you're silly enough to reply :)

When I ran dl.xda-developers.com through SSL Labs (thanks Google), it gave
me a less than glowing report, including an incomplete cert chain (I say that
like I understand it :) ) or as it put it:

This server is vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224)
<https://community.qualys.com/blogs/securitylabs/2014/06/13/ssl-pulse-49-vulnerable-to-cve-2014-0224-14-exploitable>
and exploitable. Grade set to F.
This server is vulnerable to the OpenSSL Padding Oracle vulnerability
(CVE-2016-2107)
<https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphersuites/>
and insecure. Grade set to F.
This server accepts RC4 cipher, but only with older browsers. Grade capped
to B.
<https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what>
This server's certificate chain is incomplete. Grade capped to B.

Full report here for the curious:
https://globalsign.ssllabs.com/analyze.html?d=dl.xda-developers.com&hideResults=on

For a few thumbnails I'm not going to torture myself, maybe I'll send the
forum admin a note instead :)

> PS.  EECDH will not work unless you configure a curve name in the
> tls-dh= option. Just having dhparam.pem alone will only enable the less
> secure DH ciphers.

I did add a curve to the tls-dh param, I'm guessing 'tis correct, little info
on which one to use (grabbing the list from my local openssl had me going
what the hell)

tls-dh=prime256v1:/cygdrive/e/Squid/etc/ssl/dhparam.pem

Note: this made no difference whatsoever with my issue

Cheers,

Adrian Miller




--
I hate to advocate *drugs*, *alcohol*,* violence *or
*insanity* to anyone, *but* they've *always* worked for* me*

- Hunter S. Thompson






------------------------------

Message: 5
Date: Wed, 1 Mar 2017 18:59:08 -0800 (PST)
From: stylemessiah <adrian.m.miller@xxxxxxxxx>
To: squid-users@lists.squid-cache.org
Subject: Re: SSL Bump and Certificate issue - RapidSSL Intermediate Cert
Message-ID:
        <CAOLOQx1-wRQ4RZcTjg6CqAT-mYyaBu-nCaPNkYFg4tW66E=F+w@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

Decided to fiddle with it one last time....

If I change my cipher entries from

EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

to

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4

I get content from dl.xda-developers.com just fine

But I won't pretend I understand the cipher chain, or whether the change is
a good thing







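Two messages in this digest come down to the same question: which suites does an OpenSSL cipher string actually select? Amos's "no shared cipher" reply (message 3) says the client's and server's lists have an empty intersection and that Squid gives little help finding out what is needed; message 5 swaps one long cipher string for another without knowing what changed. The script below is an added example for this archive page, not code from the thread or from Squid. It expands cipher strings with `openssl ciphers -v`, exactly the parser Squid hands the `cipher=` option to, and diffs or intersects the results. The two long strings are the ones posted in message 5; the short client/server pair in main() is constructed to show an empty intersection. It assumes an `openssl` binary on PATH and the usual `awk`, `sort` and `comm`.

```shell
#!/bin/sh
# Added example: expand OpenSSL cipher strings and compare them, to see what a
# cipher-list change adds and whether two endpoints share any suite at all.
set -eu

# The two cipher strings posted in the thread (message 5), verbatim.
ORIGINAL='EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS'
REPLACEMENT='ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'

# Print the TLS 1.2-and-earlier suites a cipher string selects, sorted, one
# per line. TLS 1.3 suites are governed by a separate list and are printed by
# "openssl ciphers" whatever the string says, so they are dropped here.
# Unknown names in the string are silently ignored by OpenSSL, so a suite the
# local build lacks (e.g. 3DES on a build without it) simply does not appear.
expand_ciphers() {
  openssl ciphers -v "$1" | awk '$2 != "TLSv1.3" { print $1 }' | sort -u
}

# 0 if cipher string $1 selects any suite whose name matches pattern $2.
has_suite() {
  expand_ciphers "$1" | grep -q -- "$2"
}

# Suites selected by $2 but not by $1: what changing from $1 to $2 adds.
added_by() {
  a=$(mktemp); b=$(mktemp)
  expand_ciphers "$1" > "$a"; expand_ciphers "$2" > "$b"
  comm -13 "$a" "$b"
  rm -f "$a" "$b"
}

# Suites both strings select. Empty output is the condition that fails a
# handshake with "no shared cipher".
shared_ciphers() {
  a=$(mktemp); b=$(mktemp)
  expand_ciphers "$1" > "$a"; expand_ciphers "$2" > "$b"
  comm -12 "$a" "$b"
  rm -f "$a" "$b"
}

main() {
  echo "== suites the replacement list enables that the original did not =="
  added_by "$ORIGINAL" "$REPLACEMENT"
  echo "== RC4 in the original? (EECDH+aRSA+RC4 is listed, but the later !RC4 removes it for good) =="
  if has_suite "$ORIGINAL" RC4; then echo yes; else echo no; fi
  echo "== constructed client vs server lists with nothing in common =="
  shared=$(shared_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256' 'ECDHE-RSA-AES256-GCM-SHA384')
  if [ -n "$shared" ]; then echo "$shared"; else echo "(none: this pair fails with 'no shared cipher')"; fi
}
main
```

Two things the expansion makes visible that the raw strings hide: a `!` rule is permanent, so `EECDH+aRSA+RC4` earlier in the original list never yields an RC4 suite; and `!DES` in the replacement only excludes single DES (OpenSSL's `3DES` keyword is the one for triple DES), so the explicit `DES-CBC3-SHA` entries survive on builds that still ship them, whereas the original list's `!3DES` removed them. To reproduce a real "no shared cipher" you feed `shared_ciphers` the proxy's `cipher=` string and the other side's list (from `openssl s_client -cipher` probing or the server's configuration); an empty result is the answer Squid's logs do not give you.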


------------------------------

Subject: Digest Footer

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


------------------------------

End of squid-users Digest, Vol 31, Issue 3
******************************************



