Search squid archive

Squid blocking own OCSP/AIA requests

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi all

I have configured Squid 4.0.18 (CentOS) with sslbump and clamav as
ecap_service. This works well.

One thing I've noticed though, are constant log entries like this in
access.log:

2017-03-21 10:35:08.338 +0100 000137 - TCP_DENIED/403 3607 GET
http://apps.identrust.com/roots/dstrootcax3.p7c - HIER_NONE/-
text/html;charset=utf-8 -
2017-03-21 10:35:08.345 +0100 000161 10.254.254.2 NONE/200 0 CONNECT
letsencrypt.org:443 - HIER_DIRECT/letsencrypt.org - -

It appears that this is the OCSP URI for Letsencrypt certificates.

And in fact every time this is logged, a CONNECT to a https uri is
logged that is using a Letsencrypt certificate (like eg.
https://letsencrypt.org).

Given that there is no client IP logged, I assume that squid is blocking
its own outgoing OCSP request here (the browser is configured to NOT use
OCSP).

The same seems to happen when there's no OCSP URI, but a regular AIA URI
in the certificate:

2017-03-21 10:36:19.773 +0100 000000 - TCP_DENIED/403 3734 GET
http://swisssign.net/cgi-bin/authority/download/5B257B96A465517EB839F3C078665EE83AE7F0EE
- HIER_NONE/- text/html;charset=utf-8 -
2017-03-21 10:36:19.782 +0100 000038 10.254.254.2 NONE/200 0 CONNECT
swisssign.net:443 - HIER_DIRECT/swisssign.net - -

I do have "http_access allow localhost" in squid.conf, but since there's
no IP associated with the request, this does not seem to help.

Is there a way to allow these outgoing internal requests? I've looked
through the FAQ and wiki, but couldn't find anything on the topic.

Thanks & best

/markus
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux