
Re: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


On 05/09/17 04:20, erdosain9 wrote:
Hi.
I'm having a lot of this in cache.log... is this normal?? The https access
is working fine... but I have those errors.

> 2017/09/04 13:10:58 kid1| Error negotiating SSL on FD 467: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)


Yes and no. "Normal" is relative to why it is happening.

e.g. if your network is under attack it is "normal" to see signs like this, but hardly desirable.

On the other hand, if the CA certificate being verified has expired or been revoked, it is both normal and desirable to see these instead of letting the traffic through. Opinions on that differ a lot though.



* Check that your Squid machine's ca-certificates are up to date with the latest ones available. That can make your proxy unable to deal with CA changes unless you stay up to date. Regular updates are on the order of weeks, but can happen with no notice if any CA is breached or goes rogue.

* Check that your crypto library is also the latest available. Some types of change in TLS extensions can lead to cert errors if the library does not understand what fields in the server cert mean. This also helps prevent many cipher related errors.

* Take a closer look at the HTTP(S) transaction using the mentioned FD number. That may need a section 11,2 trace to see the URL and server names and/or IP. See if the openssl command line tools can tell you what is non-verifiable about the server cert.

* If it turns out to be an intermediary cert not known by Squid, check carefully whether you actually want to trust it. If so you can use sslproxy_foreign_intermediate_certs to load it explicitly (or Squid-4 should auto-download as needed).
<http://www.squid-cache.org/Doc/config/sslproxy_foreign_intermediate_certs/>


It is rarely any other type of occurrence that can be solved by Squid. The above should provide some clues to further debugging if necessary.

Amos
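The reply above asks the poster to look closer at the FD in the message and to work out whether this is one unverifiable server or something broader. The following script is an added example, not part of the thread and not Squid's own code: it parses `Error negotiating SSL on FD N: error:CODE:lib:func:reason (a/b/c)` lines out of a cache.log, tallies them by OpenSSL reason, lists the FDs behind a given reason (so they can be matched against a `debug_options 11,2` trace), and flags minutes with a burst of failures. The three numbers in parentheses are carried through uninterpreted, since the thread does not say what they mean. The sample log is constructed for the example: the first line is the one from the thread joined back onto one line, the rest are made up, including one OpenSSL 3 style line with an empty function field.

```python
"""Parse Squid cache.log 'Error negotiating SSL' lines and summarise them.

Added example (not Squid code). The "(a/b/c)" numbers are kept as-is and
not interpreted here, because the thread does not explain them.
"""
import re
from collections import Counter
from dataclasses import dataclass

# One cache.log line of the form shown in the thread. The function field may
# be empty (OpenSSL 3 prints "SSL routines::certificate verify failed").
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<kid>kid\d+)\| "
    r"Error negotiating SSL on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^(]+?)"
    r"\s*\((?P<n1>-?\d+)/(?P<n2>-?\d+)/(?P<n3>-?\d+)\)\s*$"
)

# Constructed sample log. Line 1 is the thread's own message re-joined onto
# one line; the others are made up for this example.
SAMPLE_LOG = """\
2017/09/04 13:10:58 kid1| Error negotiating SSL on FD 467: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:10:59 kid1| Starting new helpers
2017/09/04 13:11:03 kid1| Error negotiating SSL on FD 512: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:04 kid1| Error negotiating SSL on FD 513: error:0A000086:SSL routines::certificate verify failed (1/-1/0)
2017/09/04 13:15:40 kid1| Error negotiating SSL on FD 88: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure (1/-1/0)
"""


@dataclass(frozen=True)
class SslNegotiationError:
    timestamp: str
    kid: str
    fd: int
    code: str
    library: str
    function: str
    reason: str
    extra: tuple  # the "(a/b/c)" numbers, uninterpreted


def parse_line(line):
    """Return an SslNegotiationError for a matching line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return SslNegotiationError(
        timestamp=m["ts"],
        kid=m["kid"],
        fd=int(m["fd"]),
        code=m["code"].upper(),
        library=m["lib"],
        function=m["func"],
        reason=m["reason"].strip(),
        extra=(int(m["n1"]), int(m["n2"]), int(m["n3"])),
    )


def parse_log(text):
    """Parse every matching line of a cache.log; non-matching lines are skipped."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def reasons(events):
    """Count events by OpenSSL reason string."""
    return Counter(e.reason for e in events)


def fds_for_reason(events, reason):
    """FDs to look up in a section 11,2 trace for one reason."""
    return sorted(e.fd for e in events if e.reason == reason)


def bursts(events, threshold):
    """Minutes (YYYY/MM/DD HH:MM) with at least `threshold` failures.

    A steady trickle on one FD looks like a single bad server cert; many
    failures in the same minute is the pattern worth treating as suspicious.
    """
    per_minute = Counter(e.timestamp[:16] for e in events)
    return sorted(minute for minute, n in per_minute.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for reason, n in reasons(evs).most_common():
        print(f"{n:4d}  {reason}  FDs={fds_for_reason(evs, reason)}")
    print("burst minutes:", bursts(evs, 2))
```

Run it against a real log with `parse_log(open("/var/log/squid/cache.log").read())`; the FD list for "certificate verify failed" is what to cross-reference with the 11,2 trace to recover the server name, which is the input for the openssl checks the reply suggests.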