On 01/26/2018 02:30 AM, Alex Crow wrote:
> I've just set up a new SSL interception proxy using peek/splice/bump
> using squid 4.0.22 and I'm getting SSL errors on some site indicating
> missing intermediate certs as described here:
>
> https://blog.diladele.com/2015/04/21/fixing-x509_v_err_unable_to_get_issuer_cert_locally-on-ssl-bumping-squid/
>
> I have read the wiki and I see this on the SslBumpExplicit page:
>
> "Squid-4 <https://wiki.squid-cache.org/Squid-4> is capable of
> downloading missing intermediate CA certificates, like popular browsers do."
>
> However I'm finding that I have to follow the procedure in the diladele
> article and manually install the intermediate certs into the PKI trust
> to work around this.

Several cases are possible here:

1. Squid is missing the root certificate used by the origin server.
   Neither Squid nor browsers can fetch root certificates automatically
   (for hopefully obvious reasons).

2. Squid is missing an intermediate certificate used by the origin
   server, and the origin server provided no instructions on how to fetch
   that missing certificate automatically. Neither Squid (for sure) nor
   browsers (AFAIK) can fetch missing intermediate certificates
   automatically if they are not given origin server instructions on
   where to get them. Those instructions are usually given as various
   extension fields in signed certificates.

3. Squid is missing an intermediate certificate used by the origin
   server, the origin server provided instructions on how to fetch that
   missing certificate automatically, but Squid does not
   understand/support those instructions. There are several instruction
   formats/variants, and Squid does not support some of them. Please
   consider adding that support to Squid (requires writing code or
   sponsoring development).

4. Squid is missing an intermediate certificate used by the origin
   server, the origin server provided instructions on how to fetch that
   missing certificate automatically, Squid followed those instructions,
   but something went wrong. Study detailed Squid debugging logs or post
   them for analysis by others.

You need to study each error to understand which case applies to it.

To make matters worse, a combination of #1 and other cases is possible:
Sometimes, automatically fetching a missing certificate leads to
certificate validation problems that could have been avoided if Squid had
the right (and different) trusted certificate in the first place:

https://github.com/squid-cache/squid/commit/9ef7d9d5ddef54283cea4f1fdb7b3bbc1715755c

I doubt Squid logs enough information (by default) to quickly and easily
distinguish the four cases for a given error -- you may need to study the
origin server certificates and Squid logs. For example, #4 should manifest
itself as access.log errors associated with failed certificate fetching
requests.

As the solution for #1-2 or workaround for #3-4, if you trust the missing
certificate, manually add it to your trust store (which is what you were
doing).

HTH,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
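The reply above says that telling cases #1-#4 apart requires studying the origin server's certificates. The script below is an added example, not part of this thread and not Squid code: it sorts a failing chain into those cases with nothing but the `openssl` CLI (1.1.1 or later). Given the origin's leaf certificate, the extra certificates the server sent, and the bundle Squid trusts, it first attempts the full validation Squid would do; on failure it checks whether the served chain contains the leaf's issuer (if so, the problem is the root, case #1), and otherwise whether the leaf carries an AIA "CA Issuers" pointer (instructions exist, so case #3 or #4) or not (case #2). Case #4 cannot be seen from certificates alone, so the script stops at "case3or4" and leaves the logs to you. The `make_demo_pki` function builds a throwaway PKI (Demo Root, Demo Intermediate, two leaves for `www.example.test`, an Unrelated Root, and the URI `http://pki.example.test/inter.der`); all of those names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not Squid code: classify a failing origin-server chain into
# the cases from the reply above using only the openssl CLI (1.1.1+).
# Every file name, subject and URI below is constructed for the demo.

# classify_chain LEAF CHAIN TRUST
#   LEAF  = the origin server's end-entity certificate (PEM)
#   CHAIN = the extra certificates the server sent (PEM; may be an empty file)
#   TRUST = the CA bundle Squid validates against (PEM)
# Prints one of: complete | case1 | case2 | case3or4
# openssl's own verify error goes to stderr for the failing cases.
classify_chain() {
    leaf=$1; chain=$2; trust=$3
    untrusted=""
    if grep -q 'BEGIN CERTIFICATE' "$chain"; then untrusted="-untrusted $chain"; fi

    # The validation Squid attempts. -no-CApath keeps the system directory
    # out of the picture so the verdict reflects TRUST only.
    if out=$(openssl verify -no-CApath -CAfile "$trust" $untrusted "$leaf" 2>&1); then
        echo complete; return 0
    fi
    printf '%s\n' "$out" >&2

    # Did the server send the leaf's issuer at all? With -partial_chain the
    # served chain may act as the anchor, so success here means the
    # intermediate is present and the real gap is the root (case 1; a
    # non-chain error such as expiry would land here too, see stderr).
    if [ -n "$untrusted" ] &&
       openssl verify -no-CApath -CAfile "$chain" -partial_chain "$leaf" >/dev/null 2>&1; then
        echo case1; return 0
    fi

    # Intermediate missing. Does the leaf carry fetch instructions (an AIA
    # "CA Issuers" URI)? If so, a fetch is at least possible (cases 3/4);
    # if not, nobody can fetch it (case 2).
    if openssl x509 -in "$leaf" -noout -text | grep -q 'CA Issuers - URI:'; then
        echo case3or4
    else
        echo case2
    fi
}

# gen_cert DIR NAME SUBJECT EXTFILE [ISSUER]   (no ISSUER => self-signed root)
gen_cert() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.csr" -subj "$3" 2>/dev/null
    if [ -n "$5" ]; then
        openssl x509 -req -in "$1/$2.csr" -CA "$1/$5.pem" -CAkey "$1/$5.key" \
            -CAcreateserial -days 1 -extfile "$4" -out "$1/$2.pem" 2>/dev/null
    else
        openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" \
            -days 2 -extfile "$4" -out "$1/$2.pem" 2>/dev/null
    fi
}

# make_demo_pki DIR: constructed PKI for the demo: root -> intermediate ->
# two leaves (one with an AIA caIssuers pointer, one without), plus an
# unrelated root to stand in for a trust store that lacks the right root.
make_demo_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$1/leaf.ext"
    { cat "$1/leaf.ext"
      printf 'authorityInfoAccess=caIssuers;URI:http://pki.example.test/inter.der\n'; } > "$1/aia.ext"
    gen_cert "$1" root  "/CN=Demo Root"         "$1/ca.ext"
    gen_cert "$1" other "/CN=Unrelated Root"    "$1/ca.ext"
    gen_cert "$1" inter "/CN=Demo Intermediate" "$1/ca.ext"   root
    gen_cert "$1" aia   "/CN=www.example.test"  "$1/aia.ext"  inter
    gen_cert "$1" noaia "/CN=www.example.test"  "$1/leaf.ext" inter
    : > "$1/empty.pem"   # a server that sends only its leaf certificate
}

# Run with "demo" as the first argument to see all four verdicts.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    make_demo_pki "$d"
    for args in "aia inter root" "aia inter other" "noaia empty root" "aia empty root"; do
        set -- $args
        printf '%-18s -> %s\n' "$args" \
            "$(classify_chain "$d/$1.pem" "$d/$2.pem" "$d/$3.pem" 2>/dev/null)"
    done
    rm -rf "$d"
fi
```

For a real origin, feed `classify_chain` the leaf and extra certificates captured from the handshake (for example via `openssl s_client -showcerts`) and the bundle Squid's `sslproxy_cafile`/`ssl_bump` validation uses. Two caveats: with OpenSSL 3.x the default certificate store is still consulted unless you also pass `-no-CAstore`, so add that flag there if you want the verdict to reflect the Squid bundle alone; and "case1" only means the served chain is internally complete, so read the openssl error printed on stderr before concluding the root is what is missing.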