Re: Squid 4 and missing intermediate certs

On 26/01/18 17:50, Alex Rousskov wrote:
> On 01/26/2018 02:30 AM, Alex Crow wrote:
>> I've just set up a new SSL interception proxy using peek/splice/bump
>> using squid 4.0.22 and I'm getting SSL errors on some sites indicating
>> missing intermediate certs as described here:
>>
>> https://blog.diladele.com/2015/04/21/fixing-x509_v_err_unable_to_get_issuer_cert_locally-on-ssl-bumping-squid/
>>
>> I have read the wiki and I see this on the SslBumpExplicit page:
>>
>> "Squid-4 <https://wiki.squid-cache.org/Squid-4> is capable of
>> downloading missing intermediate CA certificates, like popular browsers do."
>>
>> However I'm finding that I have to follow the procedure in the diladele
>> article and manually install the intermediate certs into the PKI trust
>> to work around this.
>
> Several cases are possible here:
>
> 1. Squid is missing the root certificate used by the origin server.
> Neither Squid nor browsers can fetch root certificates automatically
> (for hopefully obvious reasons).
>
> 2. Squid is missing an intermediate certificate used by the origin
> server, and the origin server provided no instructions on how to fetch
> that missing certificate automatically. Neither Squid (for sure) nor
> browsers (AFAIK) can fetch missing intermediate certificates
> automatically if they are not given origin server instructions of where
> to get them. Those instructions are usually given as various extension
> fields in signed certificates.
>
> 3. Squid is missing an intermediate certificate used by the origin
> server, the origin server provided instructions on how to fetch that
> missing certificate automatically, but Squid does not understand/support
> those instructions. There are several instruction formats/variants, and
> Squid does not support some of them. Please consider adding that support
> to Squid (requires writing code or sponsoring development).
>
> 4. Squid is missing an intermediate certificate used by the origin
> server, the origin server provided instructions on how to fetch that
> missing certificate automatically, Squid followed those instructions,
> but something went wrong. Study detailed Squid debugging logs or post
> them for analysis by others.
>
> You need to study each error to understand which case applies to it.
>
> To make matters worse, a combination of #1 and other cases is possible:
> Sometimes, automatically fetching a missing certificate leads to
> certificate validation problems that could have been avoided if Squid
> had the right (and different) trusted certificate in the first place:
> https://github.com/squid-cache/squid/commit/9ef7d9d5ddef54283cea4f1fdb7b3bbc1715755c
>
> I doubt Squid logs enough information (by default) to quickly and easily
> distinguish the four cases for a given error -- you may need to study
> the origin server certificates and Squid logs. For example, #4 should
> manifest itself as access.log errors associated with failed certificate
> fetching requests.
>
> As the solution for #1-2 or workaround for #3-4, if you trust the
> missing certificate, manually add it to your trust store (which is what
> you were doing).
>
> HTH,
>
> Alex.

Thanks very much Alex. I thought it might be something like that. I'm guessing it's most likely #3 or #4 as the site works directly from the browser.

Cheers

Alex
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
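A quick way to separate case #2 from cases #3/#4 in Alex Rousskov's list is to inspect the leaf certificate's Authority Information Access (AIA) extension: the caIssuers URI defined in RFC 5280 is the standard form of the "instructions" he refers to, and it is what Squid-4 and browsers follow to fetch a missing intermediate. The following is an added example, not code from this thread or from Squid: a pure-Python DER walker that extracts the caIssuers and OCSP URIs from a raw AIA extension value and maps the result onto those cases, using constructed sample extension bytes with hypothetical hostnames (it cannot detect case #1, a missing root, which needs a trust-store check instead).

```python
OID_CA_ISSUERS = bytes.fromhex("2b06010505073002")  # access method 1.3.6.1.5.5.7.48.2
OID_OCSP = bytes.fromhex("2b06010505073001")        # access method 1.3.6.1.5.5.7.48.1
TAG_SEQUENCE, TAG_OID, TAG_URI = 0x30, 0x06, 0x86   # URI GeneralName = [6] IMPLICIT IA5String

def der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    """Yield (tag, value) for each element directly inside a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, value, pos = der_tlv(body, pos)
        yield tag, value

def aia_uris(aia_der):
    """Return {"caIssuers": [...], "ocsp": [...]} from a raw AIA extension value."""
    tag, body, _ = der_tlv(aia_der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("AIA value must be a SEQUENCE OF AccessDescription")
    found = {"caIssuers": [], "ocsp": []}
    for tag, desc in der_children(body):
        parts = list(der_children(desc)) if tag == TAG_SEQUENCE else []
        if len(parts) != 2 or parts[0][0] != TAG_OID or parts[1][0] != TAG_URI:
            continue                   # malformed entry or a non-URI GeneralName
        key = {OID_CA_ISSUERS: "caIssuers", OID_OCSP: "ocsp"}.get(parts[0][1])
        if key:
            found[key].append(parts[1][1].decode("ascii"))
    return found

def classify_missing_intermediate(aia_der):
    """Map the AIA content onto case #2 versus cases #3/#4 from the reply above."""
    if aia_der is None or not aia_uris(aia_der)["caIssuers"]:
        return "case 2: no caIssuers URI, nothing to fetch; install the intermediate manually"
    return "case 3 or 4: caIssuers URI present; check Squid support and access.log for the fetch"

def der_encode(tag, value):
    return bytes([tag, len(value)]) + value  # short-form length only (value < 128 bytes)

def access_description(method_oid, uri):
    return der_encode(TAG_SEQUENCE, der_encode(TAG_OID, method_oid) + der_encode(TAG_URI, uri.encode("ascii")))

# Constructed samples with hypothetical hosts (not real CAs, not taken from the thread).
SAMPLE_WITH_CAISSUERS = der_encode(TAG_SEQUENCE, access_description(OID_OCSP, "http://ocsp.example")
                                   + access_description(OID_CA_ISSUERS, "http://ca.example/inter.cer"))
SAMPLE_OCSP_ONLY = der_encode(TAG_SEQUENCE, access_description(OID_OCSP, "http://ocsp.example"))
```

For a real leaf certificate, pull the raw AIA extension value with an ASN.1 library or `openssl asn1parse` and pass it to aia_uris(); an OCSP URI on its own gives Squid nothing to fetch for a missing intermediate.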



