When there is an issue with a certificate, it is good practice to go to ssllabs to verify what is going on.
https://www.ssllabs.com/ssltest/analyze.html?d=i.bps%2dsberbank.by&hideResults=on&latest
shows that there is an incomplete certificate chain issue (in orange) which means that the server of the bank does not send all (intermediate) certificates.
Click on the blue '+' of certification paths and it shows that the 'GeoTrust RSA CA 2018' (intermediate certificate) had to be downloaded.
The messages are not from Squid but from ufdbGuard which apparently is configured with an option to block the URL is case of a certificate issue.
Since Squid already checks for valid certificate chains, I suggest to turn this option off in ufdbGuard.
Marcus
On 31/10/2018 11:48, Vacheslav wrote:
I do not use bump or splice if that is what you mean. I do not import certificates.. it works without proxy.
-----Original Message-----
From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Matus UHLAR - fantomas
Sent: Wednesday, October 31, 2018 5:46 PM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: bank blocked
On 31.10.18 17:41, Vacheslav wrote:
2018-10-31 17:34:45 [4270] TLSv1.2 certificate for i.bps-sberbank.by:443: UNRECOGNISED ISSUER (maybe a certificate chain issue) *****
2018-10-31 17:34:45 [4270] issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
does your system recopgnize this authority? Do have actual list of CAs?
2018-10-31 17:34:45 [4270] subject: /C=BY/L=Minsk/O=BPS-Sberbank OAO/OU=Head Office/CN=*.bps-sberbank.by
2018-10-31 17:34:45 [4270] TLSv1.2 connection to i.bps-sberbank.by:443 has error code 12. It is marked as a TLS/SSL certificate issue
2018-10-31 17:34:45 [4270] BLOCK - 10.17.10.17 config https-option i.bps-sberbank.by:443 CONNECT
What is wrong?
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
