17.01.2019 21:02, Alex Rousskov пишет:
On 1/16/19 10:30 PM, Dmitry Melekhov wrote:
2019/01/17 09:18:21 kid1| ERROR: negotiating TLS on FD 55: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
In access log:
1547702300.945 0 192.168.22.229 NONE/503 329 GET https://lkk-udm.esplus.ru/Services/Auth.asmx/Safe? dm HIER_NONE/- text/html
1547702301.304 84 - TCP_MISS/404 162 GET http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt-/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff-GETmyip=-myport=0 - HIER_DIRECT/91.199.212.52 text/html
Your Squid (or some helper) appears to be adding an
"-/ffff...GETmyip=-myport=0" suffix to the crt.sectigo.com URL,
resulting in a 404 response from that server. That suffix is not present
in the lkk-udm.esplus.ru certificate AFAICT:
Yes, I suspected this, there is no helper which can add this, as far as
I know, I'm out of office till Monday, I'll turn everything possible off
on Monday, and retest,
but I don't th think is is helper...
Could you tell me - can squid add this and , if yes, how can I turn
this off?
Thank you!
$ openssl x509 -in cert.pem -noout -text | fgrep http:
URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
OCSP - URI:http://ocsp.comodoca.com
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
