On 1/18/19 4:35 AM, Dmitry Melekhov wrote: > > 17.01.2019 21:02, Alex Rousskov пишет: >> On 1/16/19 10:30 PM, Dmitry Melekhov wrote: >> >>> 2019/01/17 09:18:21 kid1| ERROR: negotiating TLS on FD 55: >>> error:14090086:SSL routines:ssl3_get_server_certificate:certificate >>> verify failed (1/-1/0) >> >>> In access log: >>> 1547702300.945 0 192.168.22.229 NONE/503 329 GET >>> https://lkk-udm.esplus.ru/Services/Auth.asmx/Safe? dm HIER_NONE/- >>> text/html >>> 1547702301.304 84 - TCP_MISS/404 162 GET >>> http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt-/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff-GETmyip=-myport=0 >>> - HIER_DIRECT/91.199.212.52 text/html >> Your Squid (or some helper) appears to be adding an >> "-/ffff...GETmyip=-myport=0" suffix to the crt.sectigo.com URL, >> resulting in a 404 response from that server. > Yes, I suspected this, there is no helper which can add this, as far as > I know > can squid add this Squid itself does not add non-trivial paths to URLs. If your Squid does not have a URL rewriter or an adaptation service, and the certificate your Squid receives does not containt that weird URL, then this is probably a Squid bug such as using an "unterminated c-string" when forming the request URL. If you can reproduce, it may be fairly easy to distinguish bugs from helpers from certificates as the source of this problem using an ALL,9 cache.log. Alex. _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
