This is a simple one.
The certificate chain of that website is incorrect, as shown here:
https://www.ssllabs.com/ssltest/analyze.html?d=www.formulare%2dbfinv.de&latest

Check your webserver first and correct your ciphers in your Apache webserver.

Greetz,

Louis

> -----Original message-----
> From: squid-users
> [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On behalf of Dieter Bloms
> Sent: Wednesday, 8 April 2020 13:37
> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: sometimes intermediate certificates
> were not downloaded when using sslbump
>
> Hello,
>
> I use a self compiled squid 4.10 compiled as follows:
>
> ~# squid --version
> Squid Cache: Version 4.10
> Service Name: squid
>
> This binary uses OpenSSL 1.1.1d 10 Sep 2019. For legal
> restrictions on distribution see
> https://www.openssl.org/source/license.html
>
> configure options: '--prefix=/usr' '--sysconfdir=/etc/squid'
> '--bindir=/usr/sbin' '--sbindir=/usr/sbin'
> '--localstatedir=/var' '--libexecdir=/usr/sbin'
> '--datadir=/usr/share/squid' '--mandir=/usr/share/man'
> '--with-default-user=squid' '--with-filedescriptors=131072'
> '--with-logdir=/var/log/squid' '--disable-auto-locale'
> '--disable-auth-negotiate' '--disable-auth-ntlm'
> '--disable-eui' '--disable-carp' '--disable-htcp'
> '--disable-ident-lookups' '--disable-loadable-modules'
> '--disable-translation' '--disable-wccp' '--disable-wccpv2'
> '--enable-async-io=128' '--enable-auth'
> '--enable-auth-basic=LDAP NCSA' '--enable-auth-digest=LDAP
> file' '--enable-epoll' '--enable-log-daemon-helpers=file'
> '--enable-icap-client' '--enable-inline' '--enable-snmp'
> '--enable-disk-io=AIO,DiskThreads,IpcIo,Blocking'
> '--enable-storeio=ufs,aufs,rock' '--enable-referer-log'
> '--enable-useragent-log' '--enable-large-cache-files'
> '--enable-removal-policies=lru,heap'
> '--enable-follow-x-forwarded-for' '--enable-ssl-crtd' '--with-openssl'
>
> In squid.conf I set the following acl at the very beginning of the acl section:
>
> # allow fetching of missing intermediate certificates
> acl fetch_intermediate_certificate transaction_initiator certificate-fetching
> cache allow fetch_intermediate_certificate
> cache deny all
> http_access allow fetch_intermediate_certificate
>
> and squid fetches intermediate certificates for websites
> like: https://incomplete-chain.badssl.com/
> But squid doesn't fetch the intermediate certificates for the
> site https://www.formulare-bfinv.de/
> and I don't know why.
>
> I checked all AIA entries in the certificates and it looks good to me.
>
> Can anybody try the site https://www.formulare-bfinv.de/ with
> sslbump enabled,
> so I can see whether my installation is broken or the
> webserver configuration isn't correct?
>
> Thank you very much.
>
> --
> Best regards
>
> Dieter Bloms
>
> --
> I do not get viruses because I do not use MS software.
> If you use Outlook then please do not put my email address in your
> address-book so that WHEN you get a virus it won't use my
> address in the
> From field.
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
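
An added example, not part of the original messages: the incomplete-chain situation discussed in this thread, reproduced offline with a constructed three-level PKI. It shows a leaf failing validation when only the root is known, the AIA caIssuers URL that names where the missing intermediate could be downloaded, and validation succeeding once that intermediate is supplied. All certificate names, file names and the URL are made-up placeholders.

```bash
#!/usr/bin/env bash
# Constructed throwaway PKI: root -> intermediate -> leaf. All names and the
# AIA URL below are made-up placeholders, not values from the thread.

make_demo_pki() {                       # $1 = scratch directory
  local d="$1"
  cat > "$d/x.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
authorityInfoAccess = caIssuers;URI:http://ca.example.invalid/inter.crt
EOF
  req()  { openssl req -config "$d/x.cnf" -newkey rsa:2048 -nodes "$@" 2>/dev/null; }
  sign() { openssl x509 -req -days 2 -extfile "$d/x.cnf" -CAcreateserial "$@" 2>/dev/null; }
  req -x509 -days 2 -extensions v3_ca -subj "/CN=Demo Root CA" \
      -keyout "$d/root.key" -out "$d/root.pem"
  req -subj "/CN=Demo Intermediate CA" -keyout "$d/inter.key" -out "$d/inter.csr"
  sign -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
       -extensions v3_ca -out "$d/inter.pem"
  req -subj "/CN=www.example.invalid" -keyout "$d/leaf.key" -out "$d/leaf.csr"
  sign -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
       -extensions v3_leaf -out "$d/leaf.pem"
}

# Validate leaf $2 against trusted root $1; $3 = optional untrusted intermediates.
chain_verifies() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# Print the caIssuers URL(s) from the AIA extension of certificate $1.
aia_ca_issuers() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *CA Issuers - URI://p'
}

demo() {
  local d; d=$(mktemp -d); make_demo_pki "$d"
  chain_verifies "$d/root.pem" "$d/leaf.pem" && echo "leaf only: ok" || echo "leaf only: FAILS"
  echo "AIA caIssuers: $(aia_ca_issuers "$d/leaf.pem")"
  chain_verifies "$d/root.pem" "$d/leaf.pem" "$d/inter.pem" && echo "with intermediate: ok"
  rm -rf "$d"
}
demo
```

The same `aia_ca_issuers` check can be pointed at a PEM file saved from a real server to confirm that each certificate in the chain carries a usable caIssuers URL.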