
(92) Protocol error (TLS code: X509_V_ERR_CERT_HAS_EXPIRED)

Hello.

Running Squid 4.11 on FreeBSD 11.3 with SSLBump, for a few days I've had several sites (e.g. https://www.kawasaki.it/) failing with:

The following error was encountered while trying to retrieve the URL: https://www.kawasaki.it/*

    Failed to establish a secure connection to 54.39.161.167

The system returned:

    (92) Protocol error (TLS code: X509_V_ERR_CERT_HAS_EXPIRED)

    SSL Certificate expired on: May 30 10:48:38 2020 GMT

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.



When this happens, in cache.log I see:
2020/06/23 15:03:31 kid1| ERROR: negotiating TLS on FD 33: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
2020/06/23 15:03:31 kid1| ERROR: negotiating TLS on FD 33: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
2020/06/23 15:03:31 kid1| ERROR: negotiating TLS on FD 53: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)



I know an intermediate certificate expired, but a new one should have been published.



What I find strange, is that using openssl directly succeeds:

# openssl s_client -connect www.kawasaki.it:https
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert CN RSA CA G1
verify return:1
depth=0 C = CN, ST = \E7\A6\8F\E5\BB\BA\E7\9C\81, L = \E5\8E\A6\E9\97\A8\E5\B8\82, O = \E7\BD\91\E5\AE\BF\E7\A7\91\E6\8A\80\E8\82\A1\E4\BB\BD\E6\9C\89\E9\99\90\E5\85\AC\E5\8F\B8\E5\8E\A6\E9\97\A8\E5\88\86\E5\85\AC\E5\8F\B8, OU = IT, CN = webssl.chinanetcenter.com
verify return:1
---
Certificate chain
 0 s:/C=CN/ST=\xE7\xA6\x8F\xE5\xBB\xBA\xE7\x9C\x81/L=\xE5\x8E\xA6\xE9\x97\xA8\xE5\xB8\x82/O=\xE7\xBD\x91\xE5\xAE\xBF\xE7\xA7\x91\xE6\x8A\x80\xE8\x82\xA1\xE4\xBB\xBD\xE6\x9C\x89\xE9\x99\x90\xE5\x85\xAC\xE5\x8F\xB8\xE5\x8E\xA6\xE9\x97\xA8\xE5\x88\x86\xE5\x85\xAC\xE5\x8F\xB8/OU=IT/CN=webssl.chinanetcenter.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert CN RSA CA G1
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert CN RSA CA G1
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/C=CN/ST=\xE7\xA6\x8F\xE5\xBB\xBA\xE7\x9C\x81/L=\xE5\x8E\xA6\xE9\x97\xA8\xE5\xB8\x82/O=\xE7\xBD\x91\xE5\xAE\xBF\xE7\xA7\x91\xE6\x8A\x80\xE8\x82\xA1\xE4\xBB\xBD\xE6\x9C\x89\xE9\x99\x90\xE5\x85\xAC\xE5\x8F\xB8\xE5\x8E\xA6\xE9\x97\xA8\xE5\x88\x86\xE5\x85\xAC\xE5\x8F\xB8/OU=IT/CN=webssl.chinanetcenter.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert CN RSA CA G1
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 7635 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 82265A527B8027908036EBB9486CC7A048E484F836AD3250952976969D95E12D
    Session-ID-ctx: 
    Master-Key: 0738979C685DE1EFC159C9D21453A069379651D1B28326165A5C0C52265EE4601ED6D01BB44D74FFDEBACF7F73085853
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - f9 b5 c9 ba 56 9e 82 e9-e0 9e d1 09 bd 1e e3 ee   ....V...........
    0010 - 24 0d 2a a3 ec c9 76 e3-60 b9 03 ff 86 62 e5 f3   $.*...v.`....b..
    0020 - e4 28 3f e2 1b 3f 9a 42-3e 89 ce 5d b0 5a 78 3a   .(?..?.B>..].Zx:
    0030 - 27 fa e3 0d f2 e8 72 2f-92 c5 a8 14 cd f3 22 0b   '.....r/......".
    0040 - bc ec e3 f3 74 95 cf 07-56 b8 37 e1 a0 66 a5 23   ....t...V.7..f.#
    0050 - 92 03 f3 b4 5b 47 4f f8-a0 11 c2 a2 9a 48 b5 6f   ....[GO......H.o
    0060 - 6a e0 e6 2d ac f6 dc 23-32 ea b3 1a 92 11 ba f9   j..-...#2.......
    0070 - 3c 4b 51 c8 3f ff 2d 37-15 89 56 2c 8e 63 ab 08   <KQ.?.-7..V,.c..
    0080 - 0d 54 be fd f2 7c 3b 3a-2f 58 79 3d f6 58 31 91   .T...|;:/Xy=.X1.
    0090 - 22 01 9e 2b 9a 62 fd 7b-3a 0b f0 71 f6 56 77 28   "..+.b.{:..q.Vw(
    00a0 - 39 a3 0e 51 1e 39 fb b9-56 94 85 3c 93 7d e7 e1   9..Q.9..V..<.}..

    Start Time: 1592924413
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---



Why is this?
Does Squid perform something different from OpenSSL?
Does it have some certificate cache I should clear? How?

 bye & Thanks
	av.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
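The s_client run above was made without -servername, so it shows the chain the server sends when no SNI is present (note the webssl.chinanetcenter.com default certificate). Squid forwards the client's SNI on the outgoing connection, so the chain it verifies may not be the one shown here. The script below is an added example, not part of the original post or of the Squid project: it fetches the chain for a given SNI name, splits it, and reports the notAfter date of every certificate, flagging any that is expired (or, with a grace period, about to expire). It assumes only that openssl(1) is installed; the host and SNI names are arguments you supply.

```shell
#!/bin/sh
# Added example (not from the original post or the Squid project): dump the
# certificate chain a server presents for a given SNI name and flag every
# certificate that is expired (or, with a grace period, about to expire).
# Only openssl(1) is assumed to be installed; host and SNI names are
# hypothetical arguments supplied by the caller.

# fetch_chain HOST [SNI]: print the PEM chain the server sends when asked for
# SNI (defaults to HOST). Squid forwards the client's SNI, so check with it set;
# a server may present a different chain for a different name.
fetch_chain() {
    host=$1; sni=${2:-$1}
    openssl s_client -connect "$host:443" -servername "$sni" -showcerts \
        </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# chain_count FILE: number of PEM certificates in FILE (0 if none)
chain_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# chain_report FILE [GRACE_SECONDS]: print index, subject, issuer and notAfter
# of each certificate in FILE, in wire order. A certificate counts as bad when
# it is already expired or will expire within GRACE_SECONDS (default 0).
# Returns 0 if every certificate is good, 1 if any is bad, 2 if FILE is empty.
chain_report() {
    file=$1; grace=${2:-0}
    n=$(chain_count "$file")
    if [ "$n" -eq 0 ]; then
        echo "no certificates found in $file" >&2
        return 2
    fi
    dir=$(mktemp -d)
    # split the bundle into one file per certificate
    awk -v out="$dir/cert" '
        /-----BEGIN CERTIFICATE-----/ { i++; f = out i ".pem" }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }' "$file"
    bad=0
    i=1
    while [ "$i" -le "$n" ]; do
        c="$dir/cert$i.pem"
        subj=$(openssl x509 -in "$c" -noout -subject)
        iss=$(openssl x509 -in "$c" -noout -issuer)
        end=$(openssl x509 -in "$c" -noout -enddate | sed 's/^notAfter=//')
        # -checkend exits 0 only if the cert is still valid GRACE seconds from now
        if openssl x509 -in "$c" -noout -checkend "$grace" >/dev/null; then
            status=ok
        else
            status=EXPIRED_OR_EXPIRING
            bad=$((bad + 1))
        fi
        printf '%d: %s\n   %s\n   notAfter=%s  [%s]\n' "$i" "$subj" "$iss" "$end" "$status"
        i=$((i + 1))
    done
    rm -rf "$dir"
    [ "$bad" -eq 0 ]
}

# Stand-alone use: ./chain_check.sh www.kawasaki.it [sni-name]
if [ "$#" -ge 1 ]; then
    tmpchain=$(mktemp)
    fetch_chain "$1" "${2:-$1}" > "$tmpchain"
    chain_report "$tmpchain"
    rc=$?
    rm -f "$tmpchain"
    exit "$rc"
fi
```

Run it once with the SNI name Squid would send and once with a different or empty name and compare the two reports: a chain that verifies for one name and contains an expired intermediate for the other explains a proxy failing where a plain s_client succeeds. To reproduce Squid's verdict rather than s_client's, feed the saved chain to openssl verify with the same CA bundle Squid is configured to use (tls_outgoing_options cafile= or capath= in squid.conf).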



