On 6/23/20 11:04 AM, Andrea Venturoli wrote:
> Running Squid 4.11 on FreeBSD 11.3 with SSLBump, for a few days I've
> got several sites (e.g. https://www.kawsaki.it/) failing with:
>
>> The following error was encountered while trying to retrieve the URL:
>> https://www.kawasaki.it/*
>>
>> Failed to establish a secure connection to 54.39.161.167
>>
>> The system returned:
>>
>> (92) Protocol error (TLS code: X509_V_ERR_CERT_HAS_EXPIRED)
>>
>> SSL Certificate expired on: May 30 10:48:38 2020 GMT
>
> When this happens, in cache.log I see:
>
>> 2020/06/23 15:03:31 kid1| ERROR: negotiating TLS on FD 33:
>> error:14090086:SSL routines:ssl3_get_server_certificate:certificate
>> verify failed (1/-1/0)
>
> I know an intermediate certificate expired, but a new one should have
> been published.
> Does Squid perform something different from OpenSSL?

Yes, Squid has custom TLS-related code, including certificate validation,
generation, and fetching code.

> Does it have some certificate cache

Yes, there can be two or even four caches in play here:

1. The in-RAM cache of generated fake certificates (see
   dynamic_cert_mem_cache_size),
2. on-disk cache of generated fake certificates (see sslcrtd_program),
3. a regular HTTP in-RAM cache (see cache_mem) that may keep a copy of the
   intermediate certificate downloaded by Squid,
4. a regular HTTP on-disk cache (see cache_dir) that may keep a copy of the
   intermediate certificate downloaded by Squid.

> I should clear?

*If* Squid is caching an expired certificate without revalidation, then this
is essentially a Squid bug. There are many unknowns here, so I cannot confirm
or deny the existence of such a bug without spending more free time which I
do not have (unfortunately). I also do not know (did not check) whether Squid
is caching the expired fake certificate and/or the real intermediate one.

You can try to fix the problem or work around the Squid bug by clearing the
caches.

> How?

I would begin with a full Squid shutdown and start.
This will clear all in-RAM caches.

If the problem persists, you can remove the entire on-disk certificate
generator cache (or extract the bad certificates from it, but that requires
even more work). See sslcrtd_program for more info on that cache location.
Do not forget to re-initialize it!

If the problem persists, you can remove the entire on-disk HTTP cache (or
extract the bad certificates from it, but that requires even more work). See
cache_dir for more info on that cache location. Do not forget to
re-initialize it!

I cannot give you step-by-step instructions, but others on the list may pitch
in as you make progress in your triage using the above hints.

HTH,

Alex.
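The cache-clearing sequence Alex outlines (full stop, then the generator's on-disk certificate cache, then the on-disk HTTP cache, re-initializing each before starting Squid again) written out as a FreeBSD /bin/sh script. This is an added example, not code from the thread or from the Squid project; the paths, the helper location, the 4MB database size, the `squid` user, the binary locations and the environment-variable names (DRY_RUN, RESET_SQUID_CACHES) are assumptions that must be matched to the sslcrtd_program, cache_dir and cache_effective_user lines of the local squid.conf.

```shell
#!/bin/sh
# Added example: reset every Squid cache that may hold an expired certificate.
# Order follows the thread: stop (clears RAM caches) -> generated-cert DB ->
# on-disk HTTP cache -> start. All values below are assumptions; adjust them
# to squid.conf (sslcrtd_program -s/-M, cache_dir, cache_effective_user).
SSL_DB="${SSL_DB:-/var/squid/ssl_db}"                 # -s of sslcrtd_program (assumed)
SSL_DB_SIZE="${SSL_DB_SIZE:-4MB}"                     # -M of sslcrtd_program (assumed)
CACHE_DIRS="${CACHE_DIRS:-/var/squid/cache}"          # space-separated cache_dir paths (assumed)
CERTGEN="${CERTGEN:-/usr/local/libexec/squid/security_file_certgen}"  # FreeBSD port location (assumed)
SQUID_BIN="${SQUID_BIN:-/usr/local/sbin/squid}"       # assumed
SQUID_USER="${SQUID_USER:-squid}"                     # cache_effective_user (assumed)
DRY_RUN="${DRY_RUN:-0}"                               # 1 = print commands instead of running them

# Run a command, or just print it with a "+" prefix when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Step 1: a full shutdown discards the in-RAM fake-cert cache and cache_mem.
# Wait until the master process is really gone before touching disk caches.
stop_squid() {
    run "$SQUID_BIN" -k shutdown
    if [ "$DRY_RUN" != "1" ]; then
        while "$SQUID_BIN" -k check 2>/dev/null; do sleep 1; done
    fi
}

# Step 2: drop the generated-certificate DB and re-initialize it with the
# helper (-c creates a fresh DB at -s with size -M), owned by the Squid user.
reset_cert_cache() {
    run rm -rf "$SSL_DB"
    run "$CERTGEN" -c -s "$SSL_DB" -M "$SSL_DB_SIZE"
    run chown -R "$SQUID_USER" "$SSL_DB"
}

# Step 3: drop each cache_dir and let "squid -z" recreate the swap directories.
reset_http_cache() {
    for d in $CACHE_DIRS; do
        run rm -rf "$d"
        run mkdir -p "$d"
        run chown "$SQUID_USER" "$d"
    done
    run "$SQUID_BIN" -z
}

start_squid() {
    run "$SQUID_BIN"
}

# Print the ordered plan without executing anything (subshell keeps DRY_RUN local).
plan() (
    DRY_RUN=1
    stop_squid
    reset_cert_cache
    reset_http_cache
    start_squid
)

# Only act when explicitly asked; otherwise the script just defines functions.
if [ "${RESET_SQUID_CACHES:-0}" = "1" ]; then
    stop_squid
    reset_cert_cache
    reset_http_cache
    start_squid
else
    plan
fi
```

Run it once without RESET_SQUID_CACHES to review the printed plan, then with RESET_SQUID_CACHES=1 as root. The ordering is what matters: security_file_certgen -c and squid -z must run while Squid is stopped, and the recreated directories must belong to the cache_effective_user or Squid will fail to open them on start.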