Re: squid doesn't fetch the intermediate certificate for some sites

On 21.07.20 09:41, Dieter Bloms wrote:
> we use the sslbump feature and it works very well.
> But some sites can't be reached because of missing intermediate
> certificate.
>
> In squid.conf we have configured the following parameters:
>
> --snip--
> # allow fetching of missing intermediate certificates
> acl fetch_intermediate_certificate transaction_initiator certificate-fetching
> http_access allow fetch_intermediate_certificate
> cache allow fetch_intermediate_certificate
> cache deny all
> --snip--
>
> and fetching the intermediate certificate works for sites like: https://incomplete-chain.badssl.com/
>
> but for some sites like https://mycase.cloudapps.cisco.com/
> squid doesn't fetch the intermediate certificate and returns X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
>
> In my eyes the certificate of mycase.cloudapps.cisco.com contains an AiA
> record.
>
> output of openssl on certificate of mycase.cloudapps.cisco.com
> --snip--
>            Authority Information Access:
>                CA Issuers - URI:http://trust.quovadisglobal.com/hydsslg2.crt
>                OCSP - URI:http://ocsp.quovadisglobal.com
> --snip--
>
> so does anybody see what's the reason, why squid doesn't download the
> intermediate certificate for mycase.cloudapps.cisco.com ?

squid can't download certificates other than those the website provides.
if a website does not provide a valid certificate chain, it's up to the client
to produce an error. With a browser, you can allow the certificate explicitly.

It is also possible that the browser has the intermediate certificate
remembered.

testing certificate for mycase.cloudapps.cisco.com shows only one
certificate I can see:

Certificate chain
0 s:C = US, ST = California, L = San Jose, O = "Cisco Systems, Inc.", CN = mycase.cloudapps.cisco.com
  i:C = US, O = HydrantID (Avalanche Cloud Corporation), CN = HydrantID SSL ICA G2

the HydrantID SSL ICA G2 certificate seems to be missing here.



--
Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows 2000: 640 MB ought to be enough for anybody
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
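
A way to read the two openssl outputs quoted in this thread together, as an added example that is not part of the original messages: it reports which issuer the server did not send and where the AIA record says it can be fetched. The function names, the FULL listing and the TRUSTED set are constructed assumptions; matching is by DN string only.

```python
import re

# Chain listing and AIA lines as quoted in the thread above (only the leaf is sent).
LEAF_ONLY = '''Certificate chain
 0 s:C = US, ST = California, L = San Jose, O = "Cisco Systems, Inc.", CN = mycase.cloudapps.cisco.com
   i:C = US, O = HydrantID (Avalanche Cloud Corporation), CN = HydrantID SSL ICA G2
'''
LEAF_TEXT = '''Authority Information Access:
    CA Issuers - URI:http://trust.quovadisglobal.com/hydsslg2.crt
    OCSP - URI:http://ocsp.quovadisglobal.com
'''
# Constructed contrast case: the server also sends its intermediate.
FULL = '''Certificate chain
 0 s:CN = www.example.test
   i:CN = Example Test ICA
 1 s:CN = Example Test ICA
   i:CN = Example Test Root
'''
TRUSTED = {"CN = Example Test Root"}  # constructed stand-in for the trust store

ENTRY = re.compile(r"^[ \t]*\d+ s:(.*)\n[ \t]*i:(.*)$", re.MULTILINE)
CA_ISSUERS = re.compile(r"CA Issuers - URI:(\S+)")

def parse_chain(listing):
    """Return [(subject, issuer)] in the order the server sent them."""
    return [(s.strip(), i.strip()) for s, i in ENTRY.findall(listing)]

def diagnose(listing, leaf_text, trusted):
    """Report which issuer the verifier has to find on its own.

    Compares DN strings only; real path building also checks signatures.
    """
    chain = parse_chain(listing)
    if not chain:
        raise ValueError("no certificates in listing")
    sent = {subject for subject, _ in chain}
    top_issuer = chain[-1][1]
    missing = None if top_issuer in sent | trusted else top_issuer
    return {
        "certs_sent": len(chain),
        "missing_issuer": missing,
        # Where an AIA-aware verifier would look for the missing issuer.
        "fetch_from": CA_ISSUERS.findall(leaf_text) if missing else [],
    }

if __name__ == "__main__":
    print(diagnose(LEAF_ONLY, LEAF_TEXT, TRUSTED))
    print(diagnose(FULL, "", TRUSTED))
```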



