Hello Matus,

thank you for your answer.

On Tue, Jul 21, Matus UHLAR - fantomas wrote:

> On 21.07.20 09:41, Dieter Bloms wrote:
> > we use the sslbump feature and it works very well.
> > But some sites can't be reached because of a missing intermediate
> > certificate.
> >
> > In squid.conf we have configured the following parameters:
> >
> > --snip--
> > # allow fetching of missing intermediate certificates
> > acl fetch_intermediate_certificate transaction_initiator certificate-fetching
> > http_access allow fetch_intermediate_certificate
> > cache allow fetch_intermediate_certificate
> > cache deny all
> > --snip--
> >
> > and fetching the intermediate certificate works for sites like:
> > https://incomplete-chain.badssl.com/
> >
> > but for some sites like https://mycase.cloudapps.cisco.com/
> > squid doesn't fetch the intermediate certificate and returns
> > X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
> >
> > In my eyes the certificate of mycase.cloudapps.cisco.com contains an AIA
> > record.
> >
> > output of openssl on the certificate of mycase.cloudapps.cisco.com
> > --snip--
> > Authority Information Access:
> >     CA Issuers - URI:http://trust.quovadisglobal.com/hydsslg2.crt
> >     OCSP - URI:http://ocsp.quovadisglobal.com
> > --snip--
> >
> > so does anybody see what's the reason why squid doesn't download the
> > intermediate certificate for mycase.cloudapps.cisco.com ?
>
> squid can't download certificates other than the website provides.

that's not true:

from the site https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

"Squid-4 is capable of downloading missing intermediate CA certificates, like popular browsers do."

> if a website does not provide a valid certificate chain, it's up to the client
> to produce an error. With a browser, you can allow the certificate explicitly.

with sslbump the browser doesn't see the origin webserver certificate, but
sees the squid-created one.

> It is also possible that the browser has the intermediate certificate
> remembered.

as I already wrote, we use sslbump.

> testing the certificate for mycase.cloudapps.cisco.com shows only one
> certificate I can see:
>
> Certificate chain
>  0 s:C = US, ST = California, L = San Jose, O = "Cisco Systems, Inc.", CN = mycase.cloudapps.cisco.com
>    i:C = US, O = HydrantID (Avalanche Cloud Corporation), CN = HydrantID SSL ICA G2
>
> the HydrantID SSL ICA G2 certificate seems to be missing here.
>
> --
> Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> Windows 2000: 640 MB ought to be enough for anybody
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users

--
Regards

Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
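As an added illustration of the failure mode discussed in this thread (this is not code from the thread, from Squid, or from the Squid wiki page quoted above): the POSIX shell script below builds a throwaway root / intermediate / leaf hierarchy with openssl, gives the leaf an AIA "CA Issuers" pointer like the one in the cisco.com certificate, and then verifies the leaf twice: once as a client that only holds the root and was handed the leaf alone (which produces the "unable to get local issuer certificate" result, i.e. X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY), and once after the issuer has been obtained through the AIA URL, which is the step Squid-4's certificate-fetching transactions perform. The CA names, the hostname www.example.test and the URL http://ca.example.test/intermediate.crt are assumptions; the download itself is simulated by a local lookup so that the script runs offline.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread and not Squid code):
# reproduce an incomplete certificate chain with openssl and show how an
# AIA caIssuers download repairs it. Everything is generated locally.
set -e

WORK=$(mktemp -d)
# Hypothetical AIA location. In the real case this is the QuoVadis URI shown
# in the leaf certificate's "CA Issuers" field.
AIA_URL="http://ca.example.test/intermediate.crt"

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Build root -> intermediate -> leaf. The leaf carries an AIA caIssuers pointer,
# but the "server" will only hand out leaf.pem, like mycase.cloudapps.cisco.com.
make_pki() {
  openssl req -x509 -config "$WORK/req.cnf" -extensions v3_ca \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" \
    -subj "/CN=Example Root CA" -days 30 2>/dev/null

  openssl req -new -config "$WORK/req.cnf" \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/ica.key" -out "$WORK/ica.csr" \
    -subj "/CN=Example Intermediate CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ica.ext"
  openssl x509 -req -in "$WORK/ica.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -out "$WORK/ica.pem" -days 30 -extfile "$WORK/ica.ext" 2>/dev/null

  openssl req -new -config "$WORK/req.cnf" \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
    -subj "/CN=www.example.test" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\nauthorityInfoAccess=caIssuers;URI:%s\n' \
    "$AIA_URL" > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ica.pem" -CAkey "$WORK/ica.key" \
    -CAcreateserial -out "$WORK/leaf.pem" -days 30 -extfile "$WORK/leaf.ext" 2>/dev/null
}

# What the client gets from the server is the leaf only; its AIA extension
# says where the missing issuer can be downloaded.
aia_ca_issuers_url() {
  openssl x509 -in "$WORK/leaf.pem" -noout -text | sed -n 's/^ *CA Issuers - URI://p'
}

# Verification by a client that trusts the root but was never given the
# intermediate: this is the X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY case.
verify_leaf_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1 || true
}

# Stand-in for the AIA download: maps the (hypothetical) URL to the locally
# generated issuer. A real fetcher would GET the URL and decode the DER/PEM
# body; that is what Squid-4 does when certificate-fetching is allowed.
fetch_issuer() {
  case "$1" in
    "$AIA_URL") cat "$WORK/ica.pem" ;;
    *) return 1 ;;
  esac
}

# Verification after the intermediate has been obtained via the AIA URL.
verify_with_fetched_issuer() {
  fetch_issuer "$(aia_ca_issuers_url)" > "$WORK/fetched.pem"
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/fetched.pem" "$WORK/leaf.pem" 2>&1
}

make_pki
echo "AIA caIssuers: $(aia_ca_issuers_url)"
echo "leaf only:     $(verify_leaf_only)"
echo "after fetch:   $(verify_with_fetched_issuer)"
```

To apply the same check to a real site, `openssl s_client -connect host:443 -servername host -showcerts` shows exactly which certificates the server sends (for an incomplete chain only the leaf appears, as in Matus's output), and `openssl x509 -noout -text` on that leaf shows whether a "CA Issuers" URI is present for Squid to follow.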