Re: generate-host-certificates=on fails to generate certificates for _some_ hosts
Hi Alex,
Thanks for the help. Comments inline.


On Jan 13, 2021, at 2:23 PM, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:

On 1/13/21 4:33 PM, Greg Hulands wrote:

I am setting up squid 5.0.3 and during testing I have found some
websites fail to have their certificates generated correctly. I am
able to go to sites like YouTube.com and have the certificates for
that be generated correctly, but when I try to go to some others,
like arstechnica.com, they fail to generate and return the CA cert
that squid is using to sign certificates with.

Just to double check: Are you sure that the certificate the client gets
is the configured CA certificate? For example, do the two certificates
have the same fingerprint?

Yes, I verified it’s the same certificate - fingerprints are a match.


I turned the logging up on certificate stuff to 5 and have the cache log
from trying to make a request
here: https://gist.github.com/ghulands/f89b49bf180bfac86c98c46c4260f1eb

The posted snippet shows successful TLS negotiation with the origin
server (FD 23) and a subsequently failed negotiation with the client (FD
21). The latter may have failed because the client did not like the
certificate generated by Squid, but I did not check the exact failure
reason carefully.

The snippet has no information about Squid sending the (generated)
certificates to the client, but Squid appears to receive some generated
certificate from the helper (crtGenRq3180846).

* If you are sure that the client gets a wrong certificate from Squid,
then I recommend posting an ALL,9 log of the problematic transaction.
With some luck, we may be able to see what went wrong with certificate
generation (or virgin certificate validation??).


I can see it generates the certificate correctly, but couldn’t identify why it didn’t return the cert to the client.


* Otherwise, I recommend double checking what certificate the client
gets. If the client gets the correct generated certificate, then the
problem is not in certificate validation or generation.

Posting the certificate that the client actually gets may help a lot
with the triage as well.

The certificate that gets returned is in the logs as it’s the CA cert.

Thanks,
Greg



HTH,

Alex.
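The check Alex asks for above (does the certificate the client receives have the same fingerprint as the configured signing CA?), written out as an added shell helper; it is example code, not something from the thread or from the Squid project. It fetches the leaf certificate a TLS client is handed for a host, then classifies it against a local copy of the CA certificate: identical fingerprint means the client got the CA certificate itself (the symptom Greg reports), issuer matching the CA's subject with a different fingerprint means a per-host certificate generated and signed by that CA (the expected result), anything else is neither. The CA PEM path is whatever you hand the function; the fetch assumes the connection to port 443 is intercepted transparently, and the `-proxy` note covers an explicitly configured proxy. Requires the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example: classify the certificate a TLS client receives from a host whose
# traffic passes through an ssl-bump proxy, relative to the proxy's signing CA.
#   ca-itself        same fingerprint as the CA certificate (client got the CA cert)
#   generated-by-ca  issuer equals the CA subject, fingerprint differs (per-host cert)
#   other            neither (e.g. the origin's real certificate, or another CA)

# Print the SHA-256 fingerprint (colon-separated hex) of the first certificate in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Print the subject / issuer DN of the first certificate in a PEM file,
# with the "subject=" / "issuer=" prefix removed so the two can be compared directly.
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^[^=]*=//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^[^=]*=//'; }

# fetch_leaf_cert HOST PORT OUT: save the leaf certificate presented for HOST:PORT as PEM.
# Assumes transparent interception (the client connects to the host directly); for an
# explicitly configured proxy add "-proxy proxyhost:port" to the s_client call.
fetch_leaf_cert() {
    host=$1; port=${2:-443}; out=$3
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$out"
}

# classify_cert LEAF_PEM CA_PEM: print ca-itself, generated-by-ca or other.
classify_cert() {
    leaf_fp=$(cert_fingerprint "$1")
    ca_fp=$(cert_fingerprint "$2")
    if [ "$leaf_fp" = "$ca_fp" ]; then
        echo ca-itself
    elif [ "$(cert_issuer "$1")" = "$(cert_subject "$2")" ]; then
        echo generated-by-ca
    else
        echo other
    fi
}

# classify_served_cert HOST CA_PEM: fetch the certificate HOST presents and classify it.
# Example: classify_served_cert arstechnica.com /etc/squid/bump-ca.pem   (path is a placeholder)
classify_served_cert() {
    tmp=$(mktemp)
    fetch_leaf_cert "$1" 443 "$tmp"
    classify_cert "$tmp" "$2"
    rm -f "$tmp"
}
```

Running `classify_served_cert` against a working host and a failing one side by side gives the triage Alex describes: `generated-by-ca` for the working host, `ca-itself` for the host that reproduces the problem, and `other` if the client is in fact seeing the origin's own certificate (in which case the bump is not happening at all).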

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users