On 26/01/22 06:12, Eliezer Croitoru wrote:
> Hey,
> I have recently seen more than one site that doesn't provide the full CA bundle chain.
> An example:
> https://www.ssllabs.com/ssltest/analyze.html?d=www.cloudschool.org
> https://www.ssllabs.com/ssltest/analyze.html?d=certificatechain.io
> I wanted to somehow get this issue logged properly.
> Currently squid sends the client a customized 503 page and the next line in cache.log:
> 2022/01/25 19:01:25 kid1| ERROR: negotiating TLS on FD 26: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (1/-1/0)
> Were there any improvements in this area in 5.x or 6.x branches?
"in this area" yes. Both versions have significant bug fixes around the chain handling. As usual, the later the Squid version, the better SSL-Bump and TLS "cutting edge" features work.
YMMV whether those changes help in your particular instances of the error. Some are caused by TLS certs just being invalid.
> And also the logging is very uninformative regarding the culprit of the issue.
That has improved a little in later versions. It is part of the ongoing work to figure out what is going on and what needs to be logged to understand the actions without facing a flood of crypto information.
> I would have expected that the remote host ip:port and sni would be logged as well in the above mentioned line.
SNI is one of the details TLS/1.3 encrypts now :(
> Currently I do not know about a way to identify from the logs these specific sites.
The "ERROR:" message gives you the FD number of the relevant client connection. With that "FD nn" you can scan the preceding cache.log in sections:
  5,9
  50,9
  51,3 (generic I/O)
  83,7 (security I/O)
  11,2 (HTTP messaging for CONNECT tunnel and cert fetches, if any)

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
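The FD-based scan Amos describes can be scripted. The following is an added example, not code from the thread or from the Squid project: it takes the "ERROR: negotiating TLS on FD nn" line, walks backwards through cache.log for earlier lines tagged with the same "FD nn", and stops at the line that opened that descriptor, because FD numbers are reused and anything before that belongs to an unrelated connection. The sample log is constructed; only the ERROR line copies the real format quoted above, the other lines are invented stand-ins for the records the listed debug sections (set via `debug_options`, e.g. `debug_options ALL,1 51,3 83,7`) emit at those levels, and the `open_marker` string is an assumption you must adjust to whatever your Squid version prints when a descriptor is opened.

```python
import re

# Constructed sample of cache.log contents (NOT real Squid output). The ERROR
# lines copy the format quoted in the thread; every other line is an invented
# stand-in for an FD-tagged record so the correlation logic has input to work on.
SAMPLE_CACHE_LOG = """\
2022/01/25 19:01:23 kid1| fd_open() FD 26 Description: 'www.example.test:443'
2022/01/25 19:01:23 kid1| connect FD 26 to 203.0.113.10:443
2022/01/25 19:01:24 kid1| read FD 27 size 512
2022/01/25 19:01:24 kid1| TLS handshake FD 26 with 203.0.113.10:443
2022/01/25 19:01:25 kid1| ERROR: negotiating TLS on FD 26: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (1/-1/0)
2022/01/25 19:01:26 kid1| fd_close() FD 26
2022/01/25 19:01:30 kid1| fd_open() FD 26 Description: 'other.example.test:443'
2022/01/25 19:01:31 kid1| ERROR: negotiating TLS on FD 26: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (1/-1/0)
"""

# Matches the ERROR line format quoted in the thread and captures the FD number.
ERROR_RE = re.compile(r"ERROR: negotiating TLS on FD (\d+): (.*)$")
# IPv4 or hostname followed by :port; used to pull peer hints out of context lines.
HOSTPORT_RE = re.compile(
    r"\b((?:\d{1,3}\.){3}\d{1,3}|[A-Za-z0-9.-]+\.[A-Za-z]+):(\d{1,5})\b"
)


def find_tls_errors(log_text):
    """Return (line_index, fd, message) for every TLS negotiation ERROR line."""
    found = []
    for idx, line in enumerate(log_text.splitlines()):
        m = ERROR_RE.search(line)
        if m:
            found.append((idx, int(m.group(1)), m.group(2)))
    return found


def fd_context(log_text, error_index, fd, open_marker="fd_open()"):
    """Collect earlier lines mentioning 'FD <fd>', newest-last, back to the line
    that opened this descriptor. open_marker is an ASSUMED string: replace it
    with whatever your Squid version logs (section 51,3) when an FD is opened."""
    lines = log_text.splitlines()
    fd_re = re.compile(r"\bFD %d\b" % fd)  # word-bounded so FD 26 != FD 260
    ctx = []
    for i in range(error_index - 1, -1, -1):
        if not fd_re.search(lines[i]):
            continue
        ctx.append(lines[i])
        if open_marker in lines[i]:
            break  # FD numbers are reused; earlier lines are another connection
    ctx.reverse()
    return ctx


def peer_hints(context_lines):
    """Unique host:port strings seen in the context, in order of first appearance;
    a cheap substitute for the remote ip:port the ERROR line itself lacks."""
    hints = []
    for line in context_lines:
        for host, port in HOSTPORT_RE.findall(line):
            pair = "%s:%s" % (host, port)
            if pair not in hints:
                hints.append(pair)
    return hints


def report(log_text):
    """One dict per TLS ERROR: its line, FD, message, FD-correlated context, peers."""
    results = []
    for idx, fd, msg in find_tls_errors(log_text):
        ctx = fd_context(log_text, idx, fd)
        results.append({"line": idx, "fd": fd, "error": msg,
                        "context": ctx, "peers": peer_hints(ctx)})
    return results


if __name__ == "__main__":
    for r in report(SAMPLE_CACHE_LOG):
        print("FD %d at line %d: %s" % (r["fd"], r["line"], r["error"]))
        for c in r["context"]:
            print("    " + c)
        print("    peer hints: %s" % ", ".join(r["peers"]))
```

Run it against a real cache.log by reading the file into `report()`; the two ERROR lines in the sample share FD 26, and the open-marker stop is what keeps the first connection's lines out of the second error's context.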