[squid-users] SSL3_READ_BYTES:sslv3 alert certificate unknown

Yuri Voinov yvoinov at gmail.com
Wed Oct 28 10:57:06 UTC 2015



28.10.15 16:47, Amos Jeffries writes:
> On 28/10/2015 11:35 p.m., Yuri Voinov wrote:
>> Hi gents.
>>
>> I think all of you who use Bump have seen plenty of these messages in your
>> cache.log.
>>
>> SSL3_READ_BYTES:sslv3 alert certificate unknown
>>
>> AFAIK, there is no way to identify which CA is absent in your setup.
>>
>> I propose to consider the following questions: how do we properly support
>> an SSL proxy if we cannot identify the problem certificates? Telepaths
>> are sunbathing in Bali. The procedure currently cannot quickly, or in
>> any effective way, determine such a certificate.
>>
>> At the moment, the situation is as follows. The SSL library is a thing in
>> itself: it runs by itself and does not write any logs. Squid is on its own
>> as well and receives no useful information from the library, only obscure
>> diagnostic messages. We have no possibility to make the SSL library's
>> diagnostic messages any more specific and, as I understand it, we will not.
>>
>> So, any ideas?
> Make sure Squid is sending the whole CA chain to the remote end?
I think so, "from the remote end". If we have a web server with a CA which 
does not exist on our proxy, we must install it (which means "trust 
them", yeah?) in our proxy manually.

I have an idiotic idea - Squid fetches the remote CA and offers us to trust and 
install it interactively. :) This is, of course, clinical idiotism. :)

But - to support a real Squid installation with thousands of users, I really 
want to know which CAs do not exist on my side.

Intermediate CAs do not matter - if we already have the root CA, fetching the 
intermediate chain is not a big problem.

In this case, however, we are facing exactly an unknown root CA.

Yes?

And so what?

Yeah, I can kick all users, watch the huge access.log, try to identify the 
problem URL row by row, and execute curl/wget.

And?

Do this procedure every day?

This is not the best; it is a waste of time.

Of course, the OpenSSL developers should have their hands torn off. But what 
about us, smart and handsome? ;)


>
> Amos
>
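As an added example (not code from this thread or from the Squid project), a small Python script that automates the check discussed above: it pulls the unique CONNECT destinations out of a Squid access.log in the native log format, attempts a verified TLS handshake to each against the local trust store, and on a verification failure reports OpenSSL's verify reason together with the issuer named in the presented leaf certificate, so the missing CA can be named without reading the log row by row. The log lines are constructed, and the script assumes an `openssl` binary on PATH and the hypothetical file name probe_cas.py.

```python
import re
import socket
import ssl
import subprocess
import sys

# Squid native log format: time elapsed client code/status bytes method URL ...
_CONNECT_RE = re.compile(
    r"^\S+\s+\d+\s+\S+\s+\S+\s+\d+\s+CONNECT\s+([^\s/:\[\]]+):(\d+)(?:\s|$)")
SAMPLE_LOG = [  # constructed sample lines, not from the thread
    "1446029826.123   1234 10.0.0.5 TCP_TUNNEL/200 4321 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -",
    "1446029827.001     12 10.0.0.6 TCP_MISS/200 800 GET http://www.example.org/ - HIER_DIRECT/93.184.216.34 text/html",
    "1446029828.500   2200 10.0.0.7 TCP_TUNNEL/200 9000 CONNECT mail.example.net:443 - HIER_DIRECT/192.0.2.10 -",
    "1446029829.250    900 10.0.0.5 TCP_TUNNEL/200 1500 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -",
]
def connect_targets(lines):
    """Unique (host, port) pairs from CONNECT entries, in first-seen order."""
    seen = []
    for line in lines:
        m = _CONNECT_RE.match(line)
        if m and (m.group(1), int(m.group(2))) not in seen:
            seen.append((m.group(1), int(m.group(2))))
    return seen

def probe(host, port=443, timeout=5):
    """(True, 'verified') or (False, '<openssl verify reason>; issuer=<DN of leaf signer>')."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ssl.create_default_context().wrap_socket(raw, server_hostname=host):
                return True, "verified"
    except ssl.SSLCertVerificationError as err:
        reason = err.verify_message  # e.g. "unable to get local issuer certificate"
    # Second, unverified connection only to read who signed the presented leaf cert.
    noverify = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    noverify.check_hostname = False
    noverify.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with noverify.wrap_socket(raw, server_hostname=host) as tls:
            pem = ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))
    out = subprocess.run(["openssl", "x509", "-noout", "-issuer"], input=pem,
                         capture_output=True, text=True, check=True)
    return False, f"{reason}; {out.stdout.strip()}"
if __name__ == "__main__":  # usage: python3 probe_cas.py /var/log/squid/access.log
    with open(sys.argv[1]) as log:
        for host, port in connect_targets(log):
            try:
                ok, detail = probe(host, port)
            except OSError as exc:  # timeouts, refused connections, non-verify TLS errors
                ok, detail = False, f"connect failed: {exc}"
            print(f"{'OK  ' if ok else 'FAIL'} {host}:{port} {detail}")
```

Every FAIL line names the CA that signed the server's leaf certificate, which is the chain you then have to decide whether to trust on the proxy; an "unable to get local issuer certificate" reason with an issuer you do not recognise is the unknown root CA case from the discussion.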
