[squid-users] SSL3_READ_BYTES:sslv3 alert certificate unknown

Amos Jeffries squid3 at treenet.co.nz
Wed Oct 28 13:55:05 UTC 2015

On 28/10/2015 11:57 p.m., Yuri Voinov wrote:
> 28.10.15 16:47, Amos Jeffries пишет:
>> On 28/10/2015 11:35 p.m., Yuri Voinov wrote:
>>> Hi gents.
>>> I think, all of you who use Bump, seen much this messages in your
>>> cache.log.
>>> SSL3_READ_BYTES:sslv3 alert certificate unknown
>>> AFAIK, no way to identify which CA is absent in your setup.
>>> I propose to consider the following questions: how do properly support
>>> SSL proxy, if you can not identify the problem certificates? Telepaths
>>> sunbathing in Bali. The procedure, which currently can not quickly and
>>> in any way to effectively determine such a certificate.
>>> At the moment, the situation is as follows. SSL library - a thing in
>>> itself, it runs by itself and does not write any logs. Squid - itself
>>> and any useful information on the library does not receive but obscure
>>> diagnostic messages. The possibility in any way specify the SSL library
>>> diagnostic messages we have, and, as I understand it, will not.
>>> So, any ideas?
>> Make sure Squid is sending the whole CA chain to the remote end?
> I think so, "From the remote end". If we have web-server with CA, which
> is not exists on our proxy, we must install it (which means "trust
> them", yea?) in our proxy manually.
> I have idiotic idea - Squid fetch remote CA and offer us to trust and
> install interactively. :) This is, of course, clinically idiotism. :)

That is what the Browsers do. It has been suggested to write a cert
validator that does it too.

> But - to support real Squid installation with thoursands users, I really
> want to know, which CA's not exists from my side.
> Intermediate CA's is no matter - if we have root CA already, fetch
> intermediate chain is not big problem.
> In this case, however, we faced unknown root CA exactly.
> Yes?

I doubt. Chains do not have length limits and IIRC you can't know that
it is a root CA until you actually have it and see that it is
self-signed. At which point it is not "certificate unknown" anymore.

What is missing is just some CA in the chain. It needs to be located
somehow, only then can the decision happen about whether to trust or not
and see if another up the chain is needed too.

> And so what?

So by walking the chain and filling in as needed the cert validator
helper can probably fill the whole sequence in and reach a root CA that
is already trusted and tells you the found ones can be too. That is what
the Browsers do.


More information about the squid-users mailing list