[squid-users] X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY error with transparent proxy configured with peek and splice

Sébastien Damaye sebastien at damaye.fr
Mon Apr 4 17:11:56 UTC 2016


Hi community,

I have set up Squid as a transparent proxy (iptables is taking care of
redirecting 80/tcp and 443/tcp traffic to Squid) with peek and splice on
a Debian Jessie server to perform SSL inspection. Below is the
interesting part of my squid.conf file:

http_port 3130
http_port 3128 intercept
https_port 3129 intercept ssl-bump \
    cert=/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB \
    options=NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE \
    dhparams=/etc/squid/ssl_cert/dhparam.pem

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl nobumpSites ssl::server_name "/etc/squid/domain.nobump"

ssl_bump peek step1 all
ssl_bump peek step2 nobumpSites
ssl_bump splice step3 nobumpSites
ssl_bump bump

sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

The SSL inspection works fine for the majority of the websites (I
populate domain.nobump with some domains from time to time), but I had an
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY error that I'm not able to
fix while visiting https://blog.kaspersky.com. I have added
".blog.kaspersky.com" to my domain.nobump file, but I still can't visit
the website.

Could you please help? Many thanks in advance for your inputs.

-- 
Cordialement/Regards,

Sébastien Damaye
PGP keyID: 0x59B1D7DE
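The error named in the post is OpenSSL verify error 20: the certificate chain the peeked server presented stops at a certificate whose issuer cannot be found in the trust store the verifier is using, which almost always means the server sent only its leaf and the intermediate CA is neither served in the handshake nor present locally. The script below is an added example, not code from the post or from the Squid project; it builds a constructed root -> intermediate -> leaf chain with the openssl CLI (file names, subject names and lifetimes are demo assumptions) and reproduces the failure offline, then shows the two conditions under which the same leaf verifies: the server supplying the intermediate, or the local CA bundle containing it.

```shell
#!/bin/sh
# Added example (not from the original post or from Squid): reproduce
# X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (openssl verify error 20)
# offline with a constructed root -> intermediate -> leaf chain, then show
# which change makes verification succeed. Requires the openssl CLI.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Build the constructed chain. All names and parameters are demo assumptions,
# nothing here is taken from the poster's setup or from any real site.
make_chain() {
  # Self-signed root CA (extensions supplied via -extfile so no openssl.cnf
  # defaults are relied on).
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Demo Root CA" -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
    -extfile ca.ext -out root.pem 2>/dev/null
  # Intermediate CA signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Demo Intermediate CA" -keyout inter.key -out inter.csr 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -sha256 -extfile ca.ext -out inter.pem 2>/dev/null
  # Server (leaf) certificate signed by the intermediate.
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:blog.example.invalid\n' > leaf.ext
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=blog.example.invalid" -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 30 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null
}

# Verify leaf.pem the way a TLS client (or Squid's server-facing side) does
# and reduce the outcome to OK, ERR20 or OTHER.
#   $1: trust bundle file   $2: optional extra verify args (e.g. -untrusted ...)
verify_leaf() {
  # shellcheck disable=SC2086
  out=$(openssl verify -CAfile "$1" ${2:-} leaf.pem 2>&1 || true)
  case "$out" in
    *"leaf.pem: OK"*)                           echo OK ;;
    *"unable to get local issuer certificate"*) echo ERR20 ;;
    *)                                          echo OTHER ;;
  esac
}

# Case 1: server sent only its leaf, trust store holds only the root.
# The leaf's issuer is not available locally -> error 20.
case_missing_intermediate() { verify_leaf root.pem; }

# Case 2: server includes the intermediate in its handshake. The chain is
# completed from untrusted handshake material and the root alone suffices.
# This is the fix the site operator should make.
case_server_sends_chain() { verify_leaf root.pem "-untrusted inter.pem"; }

# Case 3: the proxy operator adds the missing intermediate to the CA bundle
# the verifier reads. Verification then succeeds without the server's help.
case_bundle_has_intermediate() {
  cat root.pem inter.pem > bundle.pem
  verify_leaf bundle.pem
}

main() {
  make_chain
  printf 'leaf only, root trusted:           %s\n' "$(case_missing_intermediate)"
  printf 'server sends intermediate:         %s\n' "$(case_server_sends_chain)"
  printf 'intermediate added to CA bundle:   %s\n' "$(case_bundle_has_intermediate)"
}

main
```

Applied to a real site, the first check is `openssl s_client -connect host:443 -servername host -showcerts` run from the proxy host: if only one certificate comes back, the server is not sending its intermediate (case 1), and the fix on the proxy side is to add that intermediate to the store Squid verifies against (the file named by the Squid 3.x `sslproxy_cafile` directive, or the system bundle Squid was built to use), as case 3 does. Note that Squid verifies the peeked server certificate before a step-3 splice decision is reached, so an entry in domain.nobump alone does not avoid the validation error; whether to tolerate specific errors is controlled separately by `sslproxy_cert_error`, which is a deliberate trust decision rather than a fix.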

