[squid-users] X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY error with transparent proxy configured with peek and splice

Yuri Voinov yvoinov at gmail.com
Mon Apr 4 17:42:18 UTC 2016


acl BrokenButTrustedServers2 dstdomain "/usr/local/squid/etc/dstdom2.broken"
acl UnableGetIssuer ssl_error X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
sslproxy_cert_error allow BrokenButTrustedServers2 UnableGetIssuer
sslproxy_cert_error deny all

Something like this.

04.04.16 23:11, Sébastien Damaye wrote:
> Hi community,
>
> I have setup Squid as transparent proxy (iptable is taking care of
> redirecting 80/tcp and 443/tcp traffic to Squid) with peek and splice on
> a Debian Jessie server to perform SSL inspection. Below is the
> interesting part of my squid.conf file:
>
> http_port 3130
> http_port 3128 intercept
> https_port 3129 intercept ssl-bump \
>     cert=/etc/squid/ssl_cert/myCA.pem \
>     generate-host-certificates=on \
>     dynamic_cert_mem_cache_size=4MB \
>     options=NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE \
>     dhparams=/etc/squid/ssl_cert/dhparam.pem
>
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> acl nobumpSites ssl::server_name "/etc/squid/domain.nobump"
>
> ssl_bump peek step1 all
> ssl_bump peek step2 nobumpSites
> ssl_bump splice step3 nobumpSites
> ssl_bump bump
>
> sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>
> The SSL inspection works fine for the majority of the websites (I
> populate domain.nobump with some domains from time to time) but I had a
> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY error that I'm not able to
> fix while visiting https://blog.kaspersky.com. I have added
> ".blog.kaspersky.com" in my domain.nobump file but I still can't visit
> the website.
>
> Could you please help? Many thanks in advance for your inputs.
>

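The error in the question normally means the origin server sent only its leaf certificate and the issuing intermediate is not in the proxy's local trust store. The following shell example is added here and is not from the thread: it builds a throwaway root/intermediate/leaf chain with openssl, reproduces the error offline, and shows that making the intermediate available is what turns the verdict into OK; all names and paths are constructed.

```shell
#!/bin/sh
# Added example (not from the squid-users thread): reproduce OpenSSL error 20,
# X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, with a constructed chain and
# show that supplying the intermediate fixes it. Needs only the openssl CLI.
set -eu

# Build a throwaway root -> intermediate -> leaf hierarchy in directory $1.
make_demo_chain() {
    dir=$1
    req="openssl req -new -nodes -newkey rsa:2048"
    $req -x509 -keyout "$dir/root.key" -out "$dir/root.pem" \
        -subj "/CN=Demo Root CA" -days 2 2>/dev/null
    $req -keyout "$dir/int.key" -out "$dir/int.csr" \
        -subj "/CN=Demo Intermediate CA" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >"$dir/ca.ext"
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/int.pem" -days 2 2>/dev/null
    $req -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
        -subj "/CN=blog.example.invalid" 2>/dev/null   # constructed hostname
    printf 'basicConstraints=CA:FALSE\n' >"$dir/leaf.ext"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" -days 2 2>/dev/null
}

# Verify a leaf against a trust store ($1), optionally with untrusted chain
# certs ($3), i.e. what a well-configured server sends in its handshake.
# Prints "OK" or the OpenSSL reason string; never aborts the script.
verify_leaf() {
    cafile=$1; leaf=$2; untrusted=${3:-}
    set -- -CAfile "$cafile"
    [ -n "$untrusted" ] && set -- "$@" -untrusted "$untrusted"
    out=$(openssl verify "$@" "$leaf" 2>&1) || true
    case $out in
        *": OK"*) echo OK ;;
        *) echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1 ;;
    esac
}

# Demo run: the verdict with the leaf alone versus leaf plus intermediate.
demo=$(mktemp -d)
make_demo_chain "$demo"
echo "leaf only:           $(verify_leaf "$demo/root.pem" "$demo/leaf.pem")"
echo "leaf + intermediate: $(verify_leaf "$demo/root.pem" "$demo/leaf.pem" "$demo/int.pem")"
rm -rf "$demo"
```

Allowing the error with `sslproxy_cert_error` as in the reply above switches chain validation off for the matched hosts; the narrower fix is to give Squid the missing intermediate (Squid's sslproxy_foreign_intermediate_certs directive, not shown on this page) so the chain verifies normally.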
