[squid-users] Using dont_verify_peer

Rafael Akchurin rafael.akchurin at diladele.com
Thu Apr 28 20:56:29 UTC 2016

Hello Bruce,

According to https://www.ssllabs.com/ssltest/analyze.html?d=agentimediaservices.com the server does not send the whole chain of certificates and imho squid cannot automatically download the intermediate certificates like browsers do.

You need to manually add them to the store. Currently we do it like http://docs.diladele.com/faq/squid/fix_unable_to_get_issuer_cert_locally.html

I hope Yuri knows everything about adding certificates to the store and will reply shortly :)

If you were using an explicit proxy, usually making agentimediaservices.com non-bumpable would be enough, as squid would simply pump bytes from browser to site after an allowed CONNECT; but as you have an intercepting squid, I suspect it needs to establish a new connection to the remote site, and thus the openssl code that is used when establishing connections gets a chance to fail the connection to a site with an incomplete certificate chain. IMHO :)

I am also interested in how to bypass it in the intercepted scenario.

Best regards,
Rafael Akchurin
Diladele B.V.
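
As an added example that is not part of this thread (and not Squid's or Diladele's code): a shell script that reproduces the X509 error 20 shown in the openssl s_client output below, using a constructed root/intermediate/leaf chain with placeholder names, and then makes the leaf verify by adding the intermediate to a hashed CApath directory of the kind that sslproxy_capath /etc/ssl/certs expects. It assumes openssl 1.1.0 or later and mktemp are available.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce X509 verify error 20 ("unable to get
# local issuer certificate") offline with a constructed root -> intermediate -> leaf PKI,
# then apply the thread's fix: put the intermediate CA into Squid's sslproxy_capath dir.
set -eu
# Minimal OpenSSL config so the result does not depend on the system openssl.cnf.
write_cfg() {
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=placeholder\n' > "$1"
  printf '[v3_ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >> "$1"
}
# build_pki DIR: constructed chain with placeholder names (not the real COMODO chain
# from the thread); P-256 keys keep generation fast.
build_pki() {
  d="$1"; mkdir -p "$d"; write_cfg "$d/cfg"
  k="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -config $d/cfg"
  openssl req -x509 $k -subj "/CN=Example Root CA" -extensions v3_ca -days 30 \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req $k -subj "/CN=Example Intermediate CA" -keyout "$d/int.key" \
    -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 30 -extfile "$d/cfg" -extensions v3_ca -out "$d/int.pem" 2>/dev/null
  openssl req $k -subj "/CN=*.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -days 30 -out "$d/leaf.pem" 2>/dev/null
}
# add_to_capath CAPATH CERT: CApath lookup needs files named <subject_hash>.0, which
# is what c_rehash / update-ca-certificates produce under /etc/ssl/certs.
add_to_capath() {
  cp "$2" "$1/$(openssl x509 -noout -subject_hash -in "$2").0"
}
# verify_leaf CAPATH LEAF: the same lookup Squid's OpenSSL performs against
# sslproxy_capath; prints the verify result on one line instead of aborting.
verify_leaf() {
  openssl verify -no-CAfile -CApath "$1" "$2" 2>&1 | tr '\n' ' ' || true
}
# demo: succeeds only if a store holding just the root fails with error 20 (the
# thread's symptom) and adding the intermediate then makes the leaf verify OK.
demo() {
  w=$(mktemp -d); build_pki "$w/pki"; mkdir -p "$w/certs"
  add_to_capath "$w/certs" "$w/pki/root.pem"   # stock store: trusted root only
  before=$(verify_leaf "$w/certs" "$w/pki/leaf.pem")
  add_to_capath "$w/certs" "$w/pki/int.pem"    # the fix: add the missing intermediate
  after=$(verify_leaf "$w/certs" "$w/pki/leaf.pem")
  echo "before: $before"; echo "after:  $after"; rm -rf "$w"
  case "$before" in *"error 20"*) ;; *) return 1;; esac
  case "$after" in *": OK"*) return 0;; *) return 1;; esac
}
demo
```

The same hash-named file layout is what Squid reads from the sslproxy_capath directory, so after copying a real intermediate there, running c_rehash (or update-ca-certificates) and reloading Squid is the production equivalent of add_to_capath.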

From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Markey, Bruce
Sent: Thursday, April 28, 2016 10:33 PM
To: squid-users at lists.squid-cache.org
Subject: [squid-users] Using dont_verify_peer

I didn't really get an answer previously so I did some research and now I'm not quite sure what to do.

Problem is I'm getting a lot of these:

The following error was encountered while trying to retrieve the URL: https://*.agentimediaservices.com/*

Failed to establish a secure connection to

The system returned:

(71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)

SSL Certficate error: certificate issuer (CA) not known: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.

Your cache administrator is webmaster.

As I had stated, some are "fixable" by adding the URL to my broken ACL and then not peeking at it. That sometimes works, but most of the time not, and then I have to add the IP listed to an ACL of allowed IPs. This usually works but not in all cases.

That leaves me sort of stuck. I've been having to actually remove folks from the proxy so they could work. I work for a newspaper and most of the issues lie with the myriad of SEO/marketing sites/tools these people use. They're horrible.

That leads me to my question: will using that flag make this issue go away? Granted, I'm aware it's not the safest, but I can't deny users access to the sites they need.

I'm running 3.5.16 compiled from source on Debian Jessie. Fully updated. I'm also confused as to why this is happening. My CA store is up to date. I'm confused as to why this is happening. If I can access all these sites fine without the proxy, I'd have to think it's not the cert itself. So it's either Debian's cert store or something else. I'm sort of at the end of my knowledge here as to what to troubleshoot.

The other option, though it would be a last resort, would be to just stop doing anything with HTTPS, though all I really wanted was to keep stats on sites visited.

Here is some openssl info. This leads me to believe it's not a Squid issue per se; it's an OpenSSL issue and/or a Debian issue with certs. But I'm not 100% on that.

bruce at LNP-Proxy:/etc/squid3$ sudo openssl s_client -connect www.agentimediaservices.com:443 -showcerts
depth=0 C = US, postalCode = 10007, ST = NY, L = New York, street = 195 Broadway, O = OMD USA LLC, OU = IT, OU = Hosted by OMD USA INC, OU = PlatinumSSL Wildcard, CN = *.agentimediaservices.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, postalCode = 10007, ST = NY, L = New York, street = 195 Broadway, O = OMD USA LLC, OU = IT, OU = Hosted by OMD USA INC, OU = PlatinumSSL Wildcard, CN = *.agentimediaservices.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = US, postalCode = 10007, ST = NY, L = New York, street = 195 Broadway, O = OMD USA LLC, OU = IT, OU = Hosted by OMD USA INC, OU = PlatinumSSL Wildcard, CN = *.agentimediaservices.com
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate chain
0 s:/C=US/postalCode=10007/ST=NY/L=New York/street=195 Broadway/O=OMD USA LLC/OU=IT/OU=Hosted by OMD USA INC/OU=PlatinumSSL Wildcard/CN=*.agentimediaservices.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
Server certificate
subject=/C=US/postalCode=10007/ST=NY/L=New York/street=195 Broadway/O=OMD USA LLC/OU=IT/OU=Hosted by OMD USA INC/OU=PlatinumSSL Wildcard/CN=*.agentimediaservices.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
No client certificate CA names sent
SSL handshake has read 1678 bytes and written 599 bytes
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
    Protocol  : TLSv1.2
    Cipher    : RC4-MD5
    Session-ID: 4F9EE34EFA2F6305BBD46D6F367BFDC9F95580A7889D9E1FE91F0F79BA86701F
    Master-Key: F741F597EFC3C837CE52546CC455FFFEBC0F18CCBC74CFB4BE7F1AE3C85EEB9065C39AE50CC525A33C5BD6CCF3D2483A
    Key-Arg   : None
    PSK identity: None
   PSK identity hint: None
    SRP username: None
    Start Time: 1461875411
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)


#Access Lists
acl internal src
acl wireless src

#Ports allowed through Squid
acl Safe_ports port 80
acl Safe_ports port 443
acl SSL_ports port 443

#acls from blacklist
acl allowed dstdomain -i "/etc/squid3/acls/http_allowed.acl"
acl prime dstdomain -i "/etc/squid3/acls/squid-prime.acl"
acl china dst -n "/etc/squid3/acls/ccd-china.acl"
acl india dst -n "/etc/squid3/acls/ccd-india.acl"
acl iran dst -n "/etc/squid3/acls/ccd-iran.acl"
acl nigeria dst -n "/etc/squid3/acls/ccd-nigeria.acl"
acl pakistan dst -n "/etc/squid3/acls/ccd-nigeria.acl"
acl romania dst -n "/etc/squid3/acls/ccd-romania.acl"
acl russia dst -n "/etc/squid3/acls/ccd-russia.acl"
acl syria dst -n "/etc/squid3/acls/ccd-syria.acl"
acl ukraine dst -n "/etc/squid3/acls/ccd-ukraine.acl"
acl uzbekistan dst -n "/etc/squid3/acls/ccd-uzbekistan.acl"
acl ips dst -n "/etc/squid3/acls/broken_ips.acl"
acl blocked dstdomain -i "/etc/squid3/acls/http_blocked.acl"

http_access allow allowed
http_access allow ips
http_access deny blocked
http_access deny prime
http_access deny china
http_access deny india
http_access deny iran
http_access deny nigeria
http_access deny pakistan
http_access deny romania
http_access deny russia
http_access deny syria
http_access deny ukraine
http_access deny uzbekistan

http_access allow internal
http_access allow wireless
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

acl broken_sites ssl::server_name_regex "/etc/squid3/acls/http_broken.txt"

#ssl_bump peek all
ssl_bump peek !broken_sites
ssl_bump splice all
#ssl_bump splice !broken_sites

sslproxy_capath /etc/ssl/certs

sslcrtd_program /lib/squid3/ssl_crtd -s /etc/squid3/ssl_db -M 4MB
sslcrtd_children 32 startup=5 idle=1

#logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %ssl::>cert_subject %>Hs %<st %Ss:%Sh

#access_log syslog:daemon.info mine
#access_log daemon:/var/log/squid3/test.log mine

http_port 3128 intercept
https_port 3129 intercept ssl-bump cert=/etc/squid3/certs/squid.pem cafile=/etc/squid3/certs/squid.pem key=/etc/squid3/certs/squid.pem  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE


#WCCPv2 items
wccp_version 2
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0 password=LNP1
wccp2_service dynamic 70 password=LNP1
wccp2_service_info 70 protocol=tcp flags=dst_ip_hash priority=240 ports=443

Bruce Markey | Network Security Analyst
717.291.8758 (o) | bmarkey at steinmancommunications.com
8 West King St | PO Box 1328, Lancaster, PA 17608-1328
