[squid-users] V3.5.12 SSL Bumping Issue with one Website

squid at data-core.org
Wed Jan 13 17:10:21 UTC 2016


Hello together,

I am using Squid 3.5.12 with Kerberos Authentication only and ClamAV  
on Debian Jessie.

My Proxy is working very nice, but now I've found an issue with just  
one SSL Website.

It would be nice to know if others can reproduce this Issue.

Target website is: https://www.shop-fonic-mobile.de/

While trying to access this website, a blank page is displayed without  
any source code in it.

Cache Log says on each attempt:
Squid 2016/01/13 17:43:43 kid1| Error negotiating SSL on FD 22: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)

Access Log for each attempt:
1452703599.547      0 10.0.0.4 TCP_DENIED/407 4189 CONNECT www.shop-fonic-mobile.de:443 - HIER_NONE/- text/html
1452703599.832    272 10.0.0.4 TAG_NONE/200 0 CONNECT www.shop-fonic-mobile.de:443 MYUSER HIER_NONE/- -
1452703599.888     52 10.0.0.4 TCP_MISS/503 402 GET https://www.shop-fonic-mobile.de/ MYUSER HIER_DIRECT/85.158.6.195 text/html

SSL Bumping generated a valid certificate for this site using my internal CA.

I can reproduce the error only on this website; everything else is
working nicely, and if Squid can't validate an external SSL Certificate
it displays an error, of course.

I currently fixed it by adding it to my SSL_TrustedSites ACL.


This is my Bump config:

http_port 8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl/myca.pem
ssl_bump splice localhost
ssl_bump bump all
sslproxy_cert_error allow SSL_TrustedSites
sslproxy_cert_error deny all


Expected behavior of Squid: If Squid can't validate an SSL Certificate  
then an error should be displayed as it does on all other sites with  
invalid certificates.
But it seems that the first check of Squid recognizes the Certificate
as valid (otherwise it would display an error), Squid generates a
valid cert for the client, and then Squid seems not to be able to
validate it at this point again.

The Target Website SSL Chain is as follows:
CA  <- Part of the Ca certificates
-- Intermediate <- not a part of the ca-certificates
-----website

So I believe somehow on the initial request Squid can validate the
full chain, and as soon as the client receives the generated cert it
can't look up the whole chain because it tries to validate against the
intermediate CA only, loses the path to the Root CA and fails, of
course. Again, only the Root CA is known by the system (ca-certificates).

Please let me know if someone can reproduce this Issue.

BTW:
Found another Issue in Squid 3.5.12 regarding Error Messages:
"mailto:" links which generate an error mail do not work
anymore. Maybe this is related to Kerberos Authentication, which maybe
makes the url-encoded string longer than before. I've found out that
the error is somewhere in the last part of the url-encoded link, but
couldn't pinpoint it.

Best regards,

Enrico
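The chain shape described in the post (root CA in the trust store, intermediate not) can be rebuilt offline with throwaway keys to show exactly when "certificate verify failed" appears. This is an added example, not Enrico's or Squid's code; it assumes only the openssl CLI, and every CA and host name in it is constructed.

```shell
# Added example: throwaway three-level chain, then verify the leaf with and
# without the intermediate. Names and files are constructed for this demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the run does not depend on a system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

gen_chain() {
  # Root CA: stands in for a CA shipped in ca-certificates.
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Root CA" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  # Intermediate CA signed by the root; deliberately NOT added to the trust store.
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Example Intermediate CA" -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/req.cnf" -extensions ca_ext \
    -out "$WORK/int.pem" 2>/dev/null
  # Leaf (the web server's certificate) signed by the intermediate.
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=shop.example.invalid" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -out "$WORK/leaf.pem" 2>/dev/null
}

# verify_leaf TRUST_BUNDLE [INTERMEDIATE]: prints "ok" or "fail", i.e. what a
# verifier such as Squid can conclude with and without the intermediate in hand.
verify_leaf() {
  if [ $# -ge 2 ]; then
    out=$(openssl verify -CAfile "$1" -untrusted "$2" "$WORK/leaf.pem" 2>&1) || true
  else
    out=$(openssl verify -CAfile "$1" "$WORK/leaf.pem" 2>&1) || true
  fi
  case "$out" in *": OK") echo ok ;; *) echo fail ;; esac
}

gen_chain
echo "root only (intermediate missing): $(verify_leaf "$WORK/root.pem")"
echo "root + untrusted intermediate:    $(verify_leaf "$WORK/root.pem" "$WORK/int.pem")"
```

Against a live site, `openssl s_client -connect host:443 -servername host -showcerts` shows whether the server actually sends its intermediate; when it does not, handing Squid the intermediate (Squid 3.5's sslproxy_foreign_intermediate_certs) keeps verification intact, whereas sslproxy_cert_error allow switches it off for those sites.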
