[squid-users] V3.5.12 SSL Bumping Issue with one Website
Yuri Voinov
yvoinov at gmail.com
Wed Jan 13 18:19:05 UTC 2016
I've seen the same - just no laugh! - with https://instagram.com
:)
Yes, I know, selfie is evil :)
13.01.16 23:10, squid at data-core.org wrote:
>
> Hello together,
>
> I am using Squid 3.5.12 with Kerberos Authentication only and ClamAV on Debian Jessie.
>
> My Proxy is working very nicely, but now I've found an issue with just one SSL Website.
>
> It would be nice to know if others can reproduce this Issue.
>
> Target website is: https://www.shop-fonic-mobile.de/
>
> While trying to access this website, a blank page is displayed without any source code in it.
>
> Cache Log says on each attempt:
> Squid 2016/01/13 17:43:43 kid1| Error negotiating SSL on FD 22: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
>
> Access Log for each attempt:
> 1452703599.547 0 10.0.0.4 TCP_DENIED/407 4189 CONNECT www.shop-fonic-mobile.de:443 - HIER_NONE/- text/html
> 1452703599.832 272 10.0.0.4 TAG_NONE/200 0 CONNECT www.shop-fonic-mobile.de:443 MYUSER HIER_NONE/- -
> 1452703599.888 52 10.0.0.4 TCP_MISS/503 402 GET https://www.shop-fonic-mobile.de/ MYUSER HIER_DIRECT/85.158.6.195 text/html
>
> SSL Bumping generated a valid certificate for this site using my internal CA.
>
> I can reproduce the error only on this website; everything else is working nicely, and if Squid can't validate an external SSL Certificate it displays an error, of course.
>
> I currently fixed it by adding it to my SSL_TrustedSites ACL.
>
>
> This is my Bump config:
>
> http_port 8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl/myca.pem
> ssl_bump splice localhost
> ssl_bump bump all
> sslproxy_cert_error allow SSL_TrustedSites
> sslproxy_cert_error deny all
>
>
> Expected behavior of Squid: If Squid can't validate an SSL Certificate then an error should be displayed, as it does on all other sites with invalid certificates.
> But it seems that the first check of Squid recognizes the Certificate as valid (otherwise it would display an error), and Squid generates a valid cert for the client; then Squid seems to not be able to validate it at this point again.
>
> The Target Website SSL Chain is as follows:
> CA <- part of the ca-certificates
> -- Intermediate <- not a part of the ca-certificates
> -----website
>
> So I believe somehow on the initial request Squid can validate the full chain, and as soon as the client receives the generated cert it can't look up the whole chain, because it tries to validate against the intermediate CA only, loses the path to the Root CA and fails, of course. Again, only the Root CA is known by the system (ca-certificates).
>
> Please let me know if someone can reproduce this Issue.
>
> BTW:
> Found another Issue in Squid 3.5.12 regarding Error Messages: "mailto:" links which generate an error mail do not work anymore. Maybe this is related to Kerberos Authentication, which maybe makes the URL-encoded string longer than before. I've found out that the error is somewhere in the last part of the URL-encoded link. Couldn't pinpoint it.
>
> Best regards,
>
> Enrico
>
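The chain shape Enrico describes (root in ca-certificates, intermediate not) fails in exactly one situation: the server does not send the intermediate in its handshake, so the verifier holding only the root cannot find the leaf's issuer. The script below is an added example, not code from the thread or from Squid. It constructs a synthetic root -> intermediate -> leaf chain with openssl (all CA names and the hostname www.example.test are made up) and runs the same verification twice: once with the leaf alone against a store containing only the root, which fails with "unable to get local issuer certificate", and once with the intermediate supplied as an untrusted chain certificate, which succeeds.

```shell
#!/bin/sh
# Added example (not from the thread or from Squid): reproduce the
# "certificate verify failed" that a missing intermediate CA produces.
# The whole chain is constructed here; names and hostname are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Extension profiles for the two CA certificates and the server leaf.
# A req section with distinguished_name is required even when -subj is used.
cat >"$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# Build root -> intermediate -> leaf. The root stands in for a CA shipped in
# ca-certificates; the intermediate for the one that is not in the store.
build_chain() {
  if [ -f "$WORK/leaf.pem" ]; then return 0; fi
  openssl req -x509 -config "$WORK/ext.cnf" -extensions ca_ext \
    -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
  openssl req -new -config "$WORK/ext.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$WORK/ext.cnf" -extensions ca_ext \
    -out "$WORK/int.pem" >/dev/null 2>&1
  openssl req -new -config "$WORK/ext.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$WORK/ext.cnf" -extensions leaf_ext \
    -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# What a verifier sees when the server sends only its leaf and the trust
# store holds only the root: the leaf's issuer cannot be located, so the
# command exits non-zero ("unable to get local issuer certificate").
verify_root_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem"
}

# Same trust store, but the intermediate is presented as an untrusted,
# server-supplied chain certificate: the path to the root closes and the
# command exits 0.
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem"
}

build_chain
echo "--- leaf only, root in trust store:"
verify_root_only || echo "verification FAILED as expected (missing intermediate)"
echo "--- leaf plus intermediate, root in trust store:"
verify_with_intermediate
```

To check what a real server actually sends, `openssl s_client -connect HOST:443 -showcerts </dev/null` prints every certificate in the handshake; if only the leaf appears, the server is the one at fault, and Squid 3.5 can be given the missing intermediate through `sslproxy_foreign_intermediate_certs` instead of whitelisting the site. Note what the `sslproxy_cert_error allow SSL_TrustedSites` workaround in the quoted config costs: Squid then accepts any certificate error for those destinations, including a forged certificate from a man-in-the-middle, so it trades away exactly the check that caught the broken chain.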