[squid-users] How to suppress SQUID_X509_V_ERR_DOMAIN_MISMATCH error for known domains?

Yuri Voinov yvoinov at gmail.com
Sat Mar 26 11:35:42 UTC 2016


Some research:

WU requests IP:

1458991967.489    480 192.168.100.103 NONE_ABORTED/200 0 CONNECT 
134.170.53.30:4
43 - ORIGINAL_DST/134.170.53.30 -

This is MS IP:

http://www.tcpiputils.com/browse/ip-address/134.170.53.30

Which hasn't PRT record:

root @ cthulhu / # dig 134.170.53.30

; <<>> DiG 9.6-ESV-R11-P4 <<>> 134.170.53.30
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 5923
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;134.170.53.30.                 IN      A

;; AUTHORITY SECTION:
.                       78845   IN      SOA     a.root-servers.net. 
nstld.verisign-grs.com. 2016032600 1800 900 604800 86400

;; Query time: 128 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Mar 26 17:32:32 ALMT 2016
;; MSG SIZE  rcvd: 106

Question: What domain name I must splice to WU work?

26.03.16 17:21, Amos Jeffries пишет:
> On 26/03/2016 11:53 p.m., Yuri Voinov wrote:
>> Look at this, gents.
>>
>> http://i.imgur.com/kxrOEVd.png
>>
>> How to suppress this? It stops WU right now.
> That is TLS doing its job correctly. The entire purpose of HTTPS is to
> prevent transactions like that one working.
>
>   microsoft.com != akamai.com
>
> The certificate being presented by the Akamai server is saying
> explicitly that it is not valid for content about miscrosoft.com. A
> different certificate is required for that access.
>
> IME, content that is provided by Akamai is available through domains
> with the CDN load balancing names (eg.
> downloads.microsoft.com.m23.akamai.com) not the Akamai servers internal
> names.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users



More information about the squid-users mailing list