[squid-users] How to suppress SQUID_X509_V_ERR_DOMAIN_MISMATCH error for known domains?

Yuri Voinov yvoinov at gmail.com
Sat Mar 26 20:05:17 UTC 2016


In addition, this is a very old problem:

http://answers.microsoft.com/en-us/windows/forum/windows8_1-update/ssl-problem-with-windows-update-error-0x800b0109d/df2c5206-7304-4e42-ac4b-40d00bfbca87?auth=1

Damned M$.

On 27.03.16 2:01, Yuri Voinov wrote:
>
> Found and solved.
>
> root @ cthulhu / # openssl s_client -connect fe2.update.microsoft.com:443
> CONNECTED(00000003)
> depth=1 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = Microsoft Update Secure Server CA 2.1
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> ---
> Certificate chain
>  0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft/OU=DSP/CN=fe2.update.microsoft.com
>    i:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Update Secure Server CA 2.1
>  1 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Update Secure Server CA 2.1
>    i:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2011
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIF5TCCA82gAwIBAgITMwAAAFRKWJwXUQHpvwAAAAAAVDANBgkqhkiG9w0BAQsF
> ADCBhDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT
> B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEuMCwGA1UE
> AxMlTWljcm9zb2Z0IFVwZGF0ZSBTZWN1cmUgU2VydmVyIENBIDIuMTAeFw0xNTEy
> MTYxOTM4MDdaFw0xNjA1MTYxOTM4MDdaMHkxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
> EwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMRIwEAYDVQQKEwlNaWNyb3Nv
> ZnQxDDAKBgNVBAsTA0RTUDEhMB8GA1UEAxMYZmUyLnVwZGF0ZS5taWNyb3NvZnQu
> Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt9yv6P/FzJvxW5Wx
> /klFQ1o9BO0qyAr7u5nYeLbGiwnVOSj8qIZ6t4GoqHq6spDGuqFfRF0u/eeZY0bq
> hncHjJHm4YZ9KHOvhObBJ0fHbTyyyXRYxHe1rk+4o4M1SszvAviY2zGKvc6Euik9
> p3erPxocB2nwbEn82JkNxS0UjcmKpUDmFNYMe5O+MJ3ngKCv62SbmJXAH3ZWq7yJ
> xNTgQjrXCKHxVDmC2TrC2f7/35gGH3OksOthD9zCkKTw+y+pJ0n3AO7ahrdj+pB4
> uyQzb0K077xeAIY54eoTuhL2d3vDCDwt4m0YJccl464IGjtF99nt8DlRriGig5Wg
> T8+28QIDAQABo4IBWDCCAVQwDgYDVR0PAQH/BAQDAgTwMBMGA1UdJQQMMAoGCCsG
> AQUFBwMBMB0GA1UdDgQWBBRf9/DNbWTCucVV/ag9JpVQ+JLldjAfBgNVHSMEGDAW
> gBTS8j2EdIYbUIWqXeWlB5rwR9MuaTBoBgNVHR8EYTBfMF2gW6BZhldodHRwOi8v
> d3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNyb3NvZnQlMjBVcGRhdGUl
> MjBTZWN1cmUlMjBTZXJ2ZXIlMjBDQSUyMDIuMS5jcmwwdQYIKwYBBQUHAQEEaTBn
> MGUGCCsGAQUFBzAChllodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2Nl
> cnRzL01pY3Jvc29mdCUyMFVwZGF0ZSUyMFNlY3VyZSUyMFNlcnZlciUyMENBJTIw
> Mi4xLmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQBGJdsEVpCN
> VD7PUYDopBFCAN/t8n4TZ4Y8lQvdT4qtWFKvucqNR2clZnXg3KB0D7V8/lr4kqGi
> 8t089SuSnnEnIREQhrf3KMryJZiU/5dt9UejThYYrjoVtFOGXhQit7fG2lQyOp9a
> riHf+OuXAv6UZXW2Ina6vUcxWk7GrupSDdWfROv1ZUUEj5wmbJGOfh/Oc7Nkzbnj
> wLl62h9hix4fwP8XdKp2uWXAkPjgjAH3SK9wDSOm5L6hR9crbUikowoEC5XYX+gh
> 8kTED8kaSbVoyGIDR+gTtm7F4S99W8ecI2GSeZkhawFC3lbtpE9P5LfrStSJL809
> yUWUCwo1xTz12Iwo8PXZk8XiId+f/KxxFMNjMDG/FZRUFfNMWU10ijqBlI4Nlovk
> pV9Fhpfny75cScJNZLij5FFiLHZuYzfGhejDBmpXweBpV6VLe9RNoLHmgBVTjYBa
> nzLa6r0M3ICnXCtX8h5JNcOPhvBFb43Z6+6CQP6jM2SqXSQUg3TwArBe0deaoYCI
> fJpJJTKqo88FeURLpgfemPa3sXXUKqKWglYejkCYM6Kk8IPAa8w3JnsGWg5F5MJa
> 8zp43RouY5+VBZLAF+B1HZGEwyEXUhzZshl9QAmMs9YrXooFqP9rnyAP8ehNQdmC
> Tl1/2ofmuAUavN8AQfh1Jn8Nm+hPnADN+w==
> -----END CERTIFICATE-----
> subject=/C=US/ST=Washington/L=Redmond/O=Microsoft/OU=DSP/CN=fe2.update.microsoft.com
> issuer=/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Update Secure Server CA 2.1
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 3503 bytes and written 649 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES128-SHA256
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : AES128-SHA256
>     Session-ID: 7B4C0000F911C68C6B1C235D7E5DB1C001A481D27EF8B594EB7F60A73904A4A7
>     Session-ID-ctx:
>     Master-Key: 7BC9333DDD64858E393E2837FF645DB131A868322766771BDF4EBD3AE49A0AD422852AC787008F0A0CD60BC8EA5A0E75
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1459021942
>     Timeout   : 300 (sec)
>     Verify return code: 20 (unable to get local issuer certificate)
> ---
> read:errno=131
>
> The damned M$ uses an intermediate CA which is absent from the CA bundle by
> default on fe2.update.microsoft.com.
>
> In addition, with the Akamai CN mismatch.
>
> Thanks all!
>
> On 26.03.16 23:25, Alex Rousskov wrote:
> > On 03/26/2016 04:53 AM, Yuri Voinov wrote:
> >> http://i.imgur.com/kxrOEVd.png
> >>
> >> How to suppress this? It stops WU right now.
> >
> > Does the ssl::certDomainMismatch ACL work to bypass the
> > SQUID_X509_V_ERR_DOMAIN_MISMATCH error?
> >
> > If not, then just as a triage experiment (and not for production use!),
> > does the following bypass the SQUID_X509_V_ERR_DOMAIN_MISMATCH error?
> >
> >   sslproxy_cert_error allow all
> >
> > Alex.
>

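As an added example, not part of this thread and not taken from the Squid project's documentation: a Squid 3.5-era squid.conf fragment that addresses the two findings above without the blanket `sslproxy_cert_error allow all` that Alex proposed only as a triage experiment. The s_client output above fails at depth=1 (`verify error:num=20`), i.e. the server does send the "Microsoft Update Secure Server CA 2.1" intermediate, but the issuer of that intermediate, "Microsoft Root Certificate Authority 2011", is not in the local trust store; that is fixed by trusting the root on the outgoing side, not by bypassing the error. The file paths and the `WindowsUpdate` ACL name are assumptions, and the host list is a placeholder: it has to hold the names the clients actually ask for (the CONNECT/SNI names that end up answered with the Akamai certificate), which the thread does not give.

```conf
# Added example (not from the thread or the Squid project): Squid 3.5 squid.conf
# fragment. File paths and the ACL name are assumptions; adjust to your host.

# 1. Missing-issuer error (X509 error 20 at depth=1 in the s_client output):
#    the chain stops at the "Microsoft Update Secure Server CA 2.1"
#    intermediate because its issuer, "Microsoft Root Certificate Authority
#    2011", is not in the local store. Use a bundle for outgoing TLS that is
#    the system CA bundle plus that root's PEM, appended only after the root's
#    fingerprint has been checked against an independent copy (e.g. the root
#    store of a clean Windows host). Never append the intermediate or the leaf.
sslproxy_cafile /etc/squid/outgoing-ca-bundle.pem

# 2. Domain-mismatch error: tolerate only that one error class, and only for
#    the Windows Update hosts. "sslproxy_cert_error allow all" would accept
#    every error (untrusted issuer, expired, self-signed) from every origin and
#    so switch off the one check that catches a man-in-the-middle on bumped
#    connections. ssl::certDomainMismatch is the ACL Alex mentions; it matches
#    SQUID_X509_V_ERR_DOMAIN_MISMATCH only.
acl WindowsUpdate ssl::server_name .update.microsoft.com
sslproxy_cert_error allow WindowsUpdate ssl::certDomainMismatch
sslproxy_cert_error deny all
```

Both rules are evaluated per error: an untrusted-issuer error on a Windows Update host is still denied, so keep the `deny all` last. To check the first half before restarting Squid, run `openssl s_client -connect fe2.update.microsoft.com:443 -servername fe2.update.microsoft.com -CAfile /etc/squid/outgoing-ca-bundle.pem` and expect `Verify return code: 0 (ok)` instead of the `20` shown above. On Squid 4 and later the same CA file is given with `tls_outgoing_options cafile=...`, since the `sslproxy_cafile` directive was replaced there.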
