[squid-users] SSL bump not working w/some sites.

Alex Rousskov rousskov at measurement-factory.com
Mon Nov 7 19:32:12 UTC 2016


On 11/07/2016 11:59 AM, L. A. Walsh wrote:
> I have the SSL bump feature set up and so far have been happy with
> it, but today, I got an error from a website,

You got an error from Squid, not a website.


> saying they detect my
> ability to monitor my web traffic and refuse to allow it:

Actually, the error says that Squid refuses to trust the web server.



> The system returned:
> 
>    (71) Protocol error (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
> 
>    Self-signed SSL Certificate in chain: /C=US/O=Entrust, Inc./OU=See
> www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized
> use only/CN=Entrust Root Certification Authority - G2

... because your Squid/OpenSSL setup does not trust the above root
certificate at the end of the server certificate chain.


> This proxy and the remote host failed to negotiate a mutually acceptable
> security settings for handling your request. It is possible that the
> remote host does not support secure connections, or the proxy is not
> satisfied with the host security credentials.

It is the latter -- "not satisfied with the host security credentials".

If you believe that the missing root certificate is legitimate (i.e.,
your Squid should trust it), then you may want to update your OpenSSL
setup to include that root CA certificate.


HTH,

Alex.
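To make the diagnosis above concrete, here is an added demonstration (not from the thread or from the Squid project): it builds a throwaway root CA and a server certificate signed by it, reproduces the X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN verdict when the trust store lacks that root, and shows that appending the root to the CA bundle is what makes the chain verify. The CA names, paths and the openssl CLI calls are constructed for the demo; only the error code itself comes from the thread.

```shell
#!/bin/sh
# Added demo: reproduce X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN (OpenSSL error 19)
# with a constructed, short-lived CA, then fix it by trusting the root. Needs openssl.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed root CA named "$1" (constructed test CA, valid for one day).
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Issue a server certificate for demo.example (constructed name), signed by root "$1".
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/server.pem" 2>/dev/null
}

# Mimic Squid/OpenSSL validating a server that sends its root along with the leaf:
# the sent chain is -untrusted, and only the trust store "$1" decides.
# Exit status 0 means the chain verifies; otherwise openssl prints the reason.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$WORK/DemoRoot.pem" "$WORK/server.pem"
}

# The fix suggested in the thread: add the vetted root CA certificate to the bundle "$2".
trust_root() {
  cat "$WORK/$1.pem" >> "$2"
}

demo() {
  make_root DemoRoot
  make_root UnrelatedRoot          # stands in for the CAs the store already trusts
  make_server_cert DemoRoot
  cp "$WORK/UnrelatedRoot.pem" "$WORK/ca-bundle.pem"
  echo "--- before: trust store lacks DemoRoot (expect error 19)"
  verify_chain "$WORK/ca-bundle.pem" || true
  echo "--- after: DemoRoot appended to the bundle"
  trust_root DemoRoot "$WORK/ca-bundle.pem"
  verify_chain "$WORK/ca-bundle.pem"
}

demo
```

In Squid the bundle that plays the role of ca-bundle.pem here is the file named by `sslproxy_cafile` (Squid 3.5) or `tls_outgoing_options cafile=` (Squid 4 and later); if neither is set, Squid falls back to the OpenSSL default trust store.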
