[squid-users] SSL bump not working w/some sites.

Yuri Voinov yvoinov at gmail.com
Mon Nov 7 19:36:21 UTC 2016


It seems simple: no intermediate certificate in the chain.

Root CA bundle(s) usually do not contain all intermediate CAs,
because browsers can simply download them from the server/site.

Squid can't auto-download (autocomplete) certificate chains and
requires configuring the sslproxy_foreign_intermediate_certs option.


08.11.2016 1:32, Alex Rousskov wrote:
> On 11/07/2016 11:59 AM, L. A. Walsh wrote:
>> I have the SSL bump feature setup and so far have been happy with
>> it, but today, I got an error from a website, 
> You got an error from Squid, not a website.
>
>
>> saying they detect my
>> ability to monitor my webtraffic and refuse to allow it:
> Actually, the error says that Squid refuses to trust the web server.
>
>
>
>> The system returned:
>>
>>    (71) Protocol error (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
>>
>>    Self-signed SSL Certificate in chain: /C=US/O=Entrust, Inc./OU=See
>> www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized
>> use only/CN=Entrust Root Certification Authority - G2
> ... because your Squid/OpenSSL setup does not trust the above root
> certificate at the end of the server certificate chain.
>
>
>> This proxy and the remote host failed to negotiate a mutually acceptable
>> security settings for handling your request. It is possible that the
>> remote host does not support secure connections, or the proxy is not
>> satisfied with the host security credentials.
> It is the latter -- "not satisfied with the host security credentials".
>
> If you believe that the missing root certificate is legitimate (i.e.,
> your Squid should trust it), then you may want to update your OpenSSL
> setup to include that root CA certificate.
>
>
> HTH,
>
> Alex.
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

-- 
Cats - delicious. You just do not know how to cook them.
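The thread mixes two different failure modes, and they need different fixes: a chain that stops at a leaf whose intermediate is neither sent by the server nor known locally (OpenSSL error 20, "unable to get local issuer certificate", the case sslproxy_foreign_intermediate_certs exists for), versus a complete chain ending in a self-signed root that is simply not in the trust store (error 19, X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, the code quoted in the thread). The script below is an added example, not code from the thread, from Squid or from OpenSSL: it builds a throwaway test PKI with the openssl command-line tool (assumed to be 1.1.1 or newer) and reproduces both failures with `openssl verify`, so you can check which one you are looking at before editing squid.conf. All names, certificates and keys are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the squid-users thread): reproduce the two
# OpenSSL verification failures discussed above with a throwaway test PKI.
# Assumes the openssl CLI (1.1.1 or newer). Everything below is constructed
# for this demo; none of these certificates is a real CA.

WORK=$(mktemp -d)          # scratch PKI; left in place for inspection

# Minimal config: a CA profile for root/intermediate, a server profile for the leaf.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# self_signed_ca NAME OUT: create a self-signed root "$OUT.pem" / "$OUT.key"
self_signed_ca() {
  openssl req -x509 -config "$WORK/openssl.cnf" -extensions ca_ext \
    -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}

# issue NAME OUT ISSUER EXT_SECTION: issue "$OUT.pem" signed by "$ISSUER.key"
issue() {
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$1" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 1 -extfile "$WORK/openssl.cnf" -extensions "$4" \
    -out "$WORK/$2.pem" 2>/dev/null
}

# Root -> intermediate -> leaf, plus an unrelated root to use as a trust store.
build_test_pki() {
  self_signed_ca "Demo Root" root &&
  self_signed_ca "Some Other Root" other-root &&
  issue "Demo Intermediate" int root ca_ext &&
  issue "www.example.test" leaf int leaf_ext &&
  cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/chain-as-sent.pem"
}

# verify_code TRUST_STORE EXTRA_CERTS LEAF
# Prints 0 on success, otherwise the numeric OpenSSL X509_V_ERR_* code taken
# from the "error N at D depth lookup" line (20 = unable to get local issuer
# certificate, 19 = self-signed certificate in chain). EXTRA_CERTS stands in
# for the certificates a server sends alongside its leaf; pass "" for none.
verify_code() {
  if [ -n "$2" ]; then
    out=$(openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1) && { echo 0; return 0; }
  else
    out=$(openssl verify -CAfile "$1" "$3" 2>&1) && { echo 0; return 0; }
  fi
  printf '%s\n' "$out" |
    sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p' | head -n 1
}

build_test_pki || { echo "test PKI setup failed in $WORK" >&2; exit 1; }

# 1. Server sends only its leaf and the root is trusted: error 20. This is the
#    gap sslproxy_foreign_intermediate_certs closes.
echo "leaf only, root trusted:       $(verify_code "$WORK/root.pem" "" "$WORK/leaf.pem")"
# 2. Same, but the intermediate is supplied locally (what that option does): 0.
echo "leaf + local intermediate:     $(verify_code "$WORK/root.pem" "$WORK/int.pem" "$WORK/leaf.pem")"
# 3. Server sends leaf, intermediate and root, but the root is not in the
#    trust store: error 19, the code quoted in the thread. Supplying the
#    intermediate does not help here; only trusting the root does.
echo "full chain, root not trusted:  $(verify_code "$WORK/other-root.pem" "$WORK/chain-as-sent.pem" "$WORK/leaf.pem")"
```

Against a real site, the inputs for `verify_code` come from the proxy host itself: the chain as the server sends it from `openssl s_client -connect host:443 -showcerts`, and the trust store Squid actually uses (the OpenSSL default bundle or whatever `cafile=` in squid.conf points at). Error 20 means the intermediate belongs in the sslproxy_foreign_intermediate_certs file; error 19 means the decision is whether that root should be trusted at all, and if so it goes into the CA bundle, not into the intermediates file.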