[squid-users] SSL bump not working w/some sites.

Amos Jeffries squid3 at treenet.co.nz
Tue Nov 8 03:05:58 UTC 2016


On 8/11/2016 3:40 p.m., L. A. Walsh wrote:
> Alex Rousskov wrote:
>> On 11/07/2016 11:59 AM, L. A. Walsh wrote:
>>>
>>>    (71) Protocol error (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
>>>
>>>    Self-signed SSL Certificate in chain: /C=US/O=Entrust, Inc./OU=See
>>> www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized
>>> use only/CN=Entrust Root Certification Authority - G2
>>
>> ... because your Squid/OpenSSL setup does not trust the above root
>> certificate at the end of the server certificate chain.
> ---
>     Weird.  I don't know who they are... it is on/for a US gov
> website...   Given all the hacks going on recently, not so sure
> I should just accept it.

It should be safe enough to check that your system CA set is up to date.
There were changes as recently as a week ago.

You will only have to face the tricky decisions about whether to trust
the CA if the problem remains when you have the latest globally trusted
set installed.


You could try the sslproxy_foreign_intermediate_certs option Yuri
mentioned. But I think it will not help in this particular case since
Squid will trust those foreign certs only if they are used as
intermediate certs in a chain; this error appears to be about a root cert.

Amos
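The two checks Amos suggests (is the Entrust G2 root actually in the CA bundle Squid uses, and does the server's chain verify against that bundle) can be scripted with the openssl command line. The following is an added example and is not code from the thread or from the Squid project; it assumes the openssl CLI is installed and that you know which bundle Squid reads (typically /etc/ssl/certs/ca-certificates.crt on Debian/Ubuntu, /etc/pki/tls/certs/ca-bundle.crt on RHEL derivatives, or whatever sslproxy_cafile points at in squid.conf; `openssl version -d` prints the OpenSSL directory as a starting point). The function and file names are this example's own.

```shell
#!/bin/sh
# Added example (not from the squid-users thread or Squid itself).
# Checks whether a root CA is present in a PEM bundle and verifies a server
# chain against that bundle the way Squid's OpenSSL verification would.
# Assumes: openssl CLI available; bundle and chain are PEM files.

# bundle_subjects BUNDLE
#   Print the subject of every certificate in a PEM bundle, one per line.
#   crl2pkcs7 wraps the bundle in a PKCS#7 blob; pkcs7 -print_certs -noout
#   then lists subject=/issuer= lines without re-emitting the certificates.
bundle_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" \
        | openssl pkcs7 -print_certs -noout \
        | sed -n 's/^subject=//p'
}

# root_in_bundle BUNDLE NAME
#   Succeed (exit 0) if some certificate in BUNDLE has NAME in its subject.
#   NAME is matched as a fixed string, so it works with both the old
#   "/C=US/O=..." and the newer "C = US, O = ..." subject formats.
root_in_bundle() {
    bundle_subjects "$1" | grep -F -q -- "$2"
}

# verify_chain BUNDLE CHAIN
#   CHAIN is the server's chain as sent on the wire: leaf first, then any
#   intermediates (and possibly the root). The leaf is verified with the
#   rest supplied as untrusted certs, which is what Squid/OpenSSL do.
#   On failure openssl prints the reason, e.g. "self signed certificate in
#   certificate chain" (X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN), and the
#   function returns non-zero.
verify_chain() {
    bundle="$1"; chain="$2"
    leaf=$(mktemp); untrusted=$(mktemp)
    # Split on BEGIN markers: first certificate -> leaf, the rest -> untrusted.
    awk -v leaf="$leaf" -v rest="$untrusted" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print > leaf; next }
        n > 1  { print > rest }' "$chain"
    if [ -s "$untrusted" ]; then
        openssl verify -CAfile "$bundle" -untrusted "$untrusted" "$leaf"
    else
        openssl verify -CAfile "$bundle" "$leaf"
    fi
    rc=$?
    rm -f "$leaf" "$untrusted"
    return $rc
}

# Usage against the real bundle (adapt the path to your system):
#   root_in_bundle /etc/ssl/certs/ca-certificates.crt \
#       "Entrust Root Certification Authority - G2" && echo "root present"
#   openssl s_client -connect host:443 -showcerts </dev/null 2>/dev/null \
#       | sed -n '/BEGIN CERT/,/END CERT/p' > chain.pem
#   verify_chain /etc/ssl/certs/ca-certificates.crt chain.pem
```

If root_in_bundle fails against the bundle Squid actually reads, updating the distribution's CA package (and making sure Squid is pointed at that bundle rather than a stale private copy) is the fix Amos describes; if it succeeds and verify_chain still fails, you have reached the genuine trust decision.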
