[squid-users] SSL3_GET_SERVER_CERTIFICATE failed

Amos Jeffries squid3 at treenet.co.nz
Thu Dec 7 08:14:35 UTC 2017


On 07/12/17 20:47, G~D~Lunatic wrote:
> My squid is a transparent proxy.
> The cache.log shows that
> 2017/12/07 15:42:53 kid1| Error negotiating SSL connection on FD 175: 
> Closed by client
> 2017/12/07 15:42:54 kid1| Error negotiating SSL on FD 95: 
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate 
> verify failed (1/-1/0)
> 2017/12/07 15:42:55 kid1| Error negotiating SSL connection on FD 124: 
> Closed by client
> 2017/12/07 15:42:56 kid1| Error negotiating SSL on FD 52: 
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate 
> verify failed (1/-1/0)
> 
> 
> What's the problem? Thank you

Four log lines talking about four different connections (FDs).

Two of them are "Closed by client".

Two of them "certificate verify failed" for the remote server certificate.


For those server certificates the relevant options are the sslproxy_* or 
tls_outgoing_options directives in your squid.conf.

* Maybe your system CA certificates are outdated; check for that and update.

* Maybe the server cert is missing intermediate certs from its chain. 
In Squid-3.5 use sslproxy_foreign_intermediate_certs to inform squid of 
extra intermediate certs that might be missing.

* Maybe the server cert is actually invalid. That happens a lot, 
especially on dodgy traffic.


Amos
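
The triage described in the reply above, as an added example that is not part of the original post or of Squid: it re-joins mail-wrapped cache.log entries, groups them by failure, and unpacks the OpenSSL error code. The function names are hypothetical, and the 8/12/12-bit library/function/reason split assumes the OpenSSL 1.0.x error-code layout.

```python
import re
from collections import defaultdict

# Constructed sample: the post's four cache.log entries, some still mail-wrapped.
SAMPLE = """\
2017/12/07 15:42:53 kid1| Error negotiating SSL connection on FD 175: Closed by client
2017/12/07 15:42:54 kid1| Error negotiating SSL on FD 95:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed (1/-1/0)
2017/12/07 15:42:55 kid1| Error negotiating SSL connection on FD 124: Closed by client
2017/12/07 15:42:56 kid1| Error negotiating SSL on FD 52:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
"""

STAMP = re.compile(r"\d{4}/\d\d/\d\d \d\d:\d\d:\d\d ")
ENTRY = re.compile(r"Error negotiating SSL(?: connection)? on FD (?P<fd>\d+): (?P<detail>.+)$")
OSSL = re.compile(r"error:(?P<code>[0-9A-Fa-f]{8}):[^:]*:(?P<func>[^:]*):"
                  r"(?P<reason>.*?)(?: \([-\d/]+\))?$")

def join_wrapped(text):
    """Re-attach continuation lines (no leading timestamp) to their entry."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def unpack_openssl_code(hexcode):
    """Split a packed error code into (library, function, reason); 1.0.x layout assumed."""
    n = int(hexcode, 16)
    return (n >> 24) & 0xFF, (n >> 12) & 0xFFF, n & 0xFFF

def triage(text):
    """Return {(function, reason, unpacked code): [FDs]} for TLS negotiation errors."""
    buckets = defaultdict(list)
    for entry in join_wrapped(text):
        m = ENTRY.search(entry)
        if not m:
            continue
        o = OSSL.match(m["detail"])
        key = ((o["func"], o["reason"], unpack_openssl_code(o["code"]))
               if o else (None, m["detail"], None))
        buckets[key].append(int(m["fd"]))
    return dict(buckets)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the sample this yields two buckets: "Closed by client" on FDs 175 and 124, and "certificate verify failed" on FDs 95 and 52, the latter being the ones the sslproxy_* or tls_outgoing_options settings apply to.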