[squid-users] A bunch of SSL errors I am not sure why

Eliezer Croitoru eliezer at ngtech.co.il
Wed Jan 18 17:40:39 UTC 2017


Thanks for the detail Amos,

I noticed that a couple of major Root CA certificates were revoked, so it could be one thing.
And can you give some more details on how to fetch the certificates using the openssl tools?
(Maybe redirect towards an article about it)
I think that if some sites have issues then a simple script that will run the openssl tools to fetch the certificates and add them to the system can be useful for those who are running 3.5 and have yet to jump into the 4.0 testing.
I can write the script that will do some of the work for these admins.

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il


-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Amos Jeffries
Sent: Wednesday, January 18, 2017 6:06 PM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] A bunch of SSL errors I am not sure why

On 19/01/2017 3:29 a.m., Sameh Onaissi wrote:
> Hello Eliezer, all
> 
> Sorry for the late reply.
> 
> When I configure the browser to access a non-intercept port, the errors do not show up and the site is accessed without a problem.
> 
> The client machine has the .crt file installed, but still shows the error.
> 
> Other pages with errors:
> http://pasteboard.co/nA20FD7om.png
> http://pasteboard.co/nA2yWRyTE.png
> 
> Here is the second page in a browser without an intercepted port:
> http://pasteboard.co/nA39CEFGU.png
> 
> 
> Thanks in advance.
> Some of these sites are used to pay company bills, so it's important to get this issue resolved ASAP.

I assume from that first part that the most important of these sites are a small enough set to deal with as a special case without becoming a maintenance nightmare.

The error messages both show that Squid at least cannot find one of the CAs required to verify the server's cert.

Soo... you can probably use the openssl client tool to identify and fetch the certs manually; then

1a) add the root CA (only if needed) into your machine's global CA set,

1b) add any intermediary certs to the file Squid loads through sslproxy_foreign_intermediate_certs directive.
<http://www.squid-cache.org/Doc/config/sslproxy_foreign_intermediate_certs/>

OR

2) create a cache_peer to the domain's server port 443, using the originserver option and the sslcafile= option to specify what its CA chain is supposed to be.
<http://www.squid-cache.org/Doc/config/cache_peer/>


> Worth mentioning that this was not a problem about 10 days ago.

Nod, these types of things can appear out of nowhere as server certs expire or get blacklisted, ciphers etc. suddenly get rejected by browsers as insecure. TLS advocates deny it, but F*ups happen far too often in reality when dealing with certs.


> 
> 
> * Try the latest Squid-4, which can auto-download intermediate certificates.
> 
> Is squid-4 stable for production?
> 

Sorry I missed this in your earlier post.

Well, strictly speaking, no. It still has a handful of critical bugs to be tracked down and quashed. But whether those affect you, or if they do whether it's worth an occasional crash to avoid these SSL issues, is a different matter.

Amos

_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
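The "fetch with the openssl client tool, then feed the intermediates to sslproxy_foreign_intermediate_certs" step Amos outlines (option 1 above), as an added shell example that is not from this thread or from the Squid project. The sample dump with placeholder PEM bodies is constructed so the split logic runs offline, and the INTERMEDIATES_FILE path is an assumed location.

```shell
#!/bin/sh
# Added example, not from the thread: fetch a site's chain with openssl and
# keep only the non-leaf certs for Squid 3.5's sslproxy_foreign_intermediate_certs.
# Assumes sh, awk, grep, openssl; INTERMEDIATES_FILE is an assumed path.
INTERMEDIATES_FILE="${INTERMEDIATES_FILE:-/etc/squid/foreign_intermediates.pem}"

# Dump the chain the server presents (leaf first) as text plus PEM blocks.
fetch_chain() {  # fetch_chain host [port]
    openssl s_client -showcerts -servername "$1" -connect "$1:${2:-443}" </dev/null 2>/dev/null
}

# Copy every PEM block except the first (the leaf) from dump $1 into $2,
# dropping the " N s:/i:" summary lines; print how many certs were written.
# Nothing is added to the system trust store: a root is installed by hand
# only after you decided it is needed (step 1a), never because the far end
# sent it. If the server sends its root too, review $2 before loading it.
extract_intermediates() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++; inpem = 1 }
         inpem && n > 1               { print }
         /-----END CERTIFICATE-----/  { inpem = 0 }' "$1" > "$2"
    grep -c -- '-----BEGIN CERTIFICATE-----' "$2" || true
}

# Constructed sample dump with placeholder PEM bodies, so the split logic
# runs offline; a live run is: sh thisscript.sh <host> [port].
DUMP=$(mktemp); OUT=$(mktemp)
cat > "$DUMP" <<'EOF'
Certificate chain
 0 s:CN = www.example.test
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
LEAFPLACEHOLDER
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
INTERMEDIATEPLACEHOLDER
-----END CERTIFICATE-----
 2 s:CN = Example Root CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
ROOTPLACEHOLDER
-----END CERTIFICATE-----
EOF
if [ $# -gt 0 ]; then
    fetch_chain "$1" "${2:-443}" > "$DUMP"; OUT="$INTERMEDIATES_FILE"
fi
echo "wrote $(extract_intermediates "$DUMP" "$OUT") cert(s) to $OUT"
```

After the file is written, point sslproxy_foreign_intermediate_certs at it and reload Squid; the root that the last `i:` line names is the one to check against your distribution's CA bundle before deciding whether step 1a applies.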


