[squid-users] SSL Bump and Certificate issue - RapidSSL Intermediate Cert

Amos Jeffries squid3 at treenet.co.nz
Wed Mar 1 17:05:29 UTC 2017


On 1/03/2017 4:58 a.m., stylemessiah wrote:
> This is driving me nuts, it's the only issue I've found running ssl bump on my
> home network for eons
> 
> I can't see image thumbnails on xda-developers...
> 
> When I access a thread with them, I get text links, not thumbnails, and if I
> click on the links I get the following:
> 
> 
>     (71) Protocol error (TLS code:
> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
> 
>     SSL Certficate error: certificate issuer (CA) not known:
> /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
> 
> I figured out by googling how to (I hope) trace the problem certificate via
> s_client:
> 
> 
> OpenSSL> s_client -showcerts -verify 32 -connect dl.xda-developers.com:443
> verify depth is 32
> CONNECTED(0000012C)
> depth=0 CN = *.xda-developers.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 CN = *.xda-developers.com
> verify error:num=21:unable to verify the first certificate
> verify return:1

That command you used does not send data through the proxy. So that
confirms that the server's TLS is broken in a way unrelated to Squid.



> ---
> Certificate chain
>  0 s:/CN=*.xda-developers.com
>    i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
...
> ---
> Server certificate
> subject=/CN=*.xda-developers.com
> issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
> ---
> No client certificate CA names sent
> Peer signing digest: SHA512
> Server Temp Key: ECDH, P-256, 256 bits
> ---
> SSL handshake has read 2067 bytes and written 302 bytes
> Verification error: unable to verify the first certificate

> 
> I've found the intermediate bundle from RapidSSL, and added it to my existing
> pem bundle...no change

You need to locate the root CA and/or intermediate CA certificates used
to sign the domain server's certificate.

You then need to identify *why* they are not being trusted by your OS
library.

Be sure to determine whether the CA which is missing is actually
trustworthy before adding it to your trusted set. More than a few of the
CAs which are around are not trusted because they have been hacked or
caught signing forged certificates they should not have.


> Added as a separate pem i.e. sslproxy_foreign_intermediate_certs
> /cygdrive/e/Squid/etc/ssl/extra-intermediate-CA.pem...no change
> 
> My sslbump related config lines are:
> 
> http_port 127.0.0.1:3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=10MB cert=/cygdrive/e/Squid/etc/ssl/myCA.pem
> capath=/cygdrive/e/Squid/etc/ssl
> cafile=/cygdrive/e/Squid/etc/ssl/extra-intermediate-CA.pem
> tls-dh=/cygdrive/e/Squid/etc/ssl/dhparam.pem
> options=NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE

PS.  EECDH will not work unless you configure a curve name in the
tls-dh= option. Just having dhparam.pem alone will only enable the less
secure DH ciphers.

Amos
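An added example, not from this thread or from the Squid project: it reproduces the same verify error 20 seen in the s_client output above with a throwaway root -> intermediate -> leaf chain, then clears it by offering the intermediate as an untrusted chain link (the role Squid's sslproxy_foreign_intermediate_certs plays for bumped connections). The CA names and leaf.example.test are constructed; only the openssl CLI is required.

```shell
#!/bin/sh
# Constructed demo of X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (error 20):
# the trust store holds only the root, so the leaf's issuer (the intermediate)
# cannot be found locally until it is supplied alongside the leaf.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension sets for the CA certificates and for the end-entity certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:leaf.example.test\n' > leaf.ext

mkcsr() {  # $1 = file stem, $2 = subject: fresh RSA key plus CSR, quietly
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" >/dev/null 2>&1
}

# Self-signed root: the only certificate our "trust store" (root.pem) contains.
mkcsr root "/CN=Demo Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
  -out root.pem >/dev/null 2>&1
# Intermediate signed by the root: the link servers often forget to send.
mkcsr inter "/CN=Demo Intermediate CA"
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -extfile ca.ext -out inter.pem >/dev/null 2>&1
# Leaf signed by the intermediate, like *.xda-developers.com under RapidSSL CA.
mkcsr leaf "/CN=leaf.example.test"
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 2 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1

# Root trusted, intermediate absent: the issuer lookup fails at depth 0.
verify_without_intermediate() {
  openssl verify -CAfile root.pem leaf.pem 2>&1 || true
}
# Same trust store, intermediate offered as an untrusted helper (not as a root).
verify_with_intermediate() {
  openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem 2>&1 || true
}

verify_without_intermediate   # error 20 ...: unable to get local issuer certificate
verify_with_intermediate      # leaf.pem: OK
```

The intermediate is never added to root.pem: trust comes from the root alone, and the helper file only lets the verifier complete the chain, which is the safe way to handle a server that ships an incomplete chain.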


