[squid-users] SSL Bump and Certificate issue - RapidSSL Intermediate Cert

stylemessiah adrian.m.miller at gmail.com
Wed Mar 1 17:03:47 UTC 2017


Thanks, Amos, for the info; appreciate your tireless assistance for us
numpties :)

On 2 Mar. 2017 4:06 am, "Amos Jeffries [via Squid Web Proxy Cache]" <
ml-node+s1019090n4681642h47 at n4.nabble.com> wrote:

> On 1/03/2017 4:58 a.m., stylemessiah wrote:
>
> > This is driving me nuts; it's the only issue I've found running ssl bump
> on my
> > home network for eons
> >
> > I can't see image thumbnails on xda-developers...
> >
> > When I access a thread with them, I get text links, not thumbnails, and
> if I
> > click on the links I get the following:
> >
> >
> >     (71) Protocol error (TLS code:
> > X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
> >
> >     SSL Certficate error: certificate issuer (CA) not known:
> > /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
> >
> > I figured out by googling how to (I hope) trace the problem certificate
> via
> > s_client:
> >
> >
> > OpenSSL> s_client -showcerts -verify 32 -connect
> dl.xda-developers.com:443
> > verify depth is 32
> > CONNECTED(0000012C)
> > depth=0 CN = *.xda-developers.com
> > verify error:num=20:unable to get local issuer certificate
> > verify return:1
> > depth=0 CN = *.xda-developers.com
> > verify error:num=21:unable to verify the first certificate
> > verify return:1
>
> That command you used does not send data through the proxy. So that
> confirms that the server's TLS is broken in a way unrelated to Squid.
>
>
>
> > ---
> > Certificate chain
> >  0 s:/CN=*.xda-developers.com
> >    i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
> ...
>
> > ---
> > Server certificate
> > subject=/CN=*.xda-developers.com
> > issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
> > ---
> > No client certificate CA names sent
> > Peer signing digest: SHA512
> > Server Temp Key: ECDH, P-256, 256 bits
> > ---
> > SSL handshake has read 2067 bytes and written 302 bytes
> > Verification error: unable to verify the first certificate
>
> >
> > I've found the intermediate bundle from RapidSSL, and added it to my
> existing
> > pem bundle...no change
>
> You need to locate the root CA and/or intermediate CA certificates used
> to sign the domain servers certificate.
>
> You then need to identify *why* they are not being trusted by your OS
> library.
>
> Be sure to determine whether the CA which is missing is actually
> trustworthy before adding it to your trusted set. More than a few of the
> CAs around are not trusted because they have been hacked or
> caught signing forged certificates they should not have.
>
>
> > Added as a separate pem i.e. sslproxy_foreign_intermediate_certs
> > /cygdrive/e/Squid/etc/ssl/extra-intermediate-CA.pem...no change
> >
> > My sslbump related config lines are:
> >
> > http_port 127.0.0.1:3128 ssl-bump generate-host-certificates=on
> > dynamic_cert_mem_cache_size=10MB cert=/cygdrive/e/Squid/etc/ssl/myCA.pem
>
> > capath=/cygdrive/e/Squid/etc/ssl
> > cafile=/cygdrive/e/Squid/etc/ssl/extra-intermediate-CA.pem
> > tls-dh=/cygdrive/e/Squid/etc/ssl/dhparam.pem
> > options=NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE
>
> PS.  EECDH will not work unless you configure a curve name in the
> tls-dh= option. Just having dhparam.pem alone will only enable the less
> secure DH ciphers.
>
> Amos
>




--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/SSL-Bump-and-Certificate-issue-RapidSSL-Intermediate-Cert-tp4681635p4681643.html
Sent from the Squid - Users mailing list archive at Nabble.com.
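The failure discussed in this thread, reproduced offline as an added example (this is not code from the thread, from Squid or from OpenSSL): a constructed root -> intermediate -> leaf hierarchy with made-up names, a server that presents only its leaf certificate, and the two ways the chain becomes verifiable: the server sending the intermediate itself, or the client (here standing in for Squid's sslproxy_foreign_intermediate_certs) supplying it out of band. Go's crypto/x509 verifier is used in place of OpenSSL, so the error types differ in name (UnknownAuthorityError corresponds to X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY / error 20) and in one detail worth knowing: Go will accept any certificate in the Roots pool as a trust anchor, whereas OpenSSL by default insists on reaching a self-signed root, which is why dropping a RapidSSL intermediate into cafile alone did not help the original poster. The hostname "dl.example.test" and all certificate names are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TestChain is a constructed root -> intermediate -> leaf hierarchy. Every name
// in it is made up for this example; nothing is issued by a real CA.
type TestChain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tpl under parent (tpl == parent for a self-signed root).
func sign(tpl, parent *x509.Certificate, pub interface{}, parentKey interface{}) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func BuildChain() TestChain {
	now := time.Now()
	rootKey, intKey, leafKey := newKey(), newKey(), newKey()
	ca := pkix.Name{Organization: []string{"Example Trust (constructed)"}}

	rootTpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: ca, IsCA: true, BasicConstraintsValid: true,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	rootTpl.Subject.CommonName = "Example Root CA"
	root := sign(rootTpl, rootTpl, &rootKey.PublicKey, rootKey)

	intTpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: ca, IsCA: true, BasicConstraintsValid: true,
		MaxPathLen: 0, MaxPathLenZero: true, // may issue end-entity certs only
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	intTpl.Subject.CommonName = "Example Issuing CA"
	inter := sign(intTpl, root, &intKey.PublicKey, rootKey)

	leafTpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "*.example.test"},
		DNSNames:     []string{"*.example.test"}, // wildcard, like the thread's *.xda-developers.com
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := sign(leafTpl, inter, &leafKey.PublicKey, intKey)

	return TestChain{Root: root, Intermediate: inter, Leaf: leaf}
}

// VerifyPresented validates what a TLS server presented (leaf first) the way an
// OpenSSL client such as Squid does: trusted roots come from cafile/capath, any
// certificates sent after the leaf are untrusted chain material, and foreign
// intermediates (sslproxy_foreign_intermediate_certs) join that untrusted set.
func VerifyPresented(presented, trustedRoots, foreignIntermediates []*x509.Certificate, hostname string) error {
	if len(presented) == 0 {
		return errors.New("server presented no certificate")
	}
	roots := x509.NewCertPool()
	for _, c := range trustedRoots {
		roots.AddCert(c)
	}
	untrusted := x509.NewCertPool()
	for _, c := range append(presented[1:], foreignIntermediates...) {
		untrusted.AddCert(c)
	}
	_, err := presented[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: untrusted, DNSName: hostname})
	return err
}

// IsUnknownAuthority reports the "cannot find the issuer" failure class, the Go
// analogue of OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	c := BuildChain()
	roots := []*x509.Certificate{c.Root}
	host := "dl.example.test"

	err := VerifyPresented([]*x509.Certificate{c.Leaf}, roots, nil, host)
	fmt.Printf("leaf only, roots only:      unknownAuthority=%v (%v)\n", IsUnknownAuthority(err), err)
	fmt.Printf("  issuer to locate and vet: %s\n", c.Leaf.Issuer)
	err = VerifyPresented([]*x509.Certificate{c.Leaf, c.Intermediate}, roots, nil, host)
	fmt.Printf("server sends intermediate:  err=%v\n", err)
	err = VerifyPresented([]*x509.Certificate{c.Leaf}, roots, []*x509.Certificate{c.Intermediate}, host)
	fmt.Printf("foreign intermediate:       err=%v\n", err)
	err = VerifyPresented([]*x509.Certificate{c.Leaf, c.Intermediate}, roots, nil, "other.example.org")
	fmt.Printf("wrong hostname:             unknownAuthority=%v (%v)\n", IsUnknownAuthority(err), err)
}
```

The last case is there to make the diagnostic point from the thread: a hostname mismatch and a missing issuer are different failures with different fixes, so read the error code before touching the trust store, and when the missing piece is an intermediate, check who its issuer is (the printed Issuer line) and whether you actually want to trust it before adding anything.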

