[squid-users] SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Amos Jeffries squid3 at treenet.co.nz
Tue Sep 5 11:01:59 UTC 2017

On 05/09/17 04:20, erdosain9 wrote:
> Hi.
> I'm having a lot of this in cache.log... is this normal?? The https access
> is working fine... but I have those errors.
> 2017/09/04 13:10:58 kid1| Error negotiating SSL on FD 467:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)

Yes and no. "Normal" is relative to why it is happening.

e.g. if your network is under attack it is "normal" to see signs like 
this, but hardly desirable.

On the other hand if the CA certificate being verified has expired or 
been revoked it is both normal and desirable to see these instead of letting 
the traffic through. Opinions on that differ a lot though.

* Check that your Squid machine's ca-certificates are up to date with the 
latest ones available. That can make your proxy unable to deal with CA 
changes unless you stay up to date. Regular updates are on the order of 
weeks, but can happen with no notice if any CA is breached or goes rogue.

* Check that your crypto library is also the latest available. Some 
types of change in TLS extensions can lead to cert errors if the library 
does not understand what fields in the server cert mean. This also helps 
prevent many cipher related errors.

* Take a closer look at the HTTP(S) transaction using the mentioned FD 
number. That may need a section 11,2 trace to see the URL and server 
names and/or IP. See if the openssl command line tools can tell you what 
is non-verifiable about the server cert.

* If it turns out to be an intermediary cert not known by Squid, check 
carefully whether you actually want to trust it. If so you can use 
sslproxy_foreign_intermediate_certs to load it explicitly (or Squid-4 
should auto-download as needed).

It is rarely any other type of occurrence that can be solved by Squid. 
The above should provide some clues to further debugging if necessary.
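As an added, self-contained illustration of the intermediate-cert case in the list above (not code from this thread or from the Squid project), the script below builds a constructed root -> intermediate -> server chain with the openssl command line tool, shows the verify failure when only the root CA is known, and shows it clearing once the intermediate is supplied, which is what sslproxy_foreign_intermediate_certs does for Squid. It assumes openssl is installed; all certificate names are made up.

```shell
#!/bin/sh
# Added example, not from the squid-users thread. Constructed chain:
# root CA -> intermediate CA -> server cert. Assumes the openssl CLI.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Root CA, standing in for one entry of the proxy's ca-certificates bundle.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj "/CN=Constructed Root CA" -days 30 2>/dev/null

# Intermediate CA signed by the root; it needs CA:TRUE to sign leaf certs.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Constructed Intermediate CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile ca.ext -out inter.pem -days 30 2>/dev/null

# Server (leaf) certificate signed only by the intermediate.
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=origin.example" 2>/dev/null
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -out server.pem -days 30 2>/dev/null

# verify_server [intermediate.pem]
# Verifies server.pem against root.pem, optionally with the intermediate
# passed as untrusted (the same check openssl verify runs on a chain saved
# from a server). Returns 0 on success; on failure openssl prints the cause,
# e.g. "unable to get local issuer certificate".
verify_server() {
  if [ -n "$1" ]; then
    openssl verify -CAfile root.pem -untrusted "$1" server.pem
  else
    openssl verify -CAfile root.pem server.pem
  fi
}

# Root known, intermediate not: the condition behind the cache.log error.
if verify_server ""; then
  echo "unexpected: verified without the intermediate"
else
  echo "verify failed: intermediate CA unknown to the verifier"
fi

# Same server cert, intermediate supplied explicitly: verification passes.
# For Squid the equivalent is: sslproxy_foreign_intermediate_certs /path/inter.pem
verify_server inter.pem && echo "verify OK once the intermediate is supplied"
```

Against a live origin, the chain to feed into the same check is what the server actually sends in its handshake; if the intermediate is absent from it, the fix belongs on the origin or in the proxy's foreign intermediate list, not in the root bundle.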


