[squid-users] TLS: 1st time w/intermediate cert: not working; ideas on what I'm doing wrong?
Yuri
yvoinov at gmail.com
Thu Sep 7 21:19:51 UTC 2017
08.09.2017 3:14, L A Walsh пишет:
> Got an error message from squid where I'm doing https-bumping:
>
> --------------------------
> The following error was encountered while trying to retrieve the URL:
> https://help.ea.com/
>
> *Failed to establish a secure connection to 52.0.220.87*
>
> The system returned:
>
> (71) Protocol error (TLS code:
> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
>
> SSL Certficate error: certificate issuer (CA) not known:
> /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec
> Class 3 Secure Server CA - G4
>
> This proxy and the remote host failed to negotiate a mutually
> acceptable security settings for handling your request. It is possible
> that the remote host does not support secure connections, or the proxy
> is not satisfied with the host security credentials.
>
> --------------------------------
>
> Googling found:
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Howto-fix-X509-V-ERR-UNABLE-TO-GET-ISSUER-CERT-LOCALLY-Squid-error-td4682015.html
>
>
> Used openssl.com to get the intermediate certs (2 hosts are referenced
> in parallel chains). The two certs looked like:
>
> -----BEGIN CERTIFICATE-----
> ...hexstuff==
> -----END CERTIFICATE-----
>
>
> Added the certs to a file and that filename to my squid.conf on a line:
>
> sslproxy_foreign_intermediate_certs /etc/squid/ssl_intermediates/cert.pem
>
> restarted squid, but am still getting same error.
>
> Am I missing some obvious step?
Yup :)
# TAG: sslproxy_foreign_intermediate_certs
# Many origin servers fail to send their full server certificate
# chain for verification, assuming the client already has or can
# easily locate any missing intermediate certificates.
#
# Squid uses the certificates from the specified file to fill in
# these missing chains when trying to validate origin server
# certificate chains.
#
# The file is expected to contain zero or more PEM-encoded
# intermediate certificates. These certificates are not treated
# as trusted root certificates, and any self-signed certificate in
# this file will be ignored.
#Default:
# none
>
> Looking for a clue... ;-)
https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit?highlight=%28Ssl%29%7C%28Bump%29%7C%28explicit%29#Missing_intermediate_certificates
>
> Thanks!
> -l
>
>
>
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170908/10ccf9f7/attachment-0001.sig>
More information about the squid-users
mailing list