[squid-users] Squid 4 and missing intermediate certs

Mon Jan 29 09:48:50 UTC 2018

On 26/01/18 17:50, Alex Rousskov wrote:
> On 01/26/2018 02:30 AM, Alex Crow wrote:
>
>> I've just set up a new SSL interception proxy using peek/splice/bump
>> using squid 4.0.22 and I'm getting SSL errors on some site indicating
>> missing intermediate certs as described here:
>>
>> https://blog.diladele.com/2015/04/21/fixing-x509_v_err_unable_to_get_issuer_cert_locally-on-ssl-bumping-squid/
>>
>> I have read the wiki and I see this on the SslBumpExplicit page:
>>
>> "Squid-4 <https://wiki.squid-cache.org/Squid-4> is capable of
>> downloading missing intermediate CA certificates, like popular browsers do."
>>
>> However I'm finding that I have to follow the procedure in the diladele
>> article and manually install the intermediate certs into the PKI trust
>> to work around this.
>
> Several cases are possible here:
>
> 1. Squid is missing the root certificate used by the origin server.
> Neither Squid nor browsers can fetch root certificates automatically
> (for hopefully obvious reasons).
>
> 2. Squid is missing an intermediate certificate used by the origin
> server, and the origin server provided no instructions on how to fetch
> that missing certificate automatically. Neither Squid (for sure) nor
> browsers (AFAIK) can fetch missing intermediate certificates
> automatically if they are not given origin server instructions of where
> to get them. Those instructions are usually given as various extension
> fields in signed certificates.
>
> 3. Squid is missing an intermediate certificate used by the origin
> server, the origin server provided instructions on how to fetch that
> missing certificate automatically, but Squid does not understand/support
> those instructions. There are several instruction formats/variants, and
> Squid does not support some of them. Please consider adding that support
> to Squid (requires writing code or sponsoring development).
>
> 4. Squid is missing an intermediate certificate used by the origin
> server, the origin server provided instructions on how to fetch that
> missing certificate automatically, Squid followed those instructions,
> but something went wrong. Study detailed Squid debugging logs or post
> them for analysis by others.
>
> You need to study each error to understand which case applies to it.
>
> To make matters worse, a combination of #1 and other cases is possible:
> Sometimes, automatically fetching a missing certificate leads to
> certificate validation problems that could have been avoided if Squid
> had the right (and different) trusted certificate in the first place:
> https://github.com/squid-cache/squid/commit/9ef7d9d5ddef54283cea4f1fdb7b3bbc1715755c
>
>
> I doubt Squid logs enough information (by default) to quickly and easily
> distinguish the four cases for a given error -- you may need to study
> the origin server certificates and Squid logs. For example, #4 should
> manifest itself as access.log errors associated with failed certificate
> fetching requests.
>
>
> As the solution for #1-2 or workaround for #3-4, if you trust the
> missing certificate, manually add it to your trust store (which is what
> you were doing).
>
>
> HTH,
>
> Alex.

Thanks very much Alex. I thought it might be something like that. I'm 
guessing it's most likely #3 or #4 as the site works direct from the 
browser.

Cheers

Alex
--
This message is intended only for the addressee and may contain
confidential information. Unless you are that person, you may not
disclose its contents or use it in any way and are requested to delete
the message along with any attachments and notify us immediately.
This email is not intended to, nor should it be taken to, constitute advice.
The information provided is correct to our knowledge & belief and must not
be used as a substitute for obtaining tax, regulatory, investment, legal or
any other appropriate advice.

"Transact" is operated by Integrated Financial Arrangements Ltd.
29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608 5300.
(Registered office: as above; Registered in England and Wales under
number: 3727592). Authorised and regulated by the Financial Conduct
Authority (entered on the Financial Services Register; no. 190856).