[squid-users] Cert download from AIA information succeeds yet Squid reports ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
Ahmad, Sarfaraz
Sarfaraz.Ahmad at deshaw.com
Tue May 22 04:59:48 UTC 2018
Hi,
I have setup Squid as a SSL MITM proxy.
I am also using the cert download feature with these configurations in my squid.conf
acl cert_fetch transaction_initiator certificate-fetching
http_access allow cert_fetch
Websites where certificates just share AIA information using CA-issuer method, those work just fine.
But try this one, https://community.verizonwireless.com/welcome (this gets bumped in my setup)
Here the AIA information Is provided using both OCSP/CAissuer methods.
>From Squid's access logs, I can tell that the certificate gets downloaded.
1526964147.929 160 - TCP_MISS/200 1868 GET http://cacert.omniroot.com/vpssg142.crt - HIER_DIRECT/64.18.25.46 application/x-x509-ca-cert
But squid still reports:
(71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
SSL Certficate error: certificate issuer (CA) not known: /C=NL/L=Amsterdam/O=Verizon Enterprise Solutions/OU=Cybertrust/CN=Verizon Public SureServer CA G14-SHA2
That is the only intermediate certificate needed in the chain. Here: https://www.ssllabs.com/ssltest/analyze.html?d=community.verizonwireless.com&latest
When I download the intermediate certificate locally and try connecting to the remote server using openssl -Cafile option, Openssl reports OK (0).
openssl s_client -connect 204.93.84.201:443 -showcerts -CAfile vpssg142.crt -servername community.verizon.com
>> Verify return code: 0 (ok)
Regards,
Sarfaraz
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20180522/cbc5fb44/attachment-0001.html>
More information about the squid-users
mailing list