[squid-users] bank blocked

Marcus Kool marcus.kool at urlfilterdb.com
Wed Oct 31 15:01:09 UTC 2018


When there is an issue with a certificate, it is good practice to go to ssllabs to verify what is going on.

https://www.ssllabs.com/ssltest/analyze.html?d=i.bps%2dsberbank.by&hideResults=on&latest
shows that there is an incomplete certificate chain issue (in orange) which means that the server of the bank does not send all (intermediate) certificates.
Click on the blue '+' of certification paths and it shows that the 'GeoTrust RSA CA 2018' (intermediate certificate) had to be downloaded.

The messages are not from Squid but from ufdbGuard, which apparently is configured with an option to block the URL in case of a certificate issue.
Since Squid already checks for valid certificate chains, I suggest turning this option off in ufdbGuard.

Marcus


On 31/10/2018 11:48, Vacheslav wrote:
> I do not use bump or splice if that is what you mean. I do not import certificates.. it works without proxy.
> 
> -----Original Message-----
> From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Matus UHLAR - fantomas
> Sent: Wednesday, October 31, 2018 5:46 PM
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] bank blocked
> 
> On 31.10.18 17:41, Vacheslav wrote:
>> 2018-10-31 17:34:45 [4270] TLSv1.2 certificate for i.bps-sberbank.by:443: UNRECOGNISED ISSUER  (maybe a certificate chain issue)  *****
>> 2018-10-31 17:34:45 [4270]    issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
> 
> Does your system recognize this authority? Do you have an actual list of CAs?
> 
>> 2018-10-31 17:34:45 [4270]    subject: /C=BY/L=Minsk/O=BPS-Sberbank OAO/OU=Head Office/CN=*.bps-sberbank.by
>> 2018-10-31 17:34:45 [4270] TLSv1.2 connection to i.bps-sberbank.by:443 has error code 12. It is marked as a TLS/SSL certificate issue
>> 2018-10-31 17:34:45 [4270] BLOCK -                10.17.10.17     config     https-option  i.bps-sberbank.by:443 CONNECT
>>
>> What is wrong?
> 
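
An added example, not part of the original thread and not ufdbGuard code: a Python sketch that correlates the "UNRECOGNISED ISSUER" lines quoted above with the BLOCK line that followed, so each blocked site is listed with the issuer whose certificate the server failed to send. The log lines are the ones quoted in the thread; the meaning of the BLOCK fields is an assumption read off that single sample.

```python
import re

# Log lines as quoted in the thread above (ufdbGuard output).
SAMPLE_LOG = """\
2018-10-31 17:34:45 [4270] TLSv1.2 certificate for i.bps-sberbank.by:443: UNRECOGNISED ISSUER  (maybe a certificate chain issue)  *****
2018-10-31 17:34:45 [4270]    issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
2018-10-31 17:34:45 [4270]    subject: /C=BY/L=Minsk/O=BPS-Sberbank OAO/OU=Head Office/CN=*.bps-sberbank.by
2018-10-31 17:34:45 [4270] TLSv1.2 connection to i.bps-sberbank.by:443 has error code 12. It is marked as a TLS/SSL certificate issue
2018-10-31 17:34:45 [4270] BLOCK -                10.17.10.17     config     https-option  i.bps-sberbank.by:443 CONNECT
"""

LINE = re.compile(r"^(\S+ \S+) \[(\d+)\]\s+(.*)$")          # timestamp, pid, message
UNRECOGNISED = re.compile(r"certificate for (\S+): UNRECOGNISED ISSUER")
DN = re.compile(r"^(issuer|subject): (.*)$")

def common_name(dn):
    """Return the CN component of a one-line distinguished name, or the DN itself."""
    m = re.search(r"/CN=([^/]+)", dn)
    return m.group(1) if m else dn

def chain_issue_blocks(log_text):
    """Correlate 'UNRECOGNISED ISSUER' events with the BLOCK line they led to."""
    events, last = {}, {}   # (pid, host:port) -> record; pid -> most recent record
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        when, pid, msg = m.groups()
        cert, dn = UNRECOGNISED.search(msg), DN.match(msg)
        if cert:
            rec = {"time": when, "target": cert.group(1), "issuer": None,
                   "subject": None, "client": None, "blocked": False}
            events[(pid, cert.group(1))] = last[pid] = rec
        elif dn and pid in last:
            last[pid][dn.group(1)] = common_name(dn.group(2))
        elif msg.startswith("BLOCK"):
            f = msg.split()
            # Assumed field order, read off the sample line:
            # BLOCK user client source category target method
            if len(f) >= 7 and f[4] == "https-option":
                rec = events.get((pid, f[5]))
                if rec:
                    rec["client"], rec["blocked"] = f[2], True
    return list(events.values())

if __name__ == "__main__":
    for e in chain_issue_blocks(SAMPLE_LOG):
        print(f'{e["time"]} {e["target"]} blocked={e["blocked"]} client={e["client"]} '
              f'issuer not recognised: {e["issuer"]!r} (subject {e["subject"]!r})')
```

Hosts that show up here with an issuer that SSL Labs reports as an "extra download" are incomplete-chain cases like the one in this thread, not untrusted certificates.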

