[squid-users] sometimes intermediate certificates were not downloaded when using sslbump

Dieter Bloms squid.org at bloms.de
Wed Apr 8 11:36:59 UTC 2020


Hello,

I use a self-compiled squid 4.10, compiled as follows:

~# squid --version
Squid Cache: Version 4.10
Service Name: squid

This binary uses OpenSSL 1.1.1d  10 Sep 2019. For legal restrictions on distribution see https://www.openssl.org/source/license.html

configure options:  '--prefix=/usr' '--sysconfdir=/etc/squid' '--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--localstatedir=/var' '--libexecdir=/usr/sbin' '--datadir=/usr/share/squid' '--mandir=/usr/share/man' '--with-default-user=squid' '--with-filedescriptors=131072' '--with-logdir=/var/log/squid' '--disable-auto-locale' '--disable-auth-negotiate' '--disable-auth-ntlm' '--disable-eui' '--disable-carp' '--disable-htcp' '--disable-ident-lookups' '--disable-loadable-modules' '--disable-translation' '--disable-wccp' '--disable-wccpv2' '--enable-async-io=128' '--enable-auth' '--enable-auth-basic=LDAP NCSA' '--enable-auth-digest=LDAP file' '--enable-epoll' '--enable-log-daemon-helpers=file' '--enable-icap-client' '--enable-inline' '--enable-snmp' '--enable-disk-io=AIO,DiskThreads,IpcIo,Blocking' '--enable-storeio=ufs,aufs,rock' '--enable-referer-log' '--enable-useragent-log' '--enable-large-cache-files' '--enable-removal-policies=lru,heap' '--enable-follow-x-forwarded-for' '--enable-ssl-crtd' '--with-openssl'

in squid.conf I set the following acl at the very beginning of the acl section:

# allow fetching of missing intermediate certificates
acl fetch_intermediate_certificate transaction_initiator certificate-fetching
cache allow fetch_intermediate_certificate
cache deny all
http_access allow fetch_intermediate_certificate

and squid fetches intermediate certificates for websites like: https://incomplete-chain.badssl.com/
But squid doesn't fetch the intermediate certificates for the site https://www.formulare-bfinv.de/
and I don't know why.

I checked all AIA entries in the certificates and it looks good to me.

Can anybody try the site https://www.formulare-bfinv.de/ with sslbump enabled,
so I can see whether my installation is broken or the webserver configuration isn't correct?

Thank you very much.

-- 
Best regards

  Dieter Bloms

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
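As an added diagnostic (not part of the original post or of the Squid project): a shell snippet that dumps the chain a TLS server presents and lists the AIA "CA Issuers" URIs of each certificate, which are exactly what Squid's certificate-fetching step must be able to download. It assumes openssl 1.1.1 or later; the host and URL values it uses are placeholders.

```shell
#!/bin/sh
# Added example: inspect a server's TLS chain and the AIA CA Issuers URIs
# that Squid would need to fetch for missing intermediates.
# Requires openssl 1.1.1+ (for 'x509 -ext'). Host names are placeholders.

# Fetch the chain presented by HOST (arg 1, port arg 2, default 443) as PEM.
server_chain() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null \
        | sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p'
}

# Print the CA Issuers URIs of the AIA extension of one PEM cert on stdin.
# Empty output means the extension or its caIssuers access method is absent,
# so there is nothing for Squid to download for that certificate.
aia_ca_issuers() {
    openssl x509 -noout -ext authorityInfoAccess 2>/dev/null \
        | sed -n 's/^ *CA Issuers - URI:\(.*\)$/\1/p'
}

# Number of certificates in the PEM file given as arg 1.
chain_length() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Extract the N-th certificate (arg 2, 1-based) from the PEM file arg 1.
nth_cert() {
    awk -v n="$2" '/^-----BEGIN CERTIFICATE-----/{c++}
                   c==n{print}
                   /^-----END CERTIFICATE-----/{if (c==n) exit}' "$1"
}

# For every certificate in the chain file: subject, issuer, CA Issuers URIs.
# If the last certificate is not a trusted root and carries no CA Issuers URI,
# Squid has no way to complete the chain, whatever the acl allows.
describe_chain() {
    n=$(chain_length "$1")
    i=1
    while [ "$i" -le "$n" ]; do
        echo "--- certificate $i of $n"
        nth_cert "$1" "$i" | openssl x509 -noout -subject -issuer
        nth_cert "$1" "$i" | aia_ca_issuers | sed 's/^/    CA Issuers: /'
        i=$((i + 1))
    done
}
```

On the proxy host, `server_chain www.formulare-bfinv.de > chain.pem; describe_chain chain.pem` shows whether the server already sends the intermediate and whether the leaf's CA Issuers URI is reachable from the proxy.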
