[squid-users] sometimes intermediate certificates were not downloaded when using sslbump

L.P.H. van Belle belle at bazuin.nl
Wed Apr 8 11:48:14 UTC 2020


This is a simple one. 

The certificate chain of that website is incorrect. 
As shown here: https://www.ssllabs.com/ssltest/analyze.html?d=www.formulare%2dbfinv.de&latest 

Check your webserver first and correct your ciphers in your Apache webserver. 

Greetz, 

Louis
 

> -----Original message-----
> From: squid-users 
> [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of Dieter Bloms
> Sent: Wednesday 8 April 2020 13:37
> To: squid-users at lists.squid-cache.org
> Subject: [squid-users] sometimes intermediate certificates 
> were not downloaded when using sslbump
> 
> Hello,
> 
> I use a self-compiled squid 4.10, compiled as follows:
> 
> ~# squid --version
> Squid Cache: Version 4.10
> Service Name: squid
> 
> This binary uses OpenSSL 1.1.1d  10 Sep 2019. For legal 
> restrictions on distribution see 
> https://www.openssl.org/source/license.html
> 
> configure options:  '--prefix=/usr' '--sysconfdir=/etc/squid' 
> '--bindir=/usr/sbin' '--sbindir=/usr/sbin' 
> '--localstatedir=/var' '--libexecdir=/usr/sbin' 
> '--datadir=/usr/share/squid' '--mandir=/usr/share/man' 
> '--with-default-user=squid' '--with-filedescriptors=131072' 
> '--with-logdir=/var/log/squid' '--disable-auto-locale' 
> '--disable-auth-negotiate' '--disable-auth-ntlm' 
> '--disable-eui' '--disable-carp' '--disable-htcp' 
> '--disable-ident-lookups' '--disable-loadable-modules' 
> '--disable-translation' '--disable-wccp' '--disable-wccpv2' 
> '--enable-async-io=128' '--enable-auth' 
> '--enable-auth-basic=LDAP NCSA' '--enable-auth-digest=LDAP 
> file' '--enable-epoll' '--enable-log-daemon-helpers=file' 
> '--enable-icap-client' '--enable-inline' '--enable-snmp' 
> '--enable-disk-io=AIO,DiskThreads,IpcIo,Blocking' 
> '--enable-storeio=ufs,aufs,rock' '--enable-referer-log' 
> '--enable-useragent-log' '--enable-large-cache-files' 
> '--enable-removal-policies=lru,heap' 
> '--enable-follow-x-forwarded-for' '--enable-ssl-crtd' '--with-openssl'
> 
> In squid.conf I set the following acl at the very beginning of the acl section:
> 
> # allow fetching of missing intermediate certificates
> acl fetch_intermediate_certificate transaction_initiator certificate-fetching
> cache allow fetch_intermediate_certificate
> cache deny all
> http_access allow fetch_intermediate_certificate
> 
> and squid fetches intermediate certificates for websites 
> like: https://incomplete-chain.badssl.com/
> But squid doesn't fetch the intermediate certificates for the 
> site https://www.formulare-bfinv.de/
> and I don't know why.
> 
> I checked all AiA entries in the certificates and it looks good to me.
> 
> Can anybody try the site https://www.formulare-bfinv.de/ with 
> sslbump enabled,
> so I can see whether my installation is broken or the 
> webserver configuration isn't correct?
> 
> Thank you very much.
> 
> -- 
> Best regards
> 
>   Dieter Bloms
> 
> --
> I do not get viruses because I do not use MS software.
> If you use Outlook then please do not put my email address in your
> address-book so that WHEN you get a virus it won't use my 
> address in the
> From field.
> 
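
Added example, not part of the original thread and not Squid's own code: a small Python check that reads the "Certificate chain" section printed by `openssl s_client -connect HOST:443 -showcerts` and reports whether the links the server sent line up and which issuer the validator still has to find in its trust store or fetch via AIA. The sample outputs, host and CA names, and the function names `parse_chain` and `analyze` are constructed for illustration.

```python
import re

# Constructed samples of the "Certificate chain" section printed by
# `openssl s_client -connect HOST:443 -showcerts` (all names are made up).
LEAF_ONLY = """Certificate chain
 0 s:CN = www.example.test
   i:C = XX, O = Example CA, CN = Example Issuing CA 1
---
"""
FULL = """Certificate chain
 0 s:CN = www.example.test
   i:C = XX, O = Example CA, CN = Example Issuing CA 1
 1 s:C = XX, O = Example CA, CN = Example Issuing CA 1
   i:C = XX, O = Example CA, CN = Example Root CA
---
"""
MISORDERED = """Certificate chain
 0 s:CN = www.example.test
   i:C = XX, O = Example CA, CN = Example Issuing CA 1
 1 s:C = XX, O = Example CA, CN = Example Root CA
   i:C = XX, O = Example CA, CN = Example Root CA
---
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        s = re.match(r"\s*\d+ s:(.*)$", line)
        i = re.match(r"\s+i:(.*)$", line)
        if s:
            subject = s.group(1).strip()
        elif i and subject is not None:
            chain.append((subject, i.group(1).strip()))
            subject = None
    return chain

def analyze(text):
    """Summarise what a validating client (or a bumping proxy) is missing."""
    chain = parse_chain(text)
    if not chain:
        return {"sent": 0, "broken_links": [], "needs_issuer": None}
    # A link is broken when cert n's issuer is not cert n+1's subject.
    broken = [n for n in range(len(chain) - 1) if chain[n][1] != chain[n + 1][0]]
    last_subject, last_issuer = chain[-1]
    # Unless the last cert is self-signed, its issuer must come from the
    # local trust store or be fetched through the AIA "CA Issuers" URL.
    needs = None if last_subject == last_issuer else last_issuer
    return {"sent": len(chain), "broken_links": broken, "needs_issuer": needs}
```

A non-empty `broken_links` or a `needs_issuer` that names an intermediate rather than a trusted root points at the web server's chain configuration, not at the proxy.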


