[squid-users] sometimes intermediate certificates were not downloaded when using sslbump

Wed Apr 8 13:14:11 UTC 2020

Hello Louis,

thank you for your answer.

It is not my webserver. Am a user who wants to connect to the webserver.
I know that the certificate chain is incomplete.
As far as I know squid should be able to fetch the missing intermediate
certificates on its own with the help of Authority Information Access (AIA) to get the complete list.
So squid should be able to verify the server certificate even the
webserver doesn't deliver the intermediate certificates.

On Wed, Apr 08, L.P.H. van Belle wrote:

> This is a simple one. 
> 
> The certificate chain of that website is incorrect. 
> As shown here : https://www.ssllabs.com/ssltest/analyze.html?d=www.formulare%2dbfinv.de&latest 
> 
> Check you webserver first and correct you ciphers in your apache webserver. 
> 
> Greetz, 
> 
> Louis
>  
> 
> > -----Oorspronkelijk bericht-----
> > Van: squid-users 
> > [mailto:squid-users-bounces at lists.squid-cache.org] Namens Dieter Bloms
> > Verzonden: woensdag 8 april 2020 13:37
> > Aan: squid-users at lists.squid-cache.org
> > Onderwerp: [squid-users] sometimes intermediate certificates 
> > were not downloaded when using sslbump
> > 
> > Hello,
> > 
> > I use a self compiled squid 4.10 compiled as follow:
> > 
> > ~# squid --version
> > Squid Cache: Version 4.10
> > Service Name: squid
> > 
> > This binary uses OpenSSL 1.1.1d  10 Sep 2019. For legal 
> > restrictions on distribution see 
> > https://www.openssl.org/source/license.html
> > 
> > configure options:  '--prefix=/usr' '--sysconfdir=/etc/squid' 
> > '--bindir=/usr/sbin' '--sbindir=/usr/sbin' 
> > '--localstatedir=/var' '--libexecdir=/usr/sbin' 
> > '--datadir=/usr/share/squid' '--mandir=/usr/share/man' 
> > '--with-default-user=squid' '--with-filedescriptors=131072' 
> > '--with-logdir=/var/log/squid' '--disable-auto-locale' 
> > '--disable-auth-negotiate' '--disable-auth-ntlm' 
> > '--disable-eui' '--disable-carp' '--disable-htcp' 
> > '--disable-ident-lookups' '--disable-loadable-modules' 
> > '--disable-translation' '--disable-wccp' '--disable-wccpv2' 
> > '--enable-async-io=128' '--enable-auth' 
> > '--enable-auth-basic=LDAP NCSA' '--enable-auth-digest=LDAP 
> > file' '--enable-epoll' '--enable-log-daemon-helpers=file' 
> > '--enable-icap-client' '--enable-inline' '--enable-snmp' 
> > '--enable-disk-io=AIO,DiskThreads,IpcIo,Blocking' 
> > '--enable-storeio=ufs,aufs,rock' '--enable-referer-log' 
> > '--enable-useragent-log' '--enable-large-cache-files' 
> > '--enable-removal-policies=lru,heap' 
> > '--enable-follow-x-forwarded-for' '--enable-ssl-crtd' '--with-openssl'
> > 
> > in squid.conf I set following acl at the very benning of acl section:
> > 
> > # allow fetching of missing intermediate certificates
> > acl fetch_intermediate_certificate transaction_initiator 
> > certificate-fetching
> > cache allow fetch_intermediate_certificate
> > cache deny all
> > http_access allow fetch_intermediate_certificate
> > 
> > and squid fetches intermediate certificates for websites 
> > like: https://incomplete-chain.badssl.com/
> > But squid doesn't fetch the intermediate certificates for the 
> > site https://www.formulare-bfinv.de/
> > and I don't know why.
> > 
> > I checked all AiA entries in the certificates and it looks good to me.
> > 
> > Can anybody try the site https://www.formulare-bfinv.de/ with 
> > enabled sslbump,
> > so I can see whether my installation is broken or the 
> > webserver configuration isn't correct ?
> > 
> > Thank you very much.
> > 
> > -- 
> > Best regards
> > 
> >   Dieter Bloms
> > 
> > --
> > I do not get viruses because I do not use MS software.
> > If you use Outlook then please do not put my email address in your
> > address-book so that WHEN you get a virus it won't use my 
> > address in the
> > From field.
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
> > 
> 

-- 
Gruß

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.