[squid-users] squid doesn't fetch the intermediate certificate for some sites

Dieter Bloms squid.org at bloms.de
Tue Jul 21 09:18:33 UTC 2020


Hello Matus,

thank you for your answer.

On Tue, Jul 21, Matus UHLAR - fantomas wrote:

> On 21.07.20 09:41, Dieter Bloms wrote:
> > we use the sslbump feature and it works very well.
> > But some sites can't be reached because of missing intermediate
> > certificate.
> > 
> > In squid.conf we have configured the following parameters:
> > 
> > --snip--
> > # allow fetching of missing intermediate certificates
> > acl fetch_intermediate_certificate transaction_initiator certificate-fetching
> > http_access allow fetch_intermediate_certificate
> > cache allow fetch_intermediate_certificate
> > cache deny all
> > --snip--
> > 
> > and fetching the intermediate certificate works for sites like: https://incomplete-chain.badssl.com/
> > 
> > but for some sites like https://mycase.cloudapps.cisco.com/
> > squid doesn't fetch the intermediate certificate and returns X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
> > 
> > In my eyes the certificate of mycase.cloudapps.cisco.com contains an AiA
> > record.
> > 
> > output of openssl on certificate of mycase.cloudapps.cisco.com
> > --snip--
> >            Authority Information Access:
> >                CA Issuers - URI:http://trust.quovadisglobal.com/hydsslg2.crt
> >                OCSP - URI:http://ocsp.quovadisglobal.com
> > --snip--
> > 
> > so does anybody see what's the reason, why squid doesn't download the
> > intermediate certificate for mycase.cloudapps.cisco.com ?
> 
> squid can't download certificates other than the website provides.

that's not true:

from site: https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
"Squid-4 is capable of downloading missing intermediate CA certificates,
like popular browsers do."

> if a website does not provide valid certificate chain, it's up to the client
> to produce an error. With browser, you can allow the certificate explicitly.

with ssbump the browser doesn't see the origin webserver certificate,
but sees the squid created one.

> It is also possible that browser has the intermediace certificate
> remembered.

as I already wrote, we use sslbump.

> testing certificate for mycase.cloudapps.cisco.com shows only one
> certificate I can see:
> 
> Certificate chain
> 0 s:C = US, ST = California, L = San Jose, O = "Cisco Systems, Inc.", CN = mycase.cloudapps.cisco.com
>   i:C = US, O = HydrantID (Avalanche Cloud Corporation), CN = HydrantID SSL ICA G2
> 
> the HydrantID SSL ICA G2 certificate seems to be missing here.
> 
> 
> 
> -- 
> Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Windows 2000: 640 MB ought to be enough for anybody
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

-- 
Gruß

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


More information about the squid-users mailing list