[squid-users] Troubleshooting certificate issues

Lorenzo Marcantonio l.marcantonio at proxind.it
Wed Nov 11 18:17:29 UTC 2020


On Wed, Nov 11, 2020 at 11:45:26AM -0500, Alex Rousskov wrote:
> On 11/11/20 6:56 AM, Lorenzo Marcantonio wrote:
> > I'm using 4.13 with libressl 3.2.2 and SSL bumps.
> 
> FYI: Libressl-based builds are not officially supported. I do not know
> whether libressl is a factor here.

Uhm. That could be. However I think that mixing openssl and libressl
could be an even bigger can of worms, given that they have the same soname.

> > X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY at depth=2
> 
> If the connection is using TLS v1.3, then you may be suffering from Bug
> 5067: https://bugs.squid-cache.org/show_bug.cgi?id=5067

Ah. There is some kind of hack in squid to get the missing certificates,
but openssl verify checks ok without going to the net (I did a strace to
check the cafile).

libressl seems to be the most probable issue then. Not an easy fix, I fear.

Thanks for the advice

-- 
Lorenzo Marcantonio