[squid-users] The status of AIA ie: TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ?

Eliezer Croitoru ngtech1ltd at gmail.com
Tue Jan 25 17:12:19 UTC 2022


Hey,

I have recently seen more than one site that doesn't provide the full CA
bundle chain.
An example:
https://www.ssllabs.com/ssltest/analyze.html?d=www.cloudschool.org
https://www.ssllabs.com/ssltest/analyze.html?d=certificatechain.io

I wanted to somehow get this issue logged properly.
Currently squid sends the client a customized 503 page and the next line in
cache.log:
2022/01/25 19:01:25 kid1| ERROR: negotiating TLS on FD 26:
error:1416F086:SSL routines:tls_process_server_certificate:certificate
verify failed (1/-1/0)

Were there any improvements in this area in the 5.x or 6.x branches?
Also, the logging is very uninformative regarding the culprit of the
issue.
I would have expected that the remote host IP:port and SNI would be logged
as well in the above mentioned line.

Currently I do not know about a way to identify from the logs these specific
sites.
I was thinking about writing a daemon that will do the trick automatically
for 4.17.
Any ideas about the subject?

Thanks,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd at gmail.com
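As an added illustration of the check the post is asking for (this is example code, not from the original post and not part of Squid): the Go program below builds a constructed root -> intermediate -> leaf hierarchy in memory, verifies the leaf against the certificates a server actually presented, and, when the chain does not link to a trusted root, reports the peer name, the issuer that is missing from the bundle, and the AIA caIssuers URL the leaf carries (that URL is where an AIA-fetching client would go to get the missing intermediate). The host name, CA names and the URL http://pki.example.test/intermediate.cer are placeholders; nothing here opens a network connection or fetches anything.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ChainReport carries what a useful cache.log line would need: the peer the
// proxy was talking to, whether the presented chain linked to a trusted root,
// and, when it did not, which issuer was missing and where AIA says to get it.
type ChainReport struct {
	Host          string
	Complete      bool
	VerifyError   string
	MissingIssuer string   // issuer DN of the certificate the chain stopped at
	AIAURLs       []string // caIssuers URLs from that certificate (may be empty)
}

// LogLine renders the report in the form the post wishes the proxy would log.
func (r ChainReport) LogLine() string {
	if r.Complete {
		return fmt.Sprintf("TLS chain ok host=%s", r.Host)
	}
	return fmt.Sprintf("TLS chain incomplete host=%s missing_issuer=%q aia=%s err=%q",
		r.Host, r.MissingIssuer, strings.Join(r.AIAURLs, ","), r.VerifyError)
}

// CheckChain verifies presented[0] against roots using only the certificates
// the server sent as intermediates. On failure it walks the presented chain by
// signature to find the first link whose issuer is not in the bundle.
func CheckChain(host string, presented []*x509.Certificate, roots *x509.CertPool) ChainReport {
	rep := ChainReport{Host: host}
	if len(presented) == 0 {
		rep.VerifyError = "no certificate presented"
		return rep
	}
	intermediates := x509.NewCertPool()
	for _, c := range presented[1:] {
		intermediates.AddCert(c)
	}
	_, err := presented[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: intermediates})
	if err == nil {
		rep.Complete = true
		return rep
	}
	rep.VerifyError = err.Error()
	cur := presented[0]
	for hop := 0; hop < len(presented); hop++ { // bounded walk: leaf -> its issuer -> ...
		var next *x509.Certificate
		for _, c := range presented {
			if c != cur && cur.CheckSignatureFrom(c) == nil {
				next = c
				break
			}
		}
		if next == nil {
			break // cur's issuer is not in the presented bundle
		}
		cur = next
	}
	rep.MissingIssuer = cur.Issuer.String()
	rep.AIAURLs = cur.IssuingCertificateURL
	return rep
}

var serial int64 = 1000

// issue creates a certificate for cn signed by parent (self-signed when parent is nil).
func issue(cn string, isCA bool, aia []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		IssuingCertificateURL: aia, // becomes the AIA caIssuers extension
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// DemoPKI builds the constructed hierarchy: trusted root, intermediate, leaf.
// The AIA URL on the leaf is a placeholder and is never fetched.
func DemoPKI() (*x509.CertPool, *x509.Certificate, *x509.Certificate) {
	root, rootKey := issue("Constructed Root CA", true, nil, nil, nil)
	inter, interKey := issue("Constructed Intermediate CA", true, nil, root, rootKey)
	leaf, _ := issue("www.example.test", false, []string{"http://pki.example.test/intermediate.cer"}, inter, interKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return roots, leaf, inter
}

func main() {
	roots, leaf, inter := DemoPKI()
	// A server that sends leaf+intermediate verifies; one that sends only the leaf does not.
	fmt.Println(CheckChain("www.example.test", []*x509.Certificate{leaf, inter}, roots).LogLine())
	fmt.Println(CheckChain("www.example.test", []*x509.Certificate{leaf}, roots).LogLine())
}
```

The second log line is the point: it names the host, the issuer the server forgot to send, and the AIA URL, which is enough to find the offending sites in a log without the FD-only message the 4.17 cache.log produces. A daemon that wanted to go further would fetch that caIssuers URL and re-run the check with the downloaded intermediate appended to the presented list.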