
<html>

  <head>

    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">

  </head>

  <body bgcolor="#FFFFFF" text="#000000">

    <br>

    -----BEGIN PGP SIGNED MESSAGE----- <br>

    Hash: SHA256 <br>

     <br>

    In additional, this is very old problem:<br>

    <br>

<a class="moz-txt-link-freetext" href="http://answers.microsoft.com/en-us/windows/forum/windows8_1-update/ssl-problem-with-windows-update-error-0x800b0109d/df2c5206-7304-4e42-ac4b-40d00bfbca87?auth=1">http://answers.microsoft.com/en-us/windows/forum/windows8_1-update/ssl-problem-with-windows-update-error-0x800b0109d/df2c5206-7304-4e42-ac4b-40d00bfbca87?auth=1</a><br>

    <br>

    Damned M$.<br>

    <br>

    27.03.16 2:01, Yuri Voinov пишет:<br>

    <span style="white-space: pre;">><br>

      > Found and solved.<br>

      ><br>

      > root @ cthulhu / # openssl s_client -connect

      fe2.update.microsoft.com:443<br>

      > CONNECTED(00000003)<br>

      > depth=1 C = US, ST = Washington, L = Redmond, O = Microsoft

      Corporation,<br>

      > CN = Microsoft Update Secure Server CA 2.1<br>

      > verify error:num=20:unable to get local issuer certificate<br>

      > verify return:0<br>

      > ---<br>

      > Certificate chain<br>

      >  0<br>

      >

s:/C=US/ST=Washington/L=Redmond/O=Microsoft/OU=DSP/CN=fe2.update.microsoft.com<br>

      >    i:/C=US/ST=Washington/L=Redmond/O=Microsoft

      Corporation/CN=Microsoft<br>

      > Update Secure Server CA 2.1<br>

      >  1 s:/C=US/ST=Washington/L=Redmond/O=Microsoft

      Corporation/CN=Microsoft<br>

      > Update Secure Server CA 2.1<br>

      >    i:/C=US/ST=Washington/L=Redmond/O=Microsoft

      Corporation/CN=Microsoft<br>

      > Root Certificate Authority 2011<br>

      > ---<br>

      > Server certificate<br>

      > -----BEGIN CERTIFICATE-----<br>

      >

      MIIF5TCCA82gAwIBAgITMwAAAFRKWJwXUQHpvwAAAAAAVDANBgkqhkiG9w0BAQsF<br>

      >

      ADCBhDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT<br>

      >

      B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEuMCwGA1UE<br>

      >

      AxMlTWljcm9zb2Z0IFVwZGF0ZSBTZWN1cmUgU2VydmVyIENBIDIuMTAeFw0xNTEy<br>

      >

      MTYxOTM4MDdaFw0xNjA1MTYxOTM4MDdaMHkxCzAJBgNVBAYTAlVTMRMwEQYDVQQI<br>

      >

      EwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMRIwEAYDVQQKEwlNaWNyb3Nv<br>

      >

      ZnQxDDAKBgNVBAsTA0RTUDEhMB8GA1UEAxMYZmUyLnVwZGF0ZS5taWNyb3NvZnQu<br>

      >

      Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt9yv6P/FzJvxW5Wx<br>

      >

      /klFQ1o9BO0qyAr7u5nYeLbGiwnVOSj8qIZ6t4GoqHq6spDGuqFfRF0u/eeZY0bq<br>

      >

      hncHjJHm4YZ9KHOvhObBJ0fHbTyyyXRYxHe1rk+4o4M1SszvAviY2zGKvc6Euik9<br>

      >

      p3erPxocB2nwbEn82JkNxS0UjcmKpUDmFNYMe5O+MJ3ngKCv62SbmJXAH3ZWq7yJ<br>

      >

      xNTgQjrXCKHxVDmC2TrC2f7/35gGH3OksOthD9zCkKTw+y+pJ0n3AO7ahrdj+pB4<br>

      >

      uyQzb0K077xeAIY54eoTuhL2d3vDCDwt4m0YJccl464IGjtF99nt8DlRriGig5Wg<br>

      >

      T8+28QIDAQABo4IBWDCCAVQwDgYDVR0PAQH/BAQDAgTwMBMGA1UdJQQMMAoGCCsG<br>

      >

      AQUFBwMBMB0GA1UdDgQWBBRf9/DNbWTCucVV/ag9JpVQ+JLldjAfBgNVHSMEGDAW<br>

      >

      gBTS8j2EdIYbUIWqXeWlB5rwR9MuaTBoBgNVHR8EYTBfMF2gW6BZhldodHRwOi8v<br>

      >

      d3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNyb3NvZnQlMjBVcGRhdGUl<br>

      >

      MjBTZWN1cmUlMjBTZXJ2ZXIlMjBDQSUyMDIuMS5jcmwwdQYIKwYBBQUHAQEEaTBn<br>

      >

      MGUGCCsGAQUFBzAChllodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2Nl<br>

      >

      cnRzL01pY3Jvc29mdCUyMFVwZGF0ZSUyMFNlY3VyZSUyMFNlcnZlciUyMENBJTIw<br>

      >

      Mi4xLmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQBGJdsEVpCN<br>

      >

      VD7PUYDopBFCAN/t8n4TZ4Y8lQvdT4qtWFKvucqNR2clZnXg3KB0D7V8/lr4kqGi<br>

      >

      8t089SuSnnEnIREQhrf3KMryJZiU/5dt9UejThYYrjoVtFOGXhQit7fG2lQyOp9a<br>

      >

      riHf+OuXAv6UZXW2Ina6vUcxWk7GrupSDdWfROv1ZUUEj5wmbJGOfh/Oc7Nkzbnj<br>

      >

      wLl62h9hix4fwP8XdKp2uWXAkPjgjAH3SK9wDSOm5L6hR9crbUikowoEC5XYX+gh<br>

      >

      8kTED8kaSbVoyGIDR+gTtm7F4S99W8ecI2GSeZkhawFC3lbtpE9P5LfrStSJL809<br>

      >

      yUWUCwo1xTz12Iwo8PXZk8XiId+f/KxxFMNjMDG/FZRUFfNMWU10ijqBlI4Nlovk<br>

      >

      pV9Fhpfny75cScJNZLij5FFiLHZuYzfGhejDBmpXweBpV6VLe9RNoLHmgBVTjYBa<br>

      >

      nzLa6r0M3ICnXCtX8h5JNcOPhvBFb43Z6+6CQP6jM2SqXSQUg3TwArBe0deaoYCI<br>

      >

      fJpJJTKqo88FeURLpgfemPa3sXXUKqKWglYejkCYM6Kk8IPAa8w3JnsGWg5F5MJa<br>

      >

      8zp43RouY5+VBZLAF+B1HZGEwyEXUhzZshl9QAmMs9YrXooFqP9rnyAP8ehNQdmC<br>

      > Tl1/2ofmuAUavN8AQfh1Jn8Nm+hPnADN+w==<br>

      > -----END CERTIFICATE-----<br>

      >

subject=/C=US/ST=Washington/L=Redmond/O=Microsoft/OU=DSP/CN=fe2.update.microsoft.com<br>

      > issuer=/C=US/ST=Washington/L=Redmond/O=Microsoft<br>

      > Corporation/CN=Microsoft Update Secure Server CA 2.1<br>

      > ---<br>

      > No client certificate CA names sent<br>

      > ---<br>

      > SSL handshake has read 3503 bytes and written 649 bytes<br>

      > ---<br>

      > New, TLSv1/SSLv3, Cipher is AES128-SHA256<br>

      > Server public key is 2048 bit<br>

      > Secure Renegotiation IS supported<br>

      > Compression: NONE<br>

      > Expansion: NONE<br>

      > SSL-Session:<br>

      >     Protocol  : TLSv1.2<br>

      >     Cipher    : AES128-SHA256<br>

      >     Session-ID:<br>

      >

      7B4C0000F911C68C6B1C235D7E5DB1C001A481D27EF8B594EB7F60A73904A4A7<br>

      >     Session-ID-ctx:<br>

      >     Master-Key:<br>

      >

7BC9333DDD64858E393E2837FF645DB131A868322766771BDF4EBD3AE49A0AD422852AC787008F0A0CD60BC8EA5A0E75<br>

      >     Key-Arg   : None<br>

      >     PSK identity: None<br>

      >     PSK identity hint: None<br>

      >     SRP username: None<br>

      >     Start Time: 1459021942<br>

      >     Timeout   : 300 (sec)<br>

      >     Verify return code: 20 (unable to get local issuer

      certificate)<br>

      > ---<br>

      > <a class="moz-txt-link-freetext" href="read:errno=131">read:errno=131</a><br>

      ><br>

      > The damned M$ uses intermediate CA which is absent in CA

      bundle by<br>

      > default on fe2.update.microsoft.com.<br>

      ><br>

      > In additional with Akamai CN mismatch.<br>

      ><br>

      > Thanks all!<br>

      ><br>

      > 26.03.16 23:25, Alex Rousskov пишет:<br>

      > > On 03/26/2016 04:53 AM, Yuri Voinov wrote:<br>

      > >> <a class="moz-txt-link-freetext" href="http://i.imgur.com/kxrOEVd.png">http://i.imgur.com/kxrOEVd.png</a><br>

      > >><br>

      > >> How to suppress this? It stops WU right now.<br>

      ><br>

      ><br>

      > > Does the ssl::certDomainMismatch ACL work to bypass the<br>

      > > SQUID_X509_V_ERR_DOMAIN_MISMATCH error?<br>

      ><br>

      > > If not, then just as a triage experiment (and not for

      production use!),<br>

      > > does the following bypass the

      SQUID_X509_V_ERR_DOMAIN_MISMATCH error?<br>

      ><br>

      > >   sslproxy_cert_error allow all<br>

      ><br>

      ><br>

      > > Alex.<br>

      ><br>

      ><br>

      ></span><br>

    <br>

    -----BEGIN PGP SIGNATURE-----

<br>

    Version: GnuPG v2

<br>

     <br>

    iQEcBAEBCAAGBQJW9ut9AAoJENNXIZxhPexGSYYH/1bXvCHmGSxGcNi6/rCQyCkn

<br>

    gZf4Bi+ot5BEIxsCD6TpW/sZhfwbfYqY+6P+4ofrXPCxn71POW/F7B8X59qxxn74

<br>

    KdkxXZ6MYXIFVPYEtU9xKhD1vCU+X/iLe/bFZAs+PNZ4XShw3309EHxPvmoQ8MCW

<br>

    NKT/hKGe/OxY09E0rolBKBU5VnpmcFu3EP7U3nZbrmSOvNvyK1ni+UKZgNNMUg2l

<br>

    XmYuraeoe93QyC+TsbZnNSC2oH/ANc+wR3EDTrjmdoidtl/qV1tH7+lr5BaxrLIu

<br>

    ka9t8/pAkz6UwcqZ2ZTYe4MKm9gjOzDvF1QjoTZtpho/Z/0v5A5Y8rekxNUjQJI=

<br>

    =9FC2

<br>

    -----END PGP SIGNATURE-----

<br>

    <br>

  </body>

</html>