<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p><tt>Yes, I have seen this with Squid _with_ ssl_bump.  In trying
        to resolve the issue I also upgraded to Squid 4.11, removed the
        certificate cache and still had messages that the certificate
        expired on May 30 2020.  Double-checked all certificates but none
        has this expiry date.  <br>
      </tt></p>
    <p><tt>We have a wildcard certificate from Sectigo that we use for
        *.urlfilterdb.com.  The really strange thing is that the issue
        does not appear for all subdomains:</tt></p>
    <p><tt>'www' subdomain is OK</tt></p>
    <p><tt>'files' subdomain has expired certificate<br>
      </tt></p>
    <p><tt><a class="moz-txt-link-abbreviated" href="http://www.sectigo.com">www.sectigo.com</a> also has an expiration issue when used with
        the Squid proxy and sslbump (peek+bump mode).</tt></p>
    <p><tt>My *guess* is that the certificate checking code used by
        ssl_bump does not check all certificate signing paths.<br>
      </tt></p>
    <p><tt>Marcus<br>
      </tt></p>
    <div class="moz-cite-prefix">On 2020-05-31 00:58, Garbacik, Joe
      wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:6DE934BB-C44D-4D85-8DE8-2C045302433E@netapp.com">
      Has anyone else noticed any issues with the expiration of the
      Sectigo certificates today that appear to be related to this
      issue:
      <div class=""><a
href="https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117LT"
          class="" moz-do-not-send="true">https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117LT</a></div>
      <div class=""><a
href="https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000rgSZ"
          class="" moz-do-not-send="true">https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000rgSZ</a></div>
      <div class=""><br class="">
      </div>
      <div class="">I started seeing this in my logs today for a site that
        has always worked. </div>
      <div class=""><br class="">
      </div>
      <div class="">...
        cert_errors="X509_V_ERR_CERT_HAS_EXPIRED@depth=3" ... </div>
      <div class=""><br class="">
      </div>
      <div class="">I also noticed that with a browser, bypassing the
        proxy,  the certificate is fine. </div>
      <div class="">I also noticed that testing with openssl, it
        indicates expired as well.</div>
      <div class=""><br class="">
      </div>
      <div class="">
        <div style="margin: 0px; font-stretch: normal; font-size: 11px;
          line-height: normal; font-family: Menlo; color: rgb(39, 255,
          35); background-color: rgb(0, 0, 0);" class="">
          <span style="font-variant-ligatures: no-common-ligatures"
            class="">    Verify return code: 10 (certificate has
            expired)</span></div>
      </div>
<span style">
    </blockquote>
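    <p>Added example, not part of either message and not Squid or OpenSSL code: a toy model of how the order in which a verifier looks for issuers decides whether the same served chain ends at an expired root (reported at depth 3, as in the log line quoted above) or at a valid one. All certificate names, the cross-signed layout and the dates other than the May 30 2020 expiry are constructed assumptions; it does not establish what ssl_bump actually does.</p>

```python
from datetime import date

# Constructed toy certificates; every name here is hypothetical.
def cert(subject, issuer, not_after):
    return {"subject": subject, "issuer": issuer, "not_after": not_after}

LEAF = cert("files.example.test", "Issuing CA", date(2021, 1, 1))
ISSUING = cert("Issuing CA", "Modern Root", date(2030, 1, 1))
CROSS = cert("Modern Root", "Legacy Root", date(2021, 1, 1))      # cross-signed copy
MODERN_ROOT = cert("Modern Root", "Modern Root", date(2038, 1, 1))
LEGACY_ROOT = cert("Legacy Root", "Legacy Root", date(2020, 5, 30))

SERVED = [LEAF, ISSUING, CROSS]             # chain sent by the server
TRUST_STORE = [MODERN_ROOT, LEGACY_ROOT]    # local trust anchors
SERVED_FIRST = [SERVED, TRUST_STORE]        # issuer lookup order A
STORE_FIRST = [TRUST_STORE, SERVED]         # issuer lookup order B
TODAY = date(2020, 5, 31)

def find_issuer(c, pools):
    """First certificate, in pool order, whose subject equals c's issuer."""
    for pool in pools:
        for cand in pool:
            if cand["subject"] == c["issuer"] and cand is not c:
                return cand
    return None

def build_path(leaf, pools):
    """Follow issuer links until a trust-store certificate is reached."""
    path = [leaf]
    while path[-1] not in TRUST_STORE:
        nxt = find_issuer(path[-1], pools)
        if nxt is None or nxt in path:
            return None                     # no anchor reachable, or a loop
        path.append(nxt)
    return path

def verify(path, today):
    """Return 'ok' or an error tag carrying the depth of the expired cert."""
    if path is None:
        return "no path to a trust anchor"
    for depth, c in enumerate(path):
        if today > c["not_after"]:
            return f"X509_V_ERR_CERT_HAS_EXPIRED@depth={depth}"
    return "ok"

def verify_any(leaf, today):
    """Accept if any candidate path validates, else report the first failure."""
    results = [verify(build_path(leaf, o), today) for o in (SERVED_FIRST, STORE_FIRST)]
    return "ok" if "ok" in results else results[0]
```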
  </body>
</html>