<div dir="ltr">Hi Amos,<br><br>Thank you for your reply and I apologize for the missing information.<br>The following is the detailed one.<br><br>> * Squid version<br>* squid version 3.5.26 (probably, ver4.X also might have same issue)<br>* OpenSSL 1.0.2k<br><br>> * details of the chain being delivered to Squid<br>> * details of the expected cross-signing chain(s).<br><br>There are so many websites which are facing this issue.<br>For instance, "<a href="http://sbv.gov.vn:443">sbv.gov.vn:443</a>".<br><br># openssl s_client -connect <a href="http://sbv.gov.vn:443">sbv.gov.vn:443</a> -servername <a href="http://sbv.gov.vn">sbv.gov.vn</a> -showcerts -verify 5 -state<br>verify depth is 5<br>CONNECTED(00000003)<br>SSL_connect:before/connect initialization<br>SSL_connect:SSLv2/v3 write client hello A<br>SSL_connect:SSLv3 read server hello A<br>depth=3 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA<br>verify return:1<br>depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign<br>verify error:num=10:certificate has expired<br>notAfter=Mar 18 10:00:00 2019 GMT<br>verify return:1<br>depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign<br>notAfter=Mar 18 10:00:00 2019 GMT<br>verify return:1<br>depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3<br>notAfter=Sep 21 00:00:00 2026 GMT<br>verify return:1<br>depth=0 businessCategory = Government Entity, serialNumber = Government Entity, jurisdictionC = VN, C = VN, ST = Ha Noi, L = Ha Noi, street = "47-49 Ly Thai To, Hoan Kiem District", OU = Department of Information Technology, O = The State Bank of Viet Nam, CN = <a href="http://www.sbv.gov.vn">www.sbv.gov.vn</a><br>notAfter=Nov 8 03:31:58 2020 GMT<br>verify return:1<br>... snip ...<br> Verify return code: 10 (certificate has expired)<br> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^<br><br>The above verification was NG(certificate has expired))<br>On the other hand, the verification was OK if the "-trusted_first" option was given.<br><br># openssl s_client -trusted_first -connect <a href="http://sbv.gov.vn:443">sbv.gov.vn:443</a> -servername <a href="http://sbv.gov.vn">sbv.gov.vn</a> -showcerts -verify 5 -state<br>verify depth is 5<br>CONNECTED(00000003)<br>SSL_connect:before/connect initialization<br>SSL_connect:SSLv2/v3 write client hello A<br>SSL_connect:SSLv3 read server hello A<br>depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign<br>verify return:1<br>depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3<br>verify return:1<br>depth=0 businessCategory = Government Entity, serialNumber = Government Entity, jurisdictionC = VN, C = VN, ST = Ha Noi, L = Ha Noi, street = "47-49 Ly Thai To, Hoan Kiem District", OU = Department of Information Technology, O = The State Bank of Viet Nam, CN = <a href="http://www.sbv.gov.vn">www.sbv.gov.vn</a><br>verify return:1<br>... snip ...<br> Verify return code: 0 (ok)<br> ^^^^^^^^^^^^^^^^^^^^^^^^^^<br><br>In the "Cross-Signed Certificate" case, openssl failed to verify by default even if another signed root is available.<br>Squid's behavior seems to be also the same. That's why I needed the "trusted_first" feature.<br>For your information, a major web browser(like chrome/firefox) could access the site directly because of trusted first mode.<br><br>In my opinion, appending the following codes(in ssl/support.cc) will be effective.<br><br> X509_VERIFY_PARAM_set_flags(ctx->param, X509_V_FLAG_TRUSTED_FIRST);<br> (The type of ctx is "X509_STORE_CTX *").<br><br>Could you please add the trusted_first option on squid ?<br><br>By the way, I think that the following topic is also the same issue.<br> [squid-users] (92) Protocol error (TLS code: X509_V_ERR_CERT_HAS_EXPIRED)<br><br>Regards,<br>--<br>Mikio Kishi<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Jun 27, 2020 at 9:29 PM Amos Jeffries <<a href="mailto:squid3@treenet.co.nz">squid3@treenet.co.nz</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 27/06/20 7:07 pm, mikio.kishi wrote:<br>
> Hi all,<br>
> <br>
> I am currently using sslbump feature. Sometimes, squid failed to verify<br>
> a https web site with<br>
> cross root cert. On the other hand, the site is accessible directly from<br>
> major web browsers,<br>
> such as chrome and firefox. I am guessing that the cert verification<br>
> handling of the current<br>
> sslbump seems to be NOT trusted_first mode. Are there any solutions to<br>
> change to trusted_first<br>
> verification mode for squid ?<br>
> <br>
<br>
Solutions based purely on guesswork are unlikely to work.<br>
<br>
<br>
Missing information:<br>
<br>
* Squid version<br>
<br>
* details of the chain being delivered to Squid<br>
<br>
* details of the expected cross-signing chain(s).<br>
<br>
* by "trusted_first mode" do you mean TOFU or something else?<br>
<br>
<br>
Squid supports a helper, which can to do any type of validation -<br>
including none. BUT ... you first need to eliminate the guesses to see<br>
if it is a validation or something completely unexpected.<br>
<br>
<br>
Amos<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div>