[squid-users] Alert unknown CA
Eliezer Croitoru
eliezer at ngtech.co.il
Tue Feb 3 20:39:29 UTC 2015
Hey Yuri,
From what I remember before squid passes data into ssl_crtd can debug
the certificates of the requested sites.
If you record/log them, you can run a script through them and find the
culprit pretty fast (relatively).
What debug sections have you tried using to debug it?
Since squid uses the openssl libs, it probably does not know about the CA, and
therefore there are not many details about it.
I would say that the URL is not important in the case of an intercept proxy.
In case it's a regular forward proxy with ssl_bump, you can run through
the list of CONNECT requests which are logged before the decryption of the
tunnel.
What squid.conf rules are you using?
I noticed you assume that squid passes the URL to ssl_crtd, and that's not how
it works.
All The Bests,
Eliezer
On 03/02/2015 16:26, Yuri Voinov wrote:
> Hi gents,
>
> I think it will be good to add advanced debug options to ssl_crtd to avoid
> this:
>
> 2015/02/03 20:21:37 kid1| clientNegotiateSSL: Error negotiating SSL
> connection on FD 28: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
> alert unknown ca (1/0)
>
> Now we have no tools to diagnose the situations above. Excluding our own
> eyes and brains. And - telepathy.
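
The forward-proxy suggestion in the reply above (go through the logged CONNECT requests to find the culprit) can be scripted. The following is an added example, not code from either poster or from the Squid project. It assumes cache.log timestamps are UTC, access.log uses Squid's native format, and a CONNECT is logged within a few seconds of the failed handshake; the access.log entries and the second cache.log entry are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# cache.log handshake failure, in the form quoted in the thread.
ERR_RE = re.compile(
    r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) kid\d+\| clientNegotiateSSL: Error negotiating "
    r"SSL connection on FD (\d+): error:[0-9A-Fa-f]+:[^:]*:[^:]*:(.+?) \(\d+/\d+\)$")

def parse_errors(cache_lines):
    """Yield (epoch, fd, alert) per failure. Assumption: cache.log timestamps are UTC."""
    for line in cache_lines:
        m = ERR_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            yield ts.replace(tzinfo=timezone.utc).timestamp(), int(m.group(2)), m.group(3)

def parse_connects(access_lines):
    """Yield (epoch, client, destination) for CONNECT entries (native access.log format)."""
    for line in access_lines:
        f = line.split()
        if len(f) >= 7 and f[5] == "CONNECT":
            yield float(f[0]), f[2], f[6]

def rank_suspects(cache_lines, access_lines, window=3.0, alert="unknown ca"):
    """Count (client, destination) pairs whose CONNECT was logged near a matching failure."""
    connects = list(parse_connects(access_lines))
    hits = Counter()
    for when, _fd, text in parse_errors(cache_lines):
        if alert in text:
            for ts, client, dest in connects:
                if abs(ts - when) <= window:  # heuristic time correlation
                    hits[(client, dest)] += 1
    return hits.most_common()

# Constructed sample data; only the cache.log line format comes from the thread.
CACHE_LOG = [
    "2015/02/03 20:21:37 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 28: "
    "error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)",
    "2015/02/03 20:25:02 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 31: "
    "error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)",
]
ACCESS_LOG = [
    "1422994896.412    310 192.0.2.10 TCP_MISS/200 0 CONNECT updates.example.net:443 - HIER_DIRECT/198.51.100.7 -",
    "1422994950.100   1200 192.0.2.11 TCP_MISS/200 4512 CONNECT www.example.org:443 - HIER_DIRECT/198.51.100.9 -",
    "1422995101.870    290 192.0.2.10 TCP_MISS/200 0 CONNECT updates.example.net:443 - HIER_DIRECT/198.51.100.7 -",
    "1422995103.500    150 192.0.2.12 TCP_MISS/200 900 GET http://www.example.com/ - HIER_DIRECT/198.51.100.8 text/html",
]
if __name__ == "__main__":
    print(rank_suspects(CACHE_LOG, ACCESS_LOG))
```

A client and destination pair that recurs across failures is the first place to check whether that client trusts the proxy's signing CA. On an intercepting proxy there are no client CONNECT lines to correlate, as the reply notes.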