[squid-users] Alert unknown CA

Eliezer Croitoru eliezer at ngtech.co.il
Tue Feb 3 20:39:29 UTC 2015


Hey Yuri,

From what I remember, before squid passes data into ssl_crtd it can debug 
the certificates of the requested sites.
If you record/log them you can run a script through them and find the 
culprit pretty fast (relatively).

What debug sections have you tried using to debug it?
Since squid uses openssl libs it probably does not know about the CA and 
therefore there are not many details about it.

I would say that the URL is not important in the case of an intercept proxy.
In the case it's a regular forward proxy with ssl_bump you can run through 
the list of CONNECT requests which were logged before the decryption of the 
tunnel.

What squid.conf rules are you using?

I noticed you assume that squid passes URL to ssl_crtd and it's not how 
it works.

All The Bests,
Eliezer

On 03/02/2015 16:26, Yuri Voinov wrote:
> Hi gents,
>
> I think it will be good to add advanced debug options to ssl_crtd to avoid
> this:
>
> 2015/02/03 20:21:37 kid1| clientNegotiateSSL: Error negotiating SSL
> connection on FD 28: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
> alert unknown ca (1/0)
>
> Now we have no tools to diagnose the situations above. Excluding own
> eyes and brains. And - telepathy.
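Eliezer's suggestion above, going through the logged CONNECT requests to find the site whose bumped certificate the client keeps rejecting, as an added example script that is not from the thread or the Squid project. It matches "unknown ca" alerts in cache.log against CONNECT lines in access.log (both constructed samples in the default native formats) and counts the destinations logged near each alert; it assumes the two logs share a timezone (UTC here) and that a failed handshake's tunnel is logged within a few seconds of the alert.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample lines, not from the thread. cache.log shows the client
# sending a TLS "unknown ca" alert on two connections; access.log holds the
# CONNECT requests squid logged for the tunnels (default native log format).
CACHE_LOG = """\
2015/02/03 20:21:37 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 28: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2015/02/03 20:21:39 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 31: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2015/02/03 20:22:10 kid1| Starting new ssl_crtd helpers...
"""
ACCESS_LOG = """\
1422994865.770   1200 10.0.0.5 TCP_TUNNEL/200 58213 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -
1422994896.512     12 10.0.0.5 TCP_TUNNEL/200 3941 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -
1422994897.020      3 10.0.0.7 TCP_TUNNEL/200 0 CONNECT old-ca.example.net:443 - HIER_DIRECT/203.0.113.9 -
1422994899.301      2 10.0.0.7 TCP_TUNNEL/200 0 CONNECT old-ca.example.net:443 - HIER_DIRECT/203.0.113.9 -
"""

ALERT_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) kid\d+\| clientNegotiateSSL: .*alert unknown ca")
CONNECT_RE = re.compile(r"^(\d+\.\d+)\s+\d+\s+(\S+)\s+\S+\s+\d+\s+CONNECT\s+(\S+)")

def alert_times(cache_log, tz=timezone.utc):
    """Timestamps of 'unknown ca' alerts; cache.log is local time, so tz is the proxy's zone (assumed UTC)."""
    times = []
    for line in cache_log.splitlines():
        m = ALERT_RE.match(line)
        if m:
            times.append(datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S").replace(tzinfo=tz))
    return times

def connect_requests(access_log, tz=timezone.utc):
    """(time, client, host:port) for each CONNECT line in access.log."""
    found = []
    for line in access_log.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            found.append((datetime.fromtimestamp(float(m.group(1)), tz), m.group(2), m.group(3)))
    return found

def suspects(cache_log, access_log, window_s=5):
    """Per CONNECT destination, count tunnels logged within window_s seconds of an
    alert; the busiest destination is the likely site whose bumped cert the client refuses."""
    alerts = alert_times(cache_log)
    counts = Counter()
    for when, _client, dest in connect_requests(access_log):
        if any(abs((when - t).total_seconds()) <= window_s for t in alerts):
            counts[dest] += 1
    return counts
```

Run `suspects(CACHE_LOG, ACCESS_LOG).most_common()` against the real logs to get the ranked destination list.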
