[squid-users] Alert unknown CA

Yuri Voinov yvoinov at gmail.com
Tue Feb 3 20:48:24 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 

On 04.02.2015 2:39, Eliezer Croitoru wrote:
> Hey Yuri,
>
> From what I remember, before squid passes data into ssl_crtd it can debug
> the certificates of the requested sites.
> If you record/log them you can run a script through them and find
> the culprit pretty fast (relatively).
>
> What debug sections have you tried using to debug it?
> Since squid uses the openssl libs it probably does not know about the CA
> and therefore there are not many details about it.
OpenSSL knows about CAs, with the capath= option in https_port. It uses it
to verify the connection from cache to server.
>
> I would say that the URL is not important in the case of an intercept
> proxy.
It is important to localize the CA's problem. When I can see the problem URL I
can look at this and find which CA was used.
> In the case it's a regular forward proxy with ssl_bump, you can run through the list of CONNECT
> requests which are logged before the decryption of the tunnel.
I use an interception proxy. BTW, with over 100 requests per second, and
correlation analysis of two logs, access.log and cache.log? Bad idea, I
think.
>
> What squid.conf rules are you using?
>
> I noticed you assume that squid passes the URL to ssl_crtd, and that's not
> how it works.
This doesn't matter. I only want to find an easy way to catch problem SSL
connections through Squid.

>
> All The Bests,
> Eliezer
>
> On 03/02/2015 16:26, Yuri Voinov wrote:
>> Hi gents,
>>
>> I think it will be good to add advanced debug options to ssl_crtd to avoid
>> this:
>>
>> 2015/02/03 20:21:37 kid1| clientNegotiateSSL: Error negotiating SSL
>> connection on FD 28: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
>> alert unknown ca (1/0)
>>
>> Now we have no tools to diagnose the situations above. Excluding our own
>> eyes and brains. And - telepathy.
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
 
iQEcBAEBAgAGBQJU0TQXAAoJENNXIZxhPexGmPEH/iHVCwE821tkAxdwtHlKaCS3
wobvZVx9HAx7Q2C3S7VNR1wgtysG0psQd6P9UX6qniJpZAugZ5R27oLh0xDLtJgt
KZ7Uz0lpIkwTP5pJNmNAqA7vvPdJX6mkEEBK9ENBDGpjHo4wVvaRNfn+XXx/dfhn
k2m/ial6q0ZZ6WtLltjj0Fq73MdatQJefSWLPatTj7eMHDeACSxL/A0Me8EoyE/v
uYcTpIf2C/jy8A3x9DLGZMM+RXvtIWBJTR1ct3PrZMMLuaw0o0XAzbYPNY05RK7b
vyCuY2Ua+NrcTw0LX05vhdCwJnlvK6rh/Vi6M3yEivAkp0itjv2ZbpM3pNFD+NU=
=ajrM
-----END PGP SIGNATURE-----
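The thread describes two approaches to finding the site behind a "tlsv1 alert unknown ca" error: logging what reaches ssl_crtd, or walking the CONNECT requests that access.log records before the tunnel is decrypted. The script below is an added example, not code from this thread or from the Squid project. It does the second on a time window: it parses the cache.log line shape quoted above, converts its local-time stamp to an epoch (the CACHE_TZ assumption), joins it against the CONNECT lines of a default-format ("squid" native) access.log that fall within a few seconds, and counts which destination hosts recur across alerts. Time is the only usable join key, because the FD number in cache.log is not written to access.log; the alert itself is one the client sends after reading the certificate Squid presented, so the client address and destination host are the facts worth extracting. The log excerpts are constructed samples.

```python
"""Correlate Squid cache.log 'tlsv1 alert unknown ca' errors with access.log.

Added example, not part of the squid-users thread or the Squid project.
Assumes the default 'squid' native access.log format and the cache.log line
shape quoted in the thread; the log lines below are constructed samples.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Assumption: cache.log carries local time, access.log carries epoch UTC.
# Set this to the proxy host's zone; the samples assume the box runs in UTC.
CACHE_TZ = timezone.utc

# Constructed cache.log excerpt (same line shape as the one in the thread).
CACHE_LOG = """\
2015/02/03 20:21:36 kid1| Starting Squid Cache version 3.4.10 for x86_64-pc-linux-gnu...
2015/02/03 20:21:37 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 28: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2015/02/03 20:21:41 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 31: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
"""

# Constructed access.log excerpt in native format:
# time elapsed client code/status bytes method URL user hier/peer type
ACCESS_LOG = """\
1422994895.412    120 10.0.0.15 TCP_MISS/200 5120 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -
1422994896.700      0 10.0.0.40 TAG_NONE/000 0 CONNECT intranet.example.org:443 - HIER_NONE/- -
1422994897.101      0 10.0.0.22 TAG_NONE/000 0 CONNECT mail.example.net:443 - HIER_NONE/- -
1422994897.350     60 10.0.0.22 TCP_MISS/200 0 CONNECT mail.example.net:443 - HIER_DIRECT/203.0.113.5 -
1422994900.800      0 10.0.0.40 TAG_NONE/000 0 CONNECT intranet.example.org:443 - HIER_NONE/- -
1422994920.000     30 10.0.0.15 TCP_MISS/200 2048 GET https://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
1422994940.500      0 10.0.0.40 TAG_NONE/000 0 CONNECT intranet.example.org:443 - HIER_NONE/- -
"""

CACHE_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) kid\d+\| clientNegotiateSSL: "
    r".*?on FD (\d+): (.*alert unknown ca.*)$")
# groups: timestamp, client, code/status, method, URL
ACCESS_RE = re.compile(r"^(\d+\.\d+)\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+(\S+)\s+(\S+)")


def parse_alerts(text, tz=CACHE_TZ):
    """Return [{'ts': epoch float, 'fd': int, 'err': str}] for unknown-CA alerts."""
    out = []
    for line in text.splitlines():
        m = CACHE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S").replace(tzinfo=tz)
        out.append({"ts": when.timestamp(), "fd": int(m.group(2)), "err": m.group(3)})
    return out


def parse_connects(text):
    """Return CONNECT entries as [{'ts', 'client', 'code', 'host'}].

    Forward mode logs the browser's own CONNECT; intercept mode logs the fake
    CONNECT Squid generates per bumped connection, so one parser serves both.
    """
    out = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m.group(4) != "CONNECT":
            continue
        host = m.group(5).rsplit(":", 1)[0]  # strip the :port suffix
        out.append({"ts": float(m.group(1)), "client": m.group(2),
                    "code": m.group(3), "host": host})
    return out


def correlate(alerts, connects, window=2.0):
    """Map each alert timestamp to CONNECT entries within +/- window seconds,
    nearest first. Keep the window tight on a busy proxy: at 100 req/s even
    two seconds yields a few hundred candidates, which rank_hosts then thins."""
    result = {}
    for a in alerts:
        near = [dict(c, delta=abs(c["ts"] - a["ts"])) for c in connects
                if abs(c["ts"] - a["ts"]) <= window]
        result[a["ts"]] = sorted(near, key=lambda c: c["delta"])
    return result


def rank_hosts(correlation):
    """Count, per host, how many distinct alerts it was a candidate for.
    A host that recurs across alerts is the likely culprit."""
    counts = Counter()
    for cands in correlation.values():
        counts.update({c["host"] for c in cands})
    return counts


if __name__ == "__main__":
    corr = correlate(parse_alerts(CACHE_LOG), parse_connects(ACCESS_LOG))
    for ts, cands in corr.items():
        stamp = datetime.fromtimestamp(ts, timezone.utc).isoformat()
        print(stamp, [(c["host"], c["client"], round(c["delta"], 3)) for c in cands])
    print(rank_hosts(corr).most_common())
```

Run it against real files by replacing the two constants with the contents of cache.log and access.log and setting CACHE_TZ to the proxy's zone; the ranking is a heuristic that narrows the search, not proof, and a host that appears under every alert is the one to test first.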
