[squid-users] tlsv1 alert errors
Alan Palmer
alanpalmer72 at yahoo.com
Mon Feb 23 19:49:28 UTC 2015
So I got squid to intercept http and https traffic, but I get the
following error on any https access
2015/02/23 12:50:15 kid1| clientNegotiateSSL: Error negotiating SSL
connection o
n FD 28: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown
ca (1/0
)
This of course leads to all kinds of site untrusted/compromised errors
in client browsers.
From looking in the archives this usually occurs because of a
missing/outdated root CA file.
I have the following liness in squid.conf
https_port 127.0.0.1:3127 intercept ssl-bump \
generate-host-certificates=on \
dynamic_cert_mem_cache_size=16MB \
cert=/etc/squid/ssl_cert/MyCA.pem\
cafile=/etc/ssl/cert.pem # tried without the cafile cirective here as
well
https_port [::1]:3127 intercept ssl-bump \
generate-host-certificates=on \
dynamic_cert_mem_cache_size=16MB \
cert=/etc/squid/ssl_cert/MyCA.pem\
cafile=/etc/ssl/cert.pem #tried without the cafile directive here as well
#
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /data/squid/ssl_db
-M 16MB
sslcrtd_children 10
always_direct allow all
sslproxy_cert_error allow all
ssl_bump server-first all
sslproxy_cafile /etc/ssl/cert.pem
#sslproxy_cert_error allow all
#sslproxy_flags DONT_VERIFY_PEER
The /etc/ssl/cert.pem file distributed with openbsd 5.6 has 44 root ca's
listed (see below).
Is there anyway to get squid to tell me which CA is unknown? If so I can
get that CA file and add it in. Or is there a place to get a good
rootca.pem file? Or is something else wrong?
Thanks muchly for helping the newbie.
Alan
the openbsd5.6 cert.pem contains the following issuers/certificates:
# grep Issuer /etc/ssl/cert.pem
Issuer: C=US, O=GTE Corporation, OU=GTE CyberTrust Solutions,
Inc., CN=G
TE CyberTrust Global Root
Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary
Certification
Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only,
OU=VeriSig
n Trust Network
Issuer: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
Issuer: OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
Issuer: OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign
Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting
cc, OU=C
ertification Services Division, CN=Thawte Premium Server
CA/emailAddress=premium
-server at thawte.com
Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting
cc, OU=C
ertification Services Division, CN=Thawte Server
CA/emailAddress=server-certs at th
awte.com
Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary
Certification
Authority
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network,
OU=(c) 2006 V
eriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public
Primary Cert
ification Authority - G5
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network,
OU=(c) 1999 V
eriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public
Primary Cert
ification Authority - G3
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network,
OU=(c) 2007 V
eriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public
Primary Cert
ification Authority - G4
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network,
OU=(c) 2008 V
eriSign, Inc. - For authorized use only, CN=VeriSign Universal Root
Certificatio
n Authority
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network,
OU=(c) 1999 V
eriSign, Inc. - For authorized use only, CN=VeriSign Class 4 Public
Primary Cert
ification Authority - G3
Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate
Signing, CN
=StartCom Certification Authority
Issuer: L=ValiCert Validation Network, O=ValiCert, Inc.,
OU=ValiCert Class 2 Policy Validation Authority,
CN=http://www.valicert.com//emailAddress=info@valicert.com
Issuer: C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by
ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net
Secure Server Certification Authority
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert
High Assurance EV Root CA
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert
Assured ID Root CA
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert
Global Root CA
Issuer: C=US, O=Equifax Secure Inc., CN=Equifax Secure Global
eBusiness CA-1
Issuer: C=US, O=Equifax Secure Inc., CN=Equifax Secure
eBusiness CA-1
Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA 2
Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Primary
Certification Authority
Issuer: C=US, O=GeoTrust Inc., OU=(c) 2008 GeoTrust Inc. - For
authorized use only, CN=GeoTrust Primary Certification Authority - G3
Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA
Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA 2
Issuer: C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2
Certification Authority
Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc.,
CN=Go Daddy Root Certificate Authority - G2
Issuer: C=US, O=Starfield Technologies, Inc., OU=Starfield
Class 2 Certification Authority
Issuer: C=US, ST=Arizona, L=Scottsdale, O=Starfield
Technologies, Inc., CN=Starfield Root Certificate Authority - G2
Issuer: C=US, ST=Arizona, L=Scottsdale, O=Starfield
Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2
Issuer: C=IL, O=StartCom Ltd., CN=StartCom Certification
Authority G2
Issuer: C=US, O=thawte, Inc., OU=Certification Services
Division, OU=(c) 2006 thawte, Inc. - For authorized use only, CN=thawte
Primary Root CA
Issuer: C=US, O=thawte, Inc., OU=(c) 2007 thawte, Inc. - For
authorized use only, CN=thawte Primary Root CA - G2
Issuer: C=US, O=thawte, Inc., OU=Certification Services
Division, OU=(c) 2008 thawte, Inc. - For authorized use only, CN=thawte
Primary Root CA - G3
Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network,
CN=AddTrust External CA Root
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA
Limited, CN=AAA Certificate Services
Issuer: C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network,
OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware
Issuer: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore
CyberTrust Root
Issuer: C=DE, O=Deutsche Telekom AG, OU=T-TeleSec Trust Center,
CN=Deutsche Telekom Root CA 2
Issuer: C=DE, O=T-Systems Enterprise Services GmbH,
OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 2
Issuer: C=DE, O=T-Systems Enterprise Services GmbH,
OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 3
More information about the squid-users
mailing list