[squid-users] tlsv1 alert errors

Alan Palmer alanpalmer72 at yahoo.com
Mon Feb 23 19:49:28 UTC 2015 

So I got squid to intercept http and https traffic, but I get the 
following error on any https access

2015/02/23 12:50:15 kid1| clientNegotiateSSL: Error negotiating SSL 
connection o
n FD 28: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown 
ca (1/0
)

This of course leads to all kinds of site untrusted/compromised errors 
in client browsers.

 From looking in the archives this usually occurs because of a 
missing/outdated root CA file.
I have the following liness in squid.conf

https_port 127.0.0.1:3127 intercept ssl-bump \
   generate-host-certificates=on \
   dynamic_cert_mem_cache_size=16MB \
   cert=/etc/squid/ssl_cert/MyCA.pem\
   cafile=/etc/ssl/cert.pem # tried without the cafile cirective here as 
well


https_port [::1]:3127 intercept ssl-bump \
   generate-host-certificates=on \
   dynamic_cert_mem_cache_size=16MB \
   cert=/etc/squid/ssl_cert/MyCA.pem\
   cafile=/etc/ssl/cert.pem #tried without the cafile directive here as well

#
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /data/squid/ssl_db 
-M 16MB
sslcrtd_children 10
always_direct allow all
sslproxy_cert_error allow all
ssl_bump server-first all
sslproxy_cafile /etc/ssl/cert.pem
#sslproxy_cert_error allow all
#sslproxy_flags DONT_VERIFY_PEER

The /etc/ssl/cert.pem file distributed with openbsd 5.6 has 44 root ca's 
listed (see below).

Is there anyway to get squid to tell me which CA is unknown? If so I can 
get that CA file and add it in.  Or is there a place to get a good 
rootca.pem file? Or is something else wrong?

Thanks muchly for helping the newbie.

Alan

the openbsd5.6 cert.pem contains the following issuers/certificates:
# grep Issuer /etc/ssl/cert.pem
         Issuer: C=US, O=GTE Corporation, OU=GTE CyberTrust Solutions, 
Inc., CN=G
TE CyberTrust Global Root
         Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
         Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary 
Certification
Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, 
OU=VeriSig
n Trust Network
         Issuer: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
         Issuer: OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
         Issuer: OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign
         Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting 
cc, OU=C
ertification Services Division, CN=Thawte Premium Server 
CA/emailAddress=premium
-server at thawte.com
         Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting 
cc, OU=C
ertification Services Division, CN=Thawte Server 
CA/emailAddress=server-certs at th
awte.com
         Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary 
Certification
Authority
         Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, 
OU=(c) 2006 V
eriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public 
Primary Cert
ification Authority - G5
         Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, 
OU=(c) 1999 V
eriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public 
Primary Cert
ification Authority - G3
         Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, 
OU=(c) 2007 V
eriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public 
Primary Cert
ification Authority - G4
         Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, 
OU=(c) 2008 V
eriSign, Inc. - For authorized use only, CN=VeriSign Universal Root 
Certificatio
n Authority
         Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, 
OU=(c) 1999 V
eriSign, Inc. - For authorized use only, CN=VeriSign Class 4 Public 
Primary Cert
ification Authority - G3
         Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate 
Signing, CN
=StartCom Certification Authority
         Issuer: L=ValiCert Validation Network, O=ValiCert, Inc., 
OU=ValiCert Class 2 Policy Validation Authority, 
CN=http://www.valicert.com//emailAddress=info@valicert.com
         Issuer: C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by 
ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net 
Secure Server Certification Authority
         Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert 
High Assurance EV Root CA
         Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert 
Assured ID Root CA
         Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert 
Global Root CA
         Issuer: C=US, O=Equifax Secure Inc., CN=Equifax Secure Global 
eBusiness CA-1
         Issuer: C=US, O=Equifax Secure Inc., CN=Equifax Secure 
eBusiness CA-1
         Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
         Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA 2
         Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Primary 
Certification Authority
         Issuer: C=US, O=GeoTrust Inc., OU=(c) 2008 GeoTrust Inc. - For 
authorized use only, CN=GeoTrust Primary Certification Authority - G3
         Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA
         Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA 2
         Issuer: C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 
Certification Authority
         Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., 
CN=Go Daddy Root Certificate Authority - G2
         Issuer: C=US, O=Starfield Technologies, Inc., OU=Starfield 
Class 2 Certification Authority
         Issuer: C=US, ST=Arizona, L=Scottsdale, O=Starfield 
Technologies, Inc., CN=Starfield Root Certificate Authority - G2
         Issuer: C=US, ST=Arizona, L=Scottsdale, O=Starfield 
Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2
         Issuer: C=IL, O=StartCom Ltd., CN=StartCom Certification 
Authority G2
         Issuer: C=US, O=thawte, Inc., OU=Certification Services 
Division, OU=(c) 2006 thawte, Inc. - For authorized use only, CN=thawte 
Primary Root CA
         Issuer: C=US, O=thawte, Inc., OU=(c) 2007 thawte, Inc. - For 
authorized use only, CN=thawte Primary Root CA - G2
         Issuer: C=US, O=thawte, Inc., OU=Certification Services 
Division, OU=(c) 2008 thawte, Inc. - For authorized use only, CN=thawte 
Primary Root CA - G3
         Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, 
CN=AddTrust External CA Root
         Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA 
Limited, CN=AAA Certificate Services
         Issuer: C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, 
OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware
         Issuer: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore 
CyberTrust Root
         Issuer: C=DE, O=Deutsche Telekom AG, OU=T-TeleSec Trust Center, 
CN=Deutsche Telekom Root CA 2
         Issuer: C=DE, O=T-Systems Enterprise Services GmbH, 
OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 2
         Issuer: C=DE, O=T-Systems Enterprise Services GmbH, 
OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 3

More information about the squid-users mailing list