[squid-users] SSL3_READ_BYTES:sslv3 alert certificate unknown

Alex Rousskov rousskov at measurement-factory.com
Wed Oct 28 21:29:25 UTC 2015


On 10/28/2015 08:09 AM, Yuri Voinov wrote:

> At a minimum, it should write the information on them in the log - in
> an understandable form

I suspect everybody agrees with that statement. I am sure this will be
implemented eventually. No need to argue about that.

Alex.



> 28.10.15 19:55, Amos Jeffries пишет:
>> On 28/10/2015 11:57 p.m., Yuri Voinov wrote:
>>>
>>>
>>> 28.10.15 16:47, Amos Jeffries пишет:
>>>> On 28/10/2015 11:35 p.m., Yuri Voinov wrote:
>>>>> Hi gents.
>>>>>
>>>>> I think, all of you who use Bump, seen much this messages in your
>>>>> cache.log.
>>>>>
>>>>> SSL3_READ_BYTES:sslv3 alert certificate unknown
>>>>>
>>>>> AFAIK, no way to identify which CA is absent in your setup.
>>>>>
>>>>> I propose to consider the following questions: how do properly support
>>>>> SSL proxy, if you can not identify the problem certificates? Telepaths
>>>>> sunbathing in Bali. The procedure, which currently can not quickly and
>>>>> in any way to effectively determine such a certificate.
>>>>>
>>>>> At the moment, the situation is as follows. SSL library - a thing in
>>>>> itself, it runs by itself and does not write any logs. Squid - itself
>>>>> and any useful information on the library does not receive but obscure
>>>>> diagnostic messages. The possibility in any way specify the SSL library
>>>>> diagnostic messages we have, and, as I understand it, will not.
>>>>>
>>>>> So, any ideas?
>>>> Make sure Squid is sending the whole CA chain to the remote end?
>>> I think so, "From the remote end". If we have web-server with CA, which
>>> is not exists on our proxy, we must install it (which means "trust
>>> them", yea?) in our proxy manually.
>>>
>>> I have idiotic idea - Squid fetch remote CA and offer us to trust and
>>> install interactively. :) This is, of course, clinically idiotism. :)
>>>
> 
>> That is what the Browsers do. It has been suggested to write a cert
>> validator that does it too.
> 
> 
>>> But - to support real Squid installation with thoursands users, I really
>>> want to know, which CA's not exists from my side.
>>>
>>> Intermediate CA's is no matter - if we have root CA already, fetch
>>> intermediate chain is not big problem.
>>>
>>> In this case, however, we faced unknown root CA exactly.
>>>
>>> Yes?
> 
>> I doubt. Chains do not have length limits and IIRC you can't know that
>> it is a root CA until you actually have it and see that it is
>> self-signed. At which point it is not "certificate unknown" anymore.
> 
>> What is missing is just some CA in the chain. It needs to be located
>> somehow, only then can the decision happen about whether to trust or not
>> and see if another up the chain is needed too.
> 
> 
>>>
>>> And so what?
> 
>> So by walking the chain and filling in as needed the cert validator
>> helper can probably fill the whole sequence in and reach a root CA that
>> is already trusted and tells you the found ones can be too. That is what
>> the Browsers do.
> 
> 
>> Amos
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
> 
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
> 



More information about the squid-users mailing list