[squid-users] X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY error with transparent proxy configured with peek and splice
Sébastien Damaye
sebastien at damaye.fr
Mon Apr 4 17:11:56 UTC 2016
Hi community,
I have set up Squid as a transparent proxy (iptables is taking care of
redirecting 80/tcp and 443/tcp traffic to Squid) with peek and splice on
a Debian Jessie server to perform SSL inspection. Below is the
interesting part of my squid.conf file:
# explicit (non-intercept) proxy port
http_port 3130
# plain HTTP redirected here by iptables
http_port 3128 intercept
# HTTPS redirected here by iptables; Squid signs generated certs with myCA.pem
https_port 3129 intercept ssl-bump \
    cert=/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB \
    options=NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE \
    dhparams=/etc/squid/ssl_cert/dhparam.pem
# SslBump steps: 1 = client hello, 2 = server hello/certificate, 3 = decide
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
# server names (one per line, leading dot = include subdomains) that must not be bumped
acl nobumpSites ssl::server_name "/etc/squid/domain.nobump"
# step 1: peek at every client hello to learn the SNI
ssl_bump peek step1 all
# step 2: for exempt sites, also peek at the server certificate
ssl_bump peek step2 nobumpSites
# step 3: tunnel exempt sites through untouched
ssl_bump splice step3 nobumpSites
# everything else is decrypted
ssl_bump bump
# cipher list Squid offers to origin servers
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
The SSL inspection works fine for the majority of the websites (I
populate domain.nobump with some domains from time to time) but I had an
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY error that I'm not able to
fix while visiting https://blog.kaspersky.com. I have added
".blog.kaspersky.com" to my domain.nobump file but I still can't visit
the website.
Could you please help? Many thanks in advance for your input.
--
Cordialement/Regards,
Sébastien Damaye
PGP keyID: 0x59B1D7DE
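The error named in the post is OpenSSL's verification error 20, raised when the issuer of a certificate in the server's chain is neither in the local trust store nor among the certificates the server presents. The script below is an added example, not from the post or from Squid, that reproduces the error with a constructed root/intermediate/leaf chain and shows that supplying the missing intermediate resolves it; it assumes the openssl CLI is on PATH, and every name and path in it is constructed.

```shell
#!/bin/sh
# Added example (not from the post): reproduce X509 verify error 20,
# "unable to get local issuer certificate", with a throw-away chain.
# Assumes the openssl CLI is installed; all names below are constructed.
set -e
WORK=$(mktemp -d)

# Build root -> intermediate -> leaf under $WORK. The extension file is
# required so openssl accepts root and intermediate as CA certificates.
gen_chain() (
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Constructed Root CA" 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -days 30 -out root.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Constructed Intermediate CA" 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 30 -out inter.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=blog.example.test" 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 30 -out leaf.pem 2>/dev/null
)

# Verify the leaf against the trusted root, optionally adding the intermediate
# as an *untrusted* helper cert (what a well-behaved server sends in its
# handshake). Prints "ok" on success, otherwise the OpenSSL reason text.
chain_status() {
  out=$(openssl verify -CAfile "$WORK/root.pem" ${1:+-untrusted "$1"} \
        "$WORK/leaf.pem" 2>&1) && { echo ok; return 0; }
  echo "$out" | grep -o 'unable to get local issuer certificate' | head -n 1
}

gen_chain
# Leaf alone: the intermediate is unknown locally, so verification fails.
echo "leaf only:           $(chain_status)"
# Leaf plus intermediate: the chain to the trusted root is complete.
echo "leaf + intermediate: $(chain_status "$WORK/inter.pem")"
```

The same openssl verify check, run against the certificates a site actually presents, distinguishes a server that omits its intermediate from a Squid CA bundle that lacks the issuer.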