[squid-users] Squid SSL Bump

Amos Jeffries squid3 at treenet.co.nz
Sat Apr 23 03:51:07 UTC 2016


On 23/04/2016 7:02 a.m., Zee wrote:
> I am doing SSL bump; it seems like Squid utilizes the openssl library. I went ahead and updated the openssl library to reflect new CA certificates, but it still fails to work and I see the following error.
> "The system returned:
> (71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)"
> Upgraded the library with the following: yum install ca-certificates
> 
> --> Running transaction check
> ---> Package ca-certificates.noarch 0:2014.1.98-65.1.el6 will be updated
> ---> Package ca-certificates.noarch 0:2015.2.6-65.0.1.el6_7 will be an update
> 

The date in that package name (Feb 2015) seems to still be very old. IME
the global CA certs list changes every month or two. Particularly in the
past year when all CAs have been rolling over to 2048 or 4096 bit crypto.

> But it still fails to work.
> 

Squid version?
 The latest 4.0.9 (beta) and 3.5.17 releases contain several bug fixes
to intermediate cert handling that might show up like this.


What CA certificate can't be found?
 If needed you can always work around it by loading the CA cert into
Squid explicitly.

Amos
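
The failure discussed in this thread can be reproduced offline with the openssl CLI. The following is an added example, not part of the original post: it builds a constructed root, intermediate and leaf, shows verification failing with error 20 (the numeric value of X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) when the intermediate is missing, prints the issuer that could not be found, and shows verification passing once that CA is loaded explicitly. All names, paths and the helper functions are assumptions made for the example.

```shell
#!/bin/sh
# Constructed chain: root -> intermediate -> leaf. All names are made up.
build_chain() {
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed root CA.
    openssl req -x509 -config "$d/ca.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -subj "/CN=Constructed Root CA" -days 30 \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
    # Intermediate CA signed by the root.
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Constructed Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.cnf" -extensions v3_ca -days 30 \
        -out "$d/int.pem" 2>/dev/null || return 1
    # Server (leaf) certificate signed by the intermediate.
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=origin.example" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 30 -out "$d/leaf.pem" 2>/dev/null || return 1
}

# Verify a certificate ($2) against a trust file ($1) and print openssl's verdict.
# Callers parse the text: old OpenSSL releases exit 0 even when verification fails.
verify_leaf() { openssl verify -CAfile "$1" "$2" 2>&1; }

# Print the issuer of a certificate, i.e. the CA a failing lookup is searching for.
cert_issuer() { openssl x509 -noout -issuer -in "$1"; }

work=$(mktemp -d)
build_chain "$work"
# Trust store holds only the root: the leaf's issuer cannot be located (error 20).
echo "root only:   $(verify_leaf "$work/root.pem" "$work/leaf.pem" | tr '\n' ' ')"
echo "missing CA:  $(cert_issuer "$work/leaf.pem")"
# Loading the missing CA explicitly: add the intermediate to the trust file.
cat "$work/root.pem" "$work/int.pem" > "$work/bundle.pem"
echo "root + int:  $(verify_leaf "$work/bundle.pem" "$work/leaf.pem")"
rm -rf "$work"
```
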


