[squid-users] How to suppress SQUID_X509_V_ERR_DOMAIN_MISMATCH error for known domains?

Yuri Voinov yvoinov at gmail.com
Sat Mar 26 20:01:32 UTC 2016


Found and solved.

root @ cthulhu / # openssl s_client -connect fe2.update.microsoft.com:443
CONNECTED(00000003)
depth=1 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = Microsoft Update Secure Server CA 2.1
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft/OU=DSP/CN=fe2.update.microsoft.com
   i:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Update Secure Server CA 2.1
 1 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Update Secure Server CA 2.1
   i:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2011
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIF5TCCA82gAwIBAgITMwAAAFRKWJwXUQHpvwAAAAAAVDANBgkqhkiG9w0BAQsF
ADCBhDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT
B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEuMCwGA1UE
AxMlTWljcm9zb2Z0IFVwZGF0ZSBTZWN1cmUgU2VydmVyIENBIDIuMTAeFw0xNTEy
MTYxOTM4MDdaFw0xNjA1MTYxOTM4MDdaMHkxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
EwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMRIwEAYDVQQKEwlNaWNyb3Nv
ZnQxDDAKBgNVBAsTA0RTUDEhMB8GA1UEAxMYZmUyLnVwZGF0ZS5taWNyb3NvZnQu
Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt9yv6P/FzJvxW5Wx
/klFQ1o9BO0qyAr7u5nYeLbGiwnVOSj8qIZ6t4GoqHq6spDGuqFfRF0u/eeZY0bq
hncHjJHm4YZ9KHOvhObBJ0fHbTyyyXRYxHe1rk+4o4M1SszvAviY2zGKvc6Euik9
p3erPxocB2nwbEn82JkNxS0UjcmKpUDmFNYMe5O+MJ3ngKCv62SbmJXAH3ZWq7yJ
xNTgQjrXCKHxVDmC2TrC2f7/35gGH3OksOthD9zCkKTw+y+pJ0n3AO7ahrdj+pB4
uyQzb0K077xeAIY54eoTuhL2d3vDCDwt4m0YJccl464IGjtF99nt8DlRriGig5Wg
T8+28QIDAQABo4IBWDCCAVQwDgYDVR0PAQH/BAQDAgTwMBMGA1UdJQQMMAoGCCsG
AQUFBwMBMB0GA1UdDgQWBBRf9/DNbWTCucVV/ag9JpVQ+JLldjAfBgNVHSMEGDAW
gBTS8j2EdIYbUIWqXeWlB5rwR9MuaTBoBgNVHR8EYTBfMF2gW6BZhldodHRwOi8v
d3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNyb3NvZnQlMjBVcGRhdGUl
MjBTZWN1cmUlMjBTZXJ2ZXIlMjBDQSUyMDIuMS5jcmwwdQYIKwYBBQUHAQEEaTBn
MGUGCCsGAQUFBzAChllodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2Nl
cnRzL01pY3Jvc29mdCUyMFVwZGF0ZSUyMFNlY3VyZSUyMFNlcnZlciUyMENBJTIw
Mi4xLmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQBGJdsEVpCN
VD7PUYDopBFCAN/t8n4TZ4Y8lQvdT4qtWFKvucqNR2clZnXg3KB0D7V8/lr4kqGi
8t089SuSnnEnIREQhrf3KMryJZiU/5dt9UejThYYrjoVtFOGXhQit7fG2lQyOp9a
riHf+OuXAv6UZXW2Ina6vUcxWk7GrupSDdWfROv1ZUUEj5wmbJGOfh/Oc7Nkzbnj
wLl62h9hix4fwP8XdKp2uWXAkPjgjAH3SK9wDSOm5L6hR9crbUikowoEC5XYX+gh
8kTED8kaSbVoyGIDR+gTtm7F4S99W8ecI2GSeZkhawFC3lbtpE9P5LfrStSJL809
yUWUCwo1xTz12Iwo8PXZk8XiId+f/KxxFMNjMDG/FZRUFfNMWU10ijqBlI4Nlovk
pV9Fhpfny75cScJNZLij5FFiLHZuYzfGhejDBmpXweBpV6VLe9RNoLHmgBVTjYBa
nzLa6r0M3ICnXCtX8h5JNcOPhvBFb43Z6+6CQP6jM2SqXSQUg3TwArBe0deaoYCI
fJpJJTKqo88FeURLpgfemPa3sXXUKqKWglYejkCYM6Kk8IPAa8w3JnsGWg5F5MJa
8zp43RouY5+VBZLAF+B1HZGEwyEXUhzZshl9QAmMs9YrXooFqP9rnyAP8ehNQdmC
Tl1/2ofmuAUavN8AQfh1Jn8Nm+hPnADN+w==
-----END CERTIFICATE-----
subject=/C=US/ST=Washington/L=Redmond/O=Microsoft/OU=DSP/CN=fe2.update.microsoft.com
issuer=/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Update Secure Server CA 2.1
---
No client certificate CA names sent
---
SSL handshake has read 3503 bytes and written 649 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA256
    Session-ID: 7B4C0000F911C68C6B1C235D7E5DB1C001A481D27EF8B594EB7F60A73904A4A7
    Session-ID-ctx:
    Master-Key: 7BC9333DDD64858E393E2837FF645DB131A868322766771BDF4EBD3AE49A0AD422852AC787008F0A0CD60BC8EA5A0E75
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1459021942
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
read:errno=131

The damned M$ uses an intermediate CA which is absent from the CA bundle by
default on fe2.update.microsoft.com.

In addition, there is the Akamai CN mismatch.

Thanks all!

26.03.16 23:25, Alex Rousskov wrote:
> On 03/26/2016 04:53 AM, Yuri Voinov wrote:
>> http://i.imgur.com/kxrOEVd.png
>>
>> How to suppress this? It stops WU right now.
>
>
> Does the ssl::certDomainMismatch ACL work to bypass the
> SQUID_X509_V_ERR_DOMAIN_MISMATCH error?
>
> If not, then just as a triage experiment (and not for production use!),
> does the following bypass the SQUID_X509_V_ERR_DOMAIN_MISMATCH error?
>
>   sslproxy_cert_error allow all
>
>
> Alex.
>

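A squid.conf fragment, added here as an example (it is not from the thread, nor from the Squid project's documentation), showing how to answer the subject line for known domains instead of Alex's triage-only `sslproxy_cert_error allow all`. It assumes Squid 3.5 with ssl_bump already in use; the CA bundle path is a placeholder. Two observations from the openssl output above drive it: the verification fails at depth=1 with error 20, meaning the issuer of the intermediate (the Microsoft Root Certificate Authority 2011) was not found in the local bundle, so the chain problem is fixed by supplying that trust anchor, not by bypassing the error; and `openssl s_client -connect host:443` without `-servername` sends no SNI, so a CDN front end may hand back a different certificate than the one a browser or Squid would see, which is worth checking before treating a CN mismatch as permanent.

```conf
# Added example, not part of the original thread.
# Assumes Squid 3.5.x with ssl_bump configured; the bundle path is a placeholder.

# 1. Fix the actual chain problem: point Squid at a CA bundle that includes
#    the issuer openssl could not find at depth=1 (error 20,
#    "unable to get local issuer certificate").
sslproxy_cafile /usr/local/squid/etc/ca-bundle-with-ms-root.pem   # placeholder path

# 2. Name exactly the error we are prepared to tolerate.
#    SQUID_X509_V_ERR_DOMAIN_MISMATCH is the error from the subject line;
#    ssl::certDomainMismatch (the name Alex mentions) is Squid's shortcut for it.
acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH

# 3. Name exactly the servers it may be tolerated for. ssl::server_name uses
#    the CONNECT host, the TLS SNI and the server certificate names, with
#    dstdomain-style suffix matching.
acl MsUpdateHosts ssl::server_name .update.microsoft.com

# 4. Allow only that error, only for those hosts. Rules are first-match, and
#    the default is deny, so an expired, self-signed or untrusted certificate
#    from the same hosts is still rejected.
sslproxy_cert_error allow DomainMismatch MsUpdateHosts
sslproxy_cert_error deny all

# Do NOT leave the triage line from the thread in production: it accepts every
# validation error from every server, so a forged certificate on any bumped
# connection would pass through the proxy unchallenged.
# sslproxy_cert_error allow all
```

After reloading, the error page from the screenshot should disappear only for `.update.microsoft.com`; any other host that fails validation keeps producing it, which is the behaviour you want from a bumping proxy.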
