[squid-users] SSL3_GET_SERVER_CERTIFICATE failed
Amos Jeffries
squid3 at treenet.co.nz
Thu Dec 7 08:14:35 UTC 2017
On 07/12/17 20:47, G~D~Lunatic wrote:
> my squid is a transparent proxy.
> the cache.log shows that
> 2017/12/07 15:42:53 kid1| Error negotiating SSL connection on FD 175:
> Closed by client
> 2017/12/07 15:42:54 kid1| Error negotiating SSL on FD 95:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed (1/-1/0)
> 2017/12/07 15:42:55 kid1| Error negotiating SSL connection on FD 124:
> Closed by client
> 2017/12/07 15:42:56 kid1| Error negotiating SSL on FD 52:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed (1/-1/0)
>
>
> what's the problem? thank you
Four log lines talking about four different connections (FDs).
Two of them are "Closed by client".
Two of them "certificate verify failed" for the remote server certificate.
For those server certificates the relevant options are the sslproxy_* or
tls_outgoing_options directives in your squid.conf.
* Maybe your system CA certificates are outdated, check for that and update.
* Maybe the server cert is missing intermediate certs from its chain.
In Squid-3.5 use sslproxy_foreign_intermediate_certs to inform squid of
extra intermediate certs that might be missing.
* Maybe the server cert is actually invalid. That happens a lot,
especially on dodgy traffic.
Amos
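
Added example (not part of the original message and not Squid code): a small Python triage of the cache.log excerpt quoted above. It re-joins the wrapped entries, groups them by FD, and separates client-side closes from server certificate verification failures by decoding the OpenSSL error code. The function names and category labels are assumptions made for this sketch; the error-code layout is that of OpenSSL 1.0.x/1.1.x.

```python
import re
# The four cache.log entries quoted in the post, wrapped as the mail wrapped them.
SAMPLE = """\
2017/12/07 15:42:53 kid1| Error negotiating SSL connection on FD 175:
Closed by client
2017/12/07 15:42:54 kid1| Error negotiating SSL on FD 95:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed (1/-1/0)
2017/12/07 15:42:55 kid1| Error negotiating SSL connection on FD 124:
Closed by client
2017/12/07 15:42:56 kid1| Error negotiating SSL on FD 52:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed (1/-1/0)
"""

STAMP = re.compile(r"^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d \S+\| ")
ENTRY = re.compile(r"Error negotiating SSL(?: connection)? on FD (\d+): (.*)")
OSSL = re.compile(r"error:([0-9A-Fa-f]{8}):")
ERR_LIB_SSL, CERT_VERIFY_FAILED = 20, 134  # OpenSSL library and reason numbers

def unwrap(text):
    """Re-join wrapped entries: only a timestamped line starts a new entry."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def decode_openssl(code_hex):
    """Unpack an OpenSSL 1.0.x/1.1.x error code into (library, function, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def triage(text):
    """Return (fd, kind) per entry, separating client closes from verify failures."""
    results = []
    for entry in unwrap(text):
        m = ENTRY.search(entry)
        if not m:
            continue
        code = OSSL.search(m.group(2))
        lib, _, reason = decode_openssl(code.group(1)) if code else (0, 0, 0)
        if (lib, reason) == (ERR_LIB_SSL, CERT_VERIFY_FAILED):
            kind = "server-cert-verify-failed"
        else:
            kind = "closed-by-client" if "Closed by client" in m.group(2) else "other"
        results.append((int(m.group(1)), kind))
    return results
```

The FDs reported as server-cert-verify-failed are the connections to which the CA bundle, intermediate certificate and sslproxy_* / tls_outgoing_options checks in the reply apply.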