[squid-users] A bunch of SSL errors I am not sure why
Amos Jeffries
squid3 at treenet.co.nz
Wed Jan 18 16:05:53 UTC 2017
On 19/01/2017 3:29 a.m., Sameh Onaissi wrote:
> Hello Eliezer, all
>
> Sorry for the late reply.
>
> When I configure the browser to access a non intercept port, the errors do not show up and the site is accessed without a problem.
>
> The client machine has the .crt file installed, but still shows the error.
>
> Other pages with errors:
> http://pasteboard.co/nA20FD7om.png
> http://pasteboard.co/nA2yWRyTE.png
>
> Here is the second page in a browser without an intercepted port:
> http://pasteboard.co/nA39CEFGU.png
>
>
> Thanks in advance.
> Some of these sites are used to pay company bills, so it’s important to get this issue resolves ASAP.
I assume from that first part that the most important of these sites are
a small enough set to deal with as a special case without becoming a
maintenance nightmare.
The error messages both show that Squid at least cannot find one of the
CA required to verify the servers cert.
Soo...
you can probably use the openssl client tool to identify and fetch the
certs manually; then
1a) add the root CA (only if needed) into your machines global CA set,
1b) add any intermediary certs to the file Squid loads through
sslproxy_foreign_intermediate_certs directive.
<http://www.squid-cache.org/Doc/config/sslproxy_foreign_intermediate_certs/>
OR
2) create a cache_peer to the domains server port 443, using the
originserver option and sslcafile= option to specify what its CA chain
is supposed to be.
<http://www.squid-cache.org/Doc/config/cache_peer/>
> Worth mentioning that this was not a problem about 10 days ago.
Nod, these types of things can appear out of nowhere as servers certs
expire or get blacklisted, ciphers etc suddenly get rejected by browsers
as insecure. TLS advocates deny it, but F*ups happen far too often in
reality when dealing with certs.
>
>
> * Try the latest Squid-4, which can auto-download intermediate certificates.
>
> Is squid-4 stable for production?
>
Sorry I missed this in your earlier post.
Well strictly speaking no. It still has a handful of critical bugs to be
tracked down and quashed. But whether those affect you, or if they do
whether its worth an occasional crash to avoid these SSL isues is a
different matter.
Amos
More information about the squid-users
mailing list