[squid-users] SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Amos Jeffries
squid3 at treenet.co.nz
Tue Sep 5 11:01:59 UTC 2017
On 05/09/17 04:20, erdosain9 wrote:
> Hi.
> I'm having a lot of this in cache.log... is this normal?? The https access
> is working fine... but I have those errors.
>
> 2017/09/04 13:10:58 kid1| Error negotiating SSL on FD 467:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed (1/-1/0)
Yes and no. "Normal" is relative to why it is happening.
e.g. if your network is under attack it is "normal" to see signs like
this, but hardly desirable.
On the other hand if the CA certificate being verified has expired or
been revoked it is both normal and desirable to see these instead of letting
the traffic through. Opinions on that differ a lot though.
* Check that your Squid machine's ca-certificates are up to date with the
latest ones available. That can make your proxy unable to deal with CA
changes unless you stay up to date. Regular updates are on the order of
weeks, but can happen with no notice if any CA is breached or goes rogue.
* Check that your crypto library is also the latest available. Some
types of change in TLS extensions can lead to cert errors if the library
does not understand what fields in the server cert mean. This also helps
prevent many cipher related errors.
* Take a closer look at the HTTP(S) transaction using the mentioned FD
number. That may need a section 11,2 trace to see the URL and server
names and/or IP. See if the openssl command line tools can tell you what
is non-verifiable about the server cert.
* If it turns out to be an intermediary cert not known by Squid, check
carefully whether you actually want to trust it. If so you can use
sslproxy_foreign_intermediate_certs to load it explicitly (or Squid-4
should auto-download as needed).
<http://www.squid-cache.org/Doc/config/sslproxy_foreign_intermediate_certs/>
It is rarely any other type of occurrence that can be solved by Squid.
The above should provide some clues to further debugging if necessary.
Amos
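A small triage script for the cache.log lines discussed in this thread (an added example, not code from the thread or from the Squid project): it parses the "Error negotiating SSL on FD" lines, unpacks the OpenSSL error code into its library/function/reason ids, and groups the FDs by reason so they can be matched against a section 11,2 trace. The sample log is constructed here; the line layout follows the quoted message and the error-code unpacking assumes the OpenSSL 1.x layout (OpenSSL 3 no longer records a function id).

```python
import re
from collections import Counter

# Constructed sample cache.log (not from the original post): the line from the
# thread plus a couple of neighbouring lines so the summary has something to group.
SAMPLE_LOG = """\
2017/09/04 13:10:58 kid1| Error negotiating SSL on FD 467: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:02 kid1| Error negotiating SSL on FD 471: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:05 kid1| Error negotiating SSL on FD 480: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2017/09/04 13:11:09 kid1| Some unrelated cache.log line
"""

# Timestamp, kid, FD, then the OpenSSL error string and Squid's trailing "(a/b/c)" numbers.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<kid>kid\d+)\| "
    r"Error negotiating SSL on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^(]+?)"
    r" \((?P<detail>[-\d/]+)\)$"
)


def decode_openssl_error(code: int) -> dict:
    """Unpack an OpenSSL 1.x ERR_PACK code: 8-bit library, 12-bit function, 12-bit reason."""
    return {"lib_id": (code >> 24) & 0xFF, "func_id": (code >> 12) & 0xFFF, "reason_id": code & 0xFFF}


def parse_ssl_errors(log_text: str) -> list:
    """Return one dict per 'Error negotiating SSL' line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["fd"] = int(ev["fd"])
        ev["reason"] = ev["reason"].strip()
        ev["detail"] = ev["detail"]  # kept verbatim as Squid prints it
        ev.update(decode_openssl_error(int(ev["code"], 16)))
        events.append(ev)
    return events


def summarize(events: list):
    """Count errors per reason and list the FDs (with timestamps) to look up in a 11,2 trace."""
    by_reason = Counter(e["reason"] for e in events)
    fds_by_reason = {}
    for e in events:
        # FDs are reused by Squid, so keep the timestamp alongside the FD when correlating.
        fds_by_reason.setdefault(e["reason"], []).append(e["fd"])
    return by_reason, fds_by_reason


if __name__ == "__main__":
    counts, fds = summarize(parse_ssl_errors(SAMPLE_LOG))
    for reason, n in counts.most_common():
        print(f"{n:4d}  {reason}  FDs={fds[reason]}")
```

Run it against a real cache.log with `parse_ssl_errors(open("/var/log/squid/cache.log").read())`; the FDs and timestamps it reports are the ones to look for in the section 11,2 trace to recover the server name before checking the certificate with the openssl command line tools.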