[squid-users] TLS: 1st time w/intermediate cert: not working; ideas on what I'm doing wrong?

Yuri yvoinov at gmail.com
Thu Sep 7 21:19:51 UTC 2017



08.09.2017 3:14, L A Walsh wrote:
> Got an error message from squid where I'm doing https-bumping:
>
> --------------------------
> The following error was encountered while trying to retrieve the URL:
> https://help.ea.com/
>
>    *Failed to establish a secure connection to 52.0.220.87*
>
> The system returned:
>
>    (71) Protocol error (TLS code:
> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
>
>    SSL Certficate error: certificate issuer (CA) not known:
>    /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec
>    Class 3 Secure Server CA - G4
>
> This proxy and the remote host failed to negotiate a mutually
> acceptable security settings for handling your request. It is possible
> that the remote host does not support secure connections, or the proxy
> is not satisfied with the host security credentials.
>
> --------------------------------
>
> Googling found:
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Howto-fix-X509-V-ERR-UNABLE-TO-GET-ISSUER-CERT-LOCALLY-Squid-error-td4682015.html
>
>
> Used openssl.com to get the intermediate certs (2 hosts are referenced
> in parallel chains).  The two certs looked like:
>
> -----BEGIN CERTIFICATE-----
> ...hexstuff==
> -----END CERTIFICATE-----
>
>
> Added the certs to a file and that filename to my squid.conf on a line:
>
> sslproxy_foreign_intermediate_certs /etc/squid/ssl_intermediates/cert.pem
>
> restarted squid, but am still getting same error.
>
> Am I missing some obvious step?
Yup :)

#  TAG: sslproxy_foreign_intermediate_certs
#    Many origin servers fail to send their full server certificate
#    chain for verification, assuming the client already has or can
#    easily locate any missing intermediate certificates.
#
#    Squid uses the certificates from the specified file to fill in
#    these missing chains when trying to validate origin server
#    certificate chains.
#
#    The file is expected to contain zero or more PEM-encoded
#    intermediate certificates. These certificates are not treated
#    as trusted root certificates, and any self-signed certificate in
#    this file will be ignored.
#Default:
# none

>
> Looking for a clue... ;-)
https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit?highlight=%28Ssl%29%7C%28Bump%29%7C%28explicit%29#Missing_intermediate_certificates
>
> Thanks!
> -l
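As an added example, not from this thread or from Squid itself: the script below builds a constructed root -> intermediate -> leaf chain with the openssl CLI (invented names, temporary files), then checks a candidate file for `sslproxy_foreign_intermediate_certs` the way the directive's description implies, i.e. does a non-self-signed entry's subject match the leaf's issuer, and does the chain then verify. Feeding it the root instead of the intermediate reproduces the "unable to get local issuer certificate" failure (openssl error 20, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) from the original report.

```shell
# Added example, not from the thread or from Squid: build a constructed root ->
# intermediate -> leaf chain with openssl, then check whether a candidate file for
# sslproxy_foreign_intermediate_certs really supplies the leaf's missing issuer.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\n' > "$WORK/ee.ext"
# new_cert NAME SUBJECT [SIGNER]: key + cert under $WORK; self-signed when SIGNER is omitted.
# CA certs get CA:TRUE so openssl verify accepts the intermediate as an issuer.
new_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  if [ "$1" = leaf ]; then ext="$WORK/ee.ext"; else ext="$WORK/ca.ext"; fi
  if [ -z "$3" ]; then
    openssl x509 -req -days 1 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
      -extfile "$ext" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
      -CAcreateserial -extfile "$ext" -out "$WORK/$1.pem" 2>/dev/null
  fi
}
# bundle_supplies_issuer BUNDLE LEAF: succeeds only if a non-self-signed entry's subject
# equals the leaf's issuer DN. Self-signed entries are reported because Squid ignores them.
bundle_supplies_issuer() {
  need=$(openssl x509 -noout -issuer -in "$2" | sed 's/^issuer=//')
  rm -f "$WORK"/part*.pem
  awk -v d="$WORK" '/BEGIN CERT/{n++} n>0{print > (d "/part" n ".pem")}' "$1"
  found=1
  for p in "$WORK"/part*.pem; do
    subj=$(openssl x509 -noout -subject -in "$p" | sed 's/^subject=//')
    iss=$(openssl x509 -noout -issuer -in "$p" | sed 's/^issuer=//')
    if [ "$subj" = "$iss" ]; then echo "  self-signed entry, ignored by Squid: $subj"
    elif [ "$subj" = "$need" ]; then found=0; fi
  done
  return $found
}
# chain_verifies BUNDLE LEAF: the verifier's view with the root trusted and the bundle
# offered as untrusted intermediates; failure here is openssl error 20, the code in the thread.
chain_verifies() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$2" >/dev/null 2>&1
}
new_cert root "/CN=Example Root CA"
new_cert int "/CN=Example Intermediate CA" root
new_cert leaf "/CN=help.example.test" int
for b in int.pem root.pem; do  # int.pem is the needed bundle; root.pem is the common mistake
  if bundle_supplies_issuer "$WORK/$b" "$WORK/leaf.pem" && chain_verifies "$WORK/$b" "$WORK/leaf.pem"
  then echo "$b: chain completes"
  else echo "$b: issuer still missing -> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY"; fi
done
```

Run the two check functions against your real cert.pem and a leaf saved from the failing site to see whether the file actually contains the issuer named in Squid's error page or only a root that Squid will skip.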

