[squid-users] Squid 4 and missing intermediate certs

Alex Rousskov rousskov at measurement-factory.com
Fri Jan 26 17:50:50 UTC 2018


On 01/26/2018 02:30 AM, Alex Crow wrote:

> I've just set up a new SSL interception proxy using peek/splice/bump
> using squid 4.0.22 and I'm getting SSL errors on some site indicating
> missing intermediate certs as described here:
> 
> https://blog.diladele.com/2015/04/21/fixing-x509_v_err_unable_to_get_issuer_cert_locally-on-ssl-bumping-squid/
> 
> I have read the wiki and I see this on the SslBumpExplicit page:
> 
> "Squid-4 <https://wiki.squid-cache.org/Squid-4> is capable of
> downloading missing intermediate CA certificates, like popular browsers do."
> 
> However I'm finding that I have to follow the procedure in the diladele
> article and manually install the intermediate certs into the PKI trust
> to work around this.


Several cases are possible here:

1. Squid is missing the root certificate used by the origin server.
Neither Squid nor browsers can fetch root certificates automatically
(for hopefully obvious reasons).

2. Squid is missing an intermediate certificate used by the origin
server, and the origin server provided no instructions on how to fetch
that missing certificate automatically. Neither Squid (for sure) nor
browsers (AFAIK) can fetch missing intermediate certificates
automatically if they are not given origin server instructions of where
to get them. Those instructions are usually given as various extension
fields in signed certificates.

3. Squid is missing an intermediate certificate used by the origin
server, the origin server provided instructions on how to fetch that
missing certificate automatically, but Squid does not understand/support
those instructions. There are several instruction formats/variants, and
Squid does not support some of them. Please consider adding that support
to Squid (requires writing code or sponsoring development).

4. Squid is missing an intermediate certificate used by the origin
server, the origin server provided instructions on how to fetch that
missing certificate automatically, Squid followed those instructions,
but something went wrong. Study detailed Squid debugging logs or post
them for analysis by others.

You need to study each error to understand which case applies to it.

To make matters worse, a combination of #1 and other cases is possible:
Sometimes, automatically fetching a missing certificate leads to
certificate validation problems that could have been avoided if Squid
had the right (and different) trusted certificate in the first place:
https://github.com/squid-cache/squid/commit/9ef7d9d5ddef54283cea4f1fdb7b3bbc1715755c


I doubt Squid logs enough information (by default) to quickly and easily
distinguish the four cases for a given error -- you may need to study
the origin server certificates and Squid logs. For example, #4 should
manifest itself as access.log errors associated with failed certificate
fetching requests.


As the solution for #1-2 or workaround for #3-4, if you trust the
missing certificate, manually add it to your trust store (which is what
you were doing).


HTH,

Alex.


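The four cases in the reply can be told apart mechanically from a leaf certificate, the intermediates the server presented and a trust store. The shell script below is an added example, not code from this thread or from Squid; it assumes an openssl command-line tool with its default config, and builds a constructed chain with a placeholder AIA URI (pki.example.invalid) so it runs offline.

```shell
#!/bin/sh
# Added diagnostic helper; not Squid code. Builds a constructed root -> intermediate
# -> leaf chain with openssl, where one leaf carries the Authority Information
# Access (AIA) "CA Issuers" URI, the in-certificate instruction for fetching a
# missing intermediate, then classify_chain() maps a verify failure onto the
# cases in the reply: #1 root missing, #2 no AIA to follow, #3/#4 AIA present.
set -e
WORK=$(mktemp -d) && cd "$WORK"
AIA_URI="http://pki.example.invalid/intermediate.der"   # constructed placeholder

mk_ca() {  # mk_ca NAME SUBJECT: self-signed root
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
    -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}
mk_signed() {  # mk_signed NAME SUBJECT ISSUER EXTFILE: issuer-signed cert
  openssl req -newkey rsa:2048 -nodes -subj "$2" -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -days 1 -extfile "$4" -out "$1.pem" >/dev/null 2>&1
}
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nauthorityInfoAccess=caIssuers;URI:%s\n' "$AIA_URI" > aia.ext
printf 'basicConstraints=CA:FALSE\n' > noaia.ext
mk_ca root "/CN=Constructed Root"
mk_ca other_root "/CN=Unrelated Root"    # stands in for a trust store lacking our root
mk_signed int "/CN=Constructed Intermediate" root ca.ext
mk_signed leaf_aia "/CN=www.example.invalid" int aia.ext
mk_signed leaf_noaia "/CN=www.example.invalid" int noaia.ext

# classify_chain LEAF TRUSTED_ROOTS [PRESENTED_INTERMEDIATES]
# prints: complete | case1-missing-root | case2-no-aia | case3or4-aia:<uri>
classify_chain() {
  leaf=$1; roots=$2
  if [ -n "${3:-}" ]; then set -- -untrusted "$3"; else set --; fi
  out=$(openssl verify -CAfile "$roots" "$@" "$leaf" 2>&1) || true
  case $out in *": OK"*) echo complete; return 0;; esac
  # openssl names the depth where chain building stopped: 0 means the leaf's own
  # issuer was never found; 1 means the presented intermediate chained but its
  # issuer (the root) is not in the trust store, i.e. the reply's case #1.
  depth=$(printf '%s\n' "$out" | sed -n 's/.*error [0-9]* at \([0-9]*\) depth.*/\1/p' | head -n 1)
  case $depth in "") echo "unknown: $out"; return 0;; 0) ;; *) echo case1-missing-root; return 0;; esac
  # Intermediate missing: does the leaf say where to fetch it (AIA caIssuers)?
  aia=$(openssl x509 -in "$leaf" -noout -text | sed -n 's/.*CA Issuers - URI:\(.*\)/\1/p')
  if [ -z "$aia" ]; then echo case2-no-aia; else echo "case3or4-aia:$aia"; fi
}

classify_chain leaf_aia.pem root.pem int.pem        # complete
classify_chain leaf_aia.pem other_root.pem int.pem  # case1-missing-root
classify_chain leaf_noaia.pem root.pem              # case2-no-aia
classify_chain leaf_aia.pem root.pem                # case3or4-aia:<AIA_URI>
```

Run it against a real site by saving the server's leaf and presented intermediates (for example from `openssl s_client -showcerts`) and pointing classify_chain at Squid's trust store; a case3or4 result is where Squid's own fetch attempt, and therefore its access.log, should be examined.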