[squid-users] sometimes intermediate certificates were not downloaded when using sslbump
L.P.H. van Belle
belle at bazuin.nl
Wed Apr 8 11:48:14 UTC 2020
This is a simple one.
The certificate chain of that website is incorrect.
As shown here: https://www.ssllabs.com/ssltest/analyze.html?d=www.formulare%2dbfinv.de&latest
Check your webserver first and correct your ciphers in your apache webserver.
Greetz,
Louis
> -----Original message-----
> From: squid-users
> [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of Dieter Bloms
> Sent: Wednesday 8 April 2020 13:37
> To: squid-users at lists.squid-cache.org
> Subject: [squid-users] sometimes intermediate certificates
> were not downloaded when using sslbump
>
> Hello,
>
> I use a self-compiled squid 4.10, compiled as follows:
>
> ~# squid --version
> Squid Cache: Version 4.10
> Service Name: squid
>
> This binary uses OpenSSL 1.1.1d 10 Sep 2019. For legal
> restrictions on distribution see
> https://www.openssl.org/source/license.html
>
> configure options: '--prefix=/usr' '--sysconfdir=/etc/squid'
> '--bindir=/usr/sbin' '--sbindir=/usr/sbin'
> '--localstatedir=/var' '--libexecdir=/usr/sbin'
> '--datadir=/usr/share/squid' '--mandir=/usr/share/man'
> '--with-default-user=squid' '--with-filedescriptors=131072'
> '--with-logdir=/var/log/squid' '--disable-auto-locale'
> '--disable-auth-negotiate' '--disable-auth-ntlm'
> '--disable-eui' '--disable-carp' '--disable-htcp'
> '--disable-ident-lookups' '--disable-loadable-modules'
> '--disable-translation' '--disable-wccp' '--disable-wccpv2'
> '--enable-async-io=128' '--enable-auth'
> '--enable-auth-basic=LDAP NCSA' '--enable-auth-digest=LDAP
> file' '--enable-epoll' '--enable-log-daemon-helpers=file'
> '--enable-icap-client' '--enable-inline' '--enable-snmp'
> '--enable-disk-io=AIO,DiskThreads,IpcIo,Blocking'
> '--enable-storeio=ufs,aufs,rock' '--enable-referer-log'
> '--enable-useragent-log' '--enable-large-cache-files'
> '--enable-removal-policies=lru,heap'
> '--enable-follow-x-forwarded-for' '--enable-ssl-crtd' '--with-openssl'
>
> In squid.conf I set the following acl at the very beginning of the acl section:
>
> # allow fetching of missing intermediate certificates
> acl fetch_intermediate_certificate transaction_initiator certificate-fetching
> cache allow fetch_intermediate_certificate
> cache deny all
> http_access allow fetch_intermediate_certificate
>
> and squid fetches intermediate certificates for websites
> like: https://incomplete-chain.badssl.com/
> But squid doesn't fetch the intermediate certificates for the
> site https://www.formulare-bfinv.de/
> and I don't know why.
>
> I checked all AIA entries in the certificates and it looks good to me.
>
> Can anybody try the site https://www.formulare-bfinv.de/ with
> sslbump enabled,
> so I can see whether my installation is broken or the
> webserver configuration isn't correct?
>
> Thank you very much.
>
> --
> Best regards
>
> Dieter Bloms
>
> --
> I do not get viruses because I do not use MS software.
> If you use Outlook then please do not put my email address in your
> address-book so that WHEN you get a virus it won't use my
> address in the
> From field.
>
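An offline way to reproduce the two cases discussed in this thread, added here as an example and not part of the thread or of Squid: a constructed root, intermediate and leaf, where the leaf fails verification when only the leaf is presented and passes once the intermediate is supplied, plus extraction of the AIA caIssuers URL a fetching client would use. All subject names and the `aia.example.invalid` URL are made-up placeholders; the script assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Constructed lab PKI: root -> intermediate -> leaf. Names and the AIA URL are placeholders.
set -eu
LAB=$(mktemp -d); trap 'rm -rf "$LAB"' EXIT
AIA_URL="http://aia.example.invalid/lab-intermediate.cer"   # never contacted

cat > "$LAB/lab.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
CN = unused
[ca_ext]
basicConstraints = critical,CA:TRUE
[leaf_ext]
basicConstraints = CA:FALSE
authorityInfoAccess = caIssuers;URI:$AIA_URL
EOF

# issue NAME SUBJECT EXT_SECTION SIGNER: new key and CSR, signed by SIGNER's key
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$LAB/lab.cnf" \
    -subj "$2" -keyout "$LAB/$1.key" -out "$LAB/$1.csr" 2>/dev/null
  openssl x509 -req -in "$LAB/$1.csr" -days 2 -CA "$LAB/$4.pem" -CAkey "$LAB/$4.key" \
    -CAcreateserial -extfile "$LAB/lab.cnf" -extensions "$3" -out "$LAB/$1.pem" 2>/dev/null
}

openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$LAB/lab.cnf" -extensions ca_ext \
  -subj "/CN=Lab Root" -keyout "$LAB/root.key" -out "$LAB/root.pem" 2>/dev/null
issue int  "/CN=Lab Intermediate"    ca_ext   root
issue leaf "/CN=www.example.invalid" leaf_ext int

# What a client sees when the server sends only the leaf (incomplete chain)
verify_leaf_only() { openssl verify -CAfile "$LAB/root.pem" "$LAB/leaf.pem" >/dev/null 2>&1; }
# Same leaf once the intermediate is available (sent by the server or fetched via AIA)
verify_with_intermediate() {
  openssl verify -CAfile "$LAB/root.pem" -untrusted "$LAB/int.pem" "$LAB/leaf.pem" >/dev/null 2>&1
}
# caIssuers URL carried in certificate NAME; empty output means there is nothing to fetch from
aia_ca_issuers() {
  openssl x509 -in "$LAB/$1.pem" -noout -text | sed -n 's/^ *CA Issuers - URI://p'
}

if verify_leaf_only; then echo "leaf only: verifies"; else echo "leaf only: issuer missing"; fi
if verify_with_intermediate; then echo "leaf + intermediate: verifies"; fi
echo "leaf AIA caIssuers: $(aia_ca_issuers leaf)"
```

Against a real server, the same `aia_ca_issuers` extraction can be applied to each certificate the server presents, to see whether every certificate with a missing issuer actually carries a usable caIssuers URL.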