[squid-users] squid doesn't fetch the intermediate certificate for some sites
Dieter Bloms
squid.org at bloms.de
Tue Jul 21 07:41:12 UTC 2020
Hello,
we use the sslbump feature and it works very well.
But some sites can't be reached because of missing intermediate
certificate.
In squid.conf we have configured the following parameters:
--snip--
# allow fetching of missing intermediate certificates
acl fetch_intermediate_certificate transaction_initiator certificate-fetching
http_access allow fetch_intermediate_certificate
cache allow fetch_intermediate_certificate
cache deny all
--snip--
and fetching the intermediate certificate works for sites like: https://incomplete-chain.badssl.com/
but for some sites like https://mycase.cloudapps.cisco.com/
squid doesn't fetch the intermediate certificate and returns X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
In my eyes the certificate of mycase.cloudapps.cisco.com contains an AiA
record.
output of openssl on certificate of mycase.cloudapps.cisco.com
--snip--
Authority Information Access:
CA Issuers - URI:http://trust.quovadisglobal.com/hydsslg2.crt
OCSP - URI:http://ocsp.quovadisglobal.com
--snip--
so does anybody see what's the reason, why squid doesn't download the
intermediate certificate for mycase.cloudapps.cisco.com ?
--
Regards
Dieter Bloms
--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
>From field.
More information about the squid-users
mailing list