[squid-users] squid doesn't fetch the intermediate certificate for some sites
Matus UHLAR - fantomas
uhlar at fantomas.sk
Tue Jul 21 08:59:49 UTC 2020
On 21.07.20 09:41, Dieter Bloms wrote:
>we use the sslbump feature and it works very well.
>But some sites can't be reached because of missing intermediate
>certificate.
>
>In squid.conf we have configured the following parameters:
>
>--snip--
># allow fetching of missing intermediate certificates
>acl fetch_intermediate_certificate transaction_initiator certificate-fetching
>http_access allow fetch_intermediate_certificate
>cache allow fetch_intermediate_certificate
>cache deny all
>--snip--
>
>and fetching the intermediate certificate works for sites like: https://incomplete-chain.badssl.com/
>
>but for some sites like https://mycase.cloudapps.cisco.com/
>squid doesn't fetch the intermediate certificate and returns X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
>
>In my eyes the certificate of mycase.cloudapps.cisco.com contains an AiA
>record.
>
>output of openssl on certificate of mycase.cloudapps.cisco.com
>--snip--
> Authority Information Access:
> CA Issuers - URI:http://trust.quovadisglobal.com/hydsslg2.crt
> OCSP - URI:http://ocsp.quovadisglobal.com
>--snip--
>
>so does anybody see what's the reason, why squid doesn't download the
>intermediate certificate for mycase.cloudapps.cisco.com ?
squid can't download certificates other than the website provides.
if a website does not provide valid certificate chain, it's up to the client
to produce an error. With browser, you can allow the certificate explicitly.
It is also possible that browser has the intermediace certificate
remembered.
testing certificate for mycase.cloudapps.cisco.com shows only one
certificate I can see:
Certificate chain
0 s:C = US, ST = California, L = San Jose, O = "Cisco Systems, Inc.", CN = mycase.cloudapps.cisco.com
i:C = US, O = HydrantID (Avalanche Cloud Corporation), CN = HydrantID SSL ICA G2
the HydrantID SSL ICA G2 certificate seems to be missing here.
--
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows 2000: 640 MB ought to be enough for anybody
More information about the squid-users
mailing list