[squid-users] squid doesn't fetch the intermediate certificate for some sites
Dieter Bloms
squid.org at bloms.de
Tue Jul 21 09:18:33 UTC 2020
Hello Matus,
thank you for your answer.
On Tue, Jul 21, Matus UHLAR - fantomas wrote:
> On 21.07.20 09:41, Dieter Bloms wrote:
> > we use the sslbump feature and it works very well.
> > But some sites can't be reached because of missing intermediate
> > certificate.
> >
> > In squid.conf we have configured the following parameters:
> >
> > --snip--
> > # allow fetching of missing intermediate certificates
> > acl fetch_intermediate_certificate transaction_initiator certificate-fetching
> > http_access allow fetch_intermediate_certificate
> > cache allow fetch_intermediate_certificate
> > cache deny all
> > --snip--
> >
> > and fetching the intermediate certificate works for sites like: https://incomplete-chain.badssl.com/
> >
> > but for some sites like https://mycase.cloudapps.cisco.com/
> > squid doesn't fetch the intermediate certificate and returns X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
> >
> > In my eyes the certificate of mycase.cloudapps.cisco.com contains an AiA
> > record.
> >
> > output of openssl on certificate of mycase.cloudapps.cisco.com
> > --snip--
> > Authority Information Access:
> > CA Issuers - URI:http://trust.quovadisglobal.com/hydsslg2.crt
> > OCSP - URI:http://ocsp.quovadisglobal.com
> > --snip--
> >
> > so does anybody see what's the reason, why squid doesn't download the
> > intermediate certificate for mycase.cloudapps.cisco.com ?
>
> squid can't download certificates other than the ones the website provides.
that's not true:
from site: https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
"Squid-4 is capable of downloading missing intermediate CA certificates,
like popular browsers do."
> if a website does not provide valid certificate chain, it's up to the client
> to produce an error. With browser, you can allow the certificate explicitly.
with sslbump the browser doesn't see the origin webserver's certificate,
but the one squid created.
> It is also possible that the browser has the intermediate certificate
> remembered.
as I already wrote, we use sslbump.
> testing certificate for mycase.cloudapps.cisco.com shows only one
> certificate I can see:
>
> Certificate chain
> 0 s:C = US, ST = California, L = San Jose, O = "Cisco Systems, Inc.", CN = mycase.cloudapps.cisco.com
> i:C = US, O = HydrantID (Avalanche Cloud Corporation), CN = HydrantID SSL ICA G2
>
> the HydrantID SSL ICA G2 certificate seems to be missing here.
>
>
>
> --
> Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Windows 2000: 640 MB ought to be enough for anybody
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
--
Gruß
Dieter
--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
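The thread turns on two separate questions: does the server send its intermediate, and if not, does the leaf carry an AIA "CA Issuers" URI that a chain-completing proxy such as Squid-4's SslBump fetcher could follow. The script below, an added example and not Squid's or the list's code, makes that diagnosis reproducible offline. It builds a constructed throw-away PKI (root, intermediate, leaf) with the `cryptography` library; the AIA URL, the names and the helper functions are all assumptions for the example, and `signed_by` shows the check a fetcher still has to do after downloading: that the fetched certificate actually signed the leaf.

```python
"""Diagnose a presented TLS chain: complete, or missing its issuer but
carrying an AIA "CA Issuers" URI that could be fetched, or neither.

Added example, not Squid code. It builds a constructed PKI with the
`cryptography` library so it runs offline; the AIA URL is a placeholder.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID

# Constructed placeholder; a real leaf points at the CA's published .crt.
AIA_URL = "http://ca.example.invalid/intermediate.crt"


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _issue(subject, issuer_name, issuer_key, subject_key, ca, aia=None):
    """Sign a certificate for `subject` with `issuer_key`, optionally with AIA."""
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(subject)
         .issuer_name(issuer_name)
         .public_key(subject_key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(minutes=1))
         .not_valid_after(now + datetime.timedelta(days=1))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if aia:
        b = b.add_extension(x509.AuthorityInformationAccess([
            x509.AccessDescription(AuthorityInformationAccessOID.CA_ISSUERS,
                                   x509.UniformResourceIdentifier(aia))]), critical=False)
    return b.sign(issuer_key, hashes.SHA256())


def build_pki(with_aia=True):
    """Return (root, intermediate, leaf) of a constructed three-level PKI."""
    root_key, ica_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = _issue(_name("Example Root"), _name("Example Root"), root_key, root_key, ca=True)
    ica = _issue(_name("Example Intermediate"), root.subject, root_key, ica_key, ca=True)
    leaf = _issue(_name("www.example.invalid"), ica.subject, ica_key, leaf_key, ca=False,
                  aia=AIA_URL if with_aia else None)
    return root, ica, leaf


def ca_issuer_urls(cert):
    """CA Issuers URIs from the AIA extension: what a fetcher would download."""
    try:
        aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
    except x509.ExtensionNotFound:
        return []
    return [d.access_location.value for d in aia
            if d.access_method == AuthorityInformationAccessOID.CA_ISSUERS]


def issuer_present(leaf, presented):
    """True when one of the certificates sent alongside the leaf is its issuer."""
    return any(c.subject == leaf.issuer for c in presented)


def diagnose(presented):
    """presented[0] is the leaf, the rest is whatever the server sent with it.
    Returns 'complete', 'fetchable' (issuer missing, AIA URL available) or
    'unfetchable' (issuer missing, no AIA URL): the decision a chain-completing
    proxy has to make before it can even try to download anything."""
    leaf = presented[0]
    if issuer_present(leaf, presented[1:]):
        return "complete"
    return "fetchable" if ca_issuer_urls(leaf) else "unfetchable"


def signed_by(cert, candidate_issuer):
    """After fetching, confirm the downloaded certificate really signed `cert`."""
    try:
        candidate_issuer.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


if __name__ == "__main__":
    root, ica, leaf = build_pki()
    print(diagnose([leaf, ica]))   # server sent the intermediate
    print(diagnose([leaf]))        # intermediate missing, AIA URL present
    print(ca_issuer_urls(leaf))
    print(signed_by(leaf, ica), signed_by(leaf, root))
```

`diagnose([leaf])` returning `fetchable` corresponds to the incomplete-chain case in the thread; when a real server in that state still ends in X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, the next things to rule out are whether the fetch itself was allowed and whether what came back passes the `signed_by` check.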