[squid-users] (92) Protocol error (TLS code: X509_V_ERR_CERT_HAS_EXPIRED)
Alex Rousskov
rousskov at measurement-factory.com
Tue Jun 23 15:42:19 UTC 2020
On 6/23/20 11:04 AM, Andrea Venturoli wrote:
> Running Squid 4.11 on FreeBSD 11.3 with SSLBump, since a few days, I've
> got several sites (e.g. https://www.kawsaki.it/) failing with:
>
>> The following error was encountered while trying to retrieve the URL:
>> https://www.kawasaki.it/*
>>
>> Failed to establish a secure connection to 54.39.161.167
>>
>> The system returned:
>>
>> (92) Protocol error (TLS code: X509_V_ERR_CERT_HAS_EXPIRED)
>>
>> SSL Certificate expired on: May 30 10:48:38 2020 GMT
> When this happens, in cache.log I see:
>> 2020/06/23 15:03:31 kid1| ERROR: negotiating TLS on FD 33:
>> error:14090086:SSL routines:ssl3_get_server_certificate:certificate
>> verify failed (1/-1/0)
> I know an intermediate certificate expired, but a new one should have
> been published.
> Does Squid perform something different from OpenSSL?
Yes, Squid has custom TLS-related code, including certificate
validation, generation, and fetching code.
> Does it have some certificate cache
Yes, there can be two or even four caches in play here:
1. the in-RAM cache of generated fake certificates (see dynamic_cert_mem_cache_size),
2. the on-disk cache of generated fake certificates (see sslcrtd_program),
3. a regular HTTP in-RAM cache (see cache_mem) that may keep a copy of the intermediate certificate downloaded by Squid,
4. a regular HTTP on-disk cache (see cache_dir) that may keep a copy of the intermediate certificate downloaded by Squid.
> I should clear?
*If* Squid is caching an expired certificate without revalidation, then
this is essentially a Squid bug. There are many unknowns here, so I
cannot confirm or deny the existence of such a bug without spending more
free time which I do not have (unfortunately). I also do not know (did
not check) whether Squid is caching the expired fake certificate and/or
the real intermediate one.
You can try to fix the problem or work around the Squid bug by clearing
the caches.
> How?
I would begin with a full Squid shutdown and start. This will clear all
in-RAM caches.
If the problem persists, you can remove the entire on-disk certificate
generator cache (or extract the bad certificates from it, but that
requires even more work). See sslcrtd_program for more info on that
cache location. Do not forget to re-initialize it!
If the problem persists, you can remove the entire on-disk HTTP cache
(or extract the bad certificates from it, but that requires even more
work). See cache_dir for more info on that cache location. Do not forget
to re-initialize it!
I cannot give you step-by-step instructions, but others on the list may
pitch in as you make progress in your triage using the above hints.
HTH,
Alex.
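A shell helper for the three triage steps Alex lists (full restart, then the certificate-generator DB, then the on-disk HTTP cache), added here as an example and not taken from the thread or from the Squid project. It assumes the squid.conf path shown, that `squid` and `security_file_certgen` are on PATH, and it reads the DB and cache locations from the `sslcrtd_program` and `cache_dir` directives instead of hard-coding them.

```shell
#!/bin/sh
# Assumptions (not from the thread): squid.conf location and binaries on PATH.
SQUID_CONF="${SQUID_CONF:-/usr/local/etc/squid/squid.conf}"

# Read one option value (-s or -M) from the sslcrtd_program directive, e.g.
#   sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_db -M 4MB
# A commented-out directive has "#" as its first field, so it never matches.
certgen_opt() {
    awk -v opt="$2" '$1 == "sslcrtd_program" {
        for (i = 2; i < NF; i++) if ($i == opt) { print $(i + 1); exit } }' "$1"
}

# Path of the first cache_dir directive, e.g. "cache_dir ufs /var/squid/cache 1000 16 256".
cache_dir_path() {
    awk '$1 == "cache_dir" { print $3; exit }' "$1"
}

# Steps in the order Alex suggests; run the next one only if the error persists.
clear_squid_caches() {
    conf="$1"
    case "$2" in
        restart)   # a full stop/start drops every in-RAM cache
            squid -k shutdown -f "$conf"
            while squid -k check -f "$conf" 2>/dev/null; do sleep 1; done
            squid -f "$conf" ;;
        certdb)    # wipe the generated-certificate DB and re-initialize it (Squid stopped)
            db="$(certgen_opt "$conf" -s)"; size="$(certgen_opt "$conf" -M)"
            [ -n "$db" ] || { echo "sslcrtd_program has no -s directory" >&2; return 1; }
            rm -rf "$db"
            # afterwards chown the new DB to the cache_effective_user
            security_file_certgen -c -s "$db" -M "${size:-4MB}" ;;
        httpcache) # wipe the on-disk HTTP cache and re-create the swap dirs (Squid stopped)
            dir="$(cache_dir_path "$conf")"
            [ -n "$dir" ] || { echo "no cache_dir configured" >&2; return 1; }
            rm -rf "$dir"/* && squid -z -f "$conf" ;;
        *) echo "usage: $0 restart|certdb|httpcache" >&2; return 2 ;;
    esac
}

if [ $# -ge 1 ]; then clear_squid_caches "$SQUID_CONF" "$1"; fi
```

Run each step as root on the proxy host, re-testing the failing site in between; the script does nothing when invoked without an argument.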