[squid-users] Squid and cross-signed certificates

Marcus Kool marcus.kool at urlfilterdb.com
Sun May 31 12:17:46 UTC 2020


yes, I have seen this with Squid _with_ ssl_bump. In trying to resolve the issue I also upgraded to Squid 4.11, removed the certificate cache and still had messages that the certificate expired on May 30 2020. Double-checked all certificates but none has this expiry date.

We have a wildcard certificate of Sectigo that we use for *.urlfilterdb.com. The really strange thing is that the issue does not appear for all subdomains:

'www' subdomain is OK

'files' subdomain has expired certificate

www.sectigo.com also has an expiration issue when used with the Squid proxy and ssl_bump (peek+bump mode).

My *guess* is that the certificate checking code used by ssl_bump does not check all certificate signing paths.

Marcus


On 2020-05-31 00:58, Garbacik, Joe wrote:
> Has anyone else noticed any issues with the expiration of the Sectigo certificates today that appear to be related to this issue:
> https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117LT
> https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000rgSZ
>
> I started seeing this in my logs today for a site that has always worked.
>
> ... cert_errors="X509_V_ERR_CERT_HAS_EXPIRED at depth=3" ...
>
> I also noticed that with a browser, bypassing the proxy, the certificate is fine.
> I also noticed that testing with openssl, it indicates expired as well.
>
>     Verify return code: 10 (certificate has expired)
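As an added illustration (not code from either poster, and not Squid's or OpenSSL's own implementation), the toy model below shows why a path builder that follows the server-supplied chain to its end reports "X509_V_ERR_CERT_HAS_EXPIRED at depth=3", while one that consults the trust store first validates the same leaf. It assumes the Sectigo hierarchy in effect on 31 May 2020 (the USERTrust RSA CA cross-signed by the AddTrust External CA Root, which expired on 30 May 2020), simplified names and dates, and, as an assumption about the 'www' versus 'files' difference, that only the 'files' host served the cross-certificate.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

    def is_self_signed(self):
        return self.subject == self.issuer

TODAY = date(2020, 5, 31)  # the day of the thread

# Constructed, simplified model of the Sectigo hierarchy (names and dates approximate)
LEAF = Cert("*.urlfilterdb.com", "Sectigo RSA DV Secure Server CA", date(2021, 3, 1))
SECTIGO_DV = Cert("Sectigo RSA DV Secure Server CA", "USERTrust RSA CA", date(2030, 12, 31))
# Cross-certificate: same USERTrust subject and key, but signed by the old AddTrust root
USERTRUST_CROSS = Cert("USERTrust RSA CA", "AddTrust External CA Root", date(2020, 5, 30))
USERTRUST_ROOT = Cert("USERTrust RSA CA", "USERTrust RSA CA", date(2038, 1, 18))
ADDTRUST_ROOT = Cert("AddTrust External CA Root", "AddTrust External CA Root", date(2020, 5, 30))
TRUST_STORE = [USERTRUST_ROOT, ADDTRUST_ROOT]  # old CA bundles still ship the AddTrust root

def build_chain(sent, store, trusted_first):
    """Walk from the leaf up to a self-signed cert. A legacy builder takes the next
    issuer from the server-supplied chain first; a trusted-first builder looks in
    the trust store first, so it stops at the USERTrust root instead of following
    the cross-certificate to AddTrust."""
    chain = [sent[0]]
    while not chain[-1].is_self_signed():
        pool = store + sent if trusted_first else sent + store
        issuer = next((c for c in pool if c.subject == chain[-1].issuer and c is not chain[-1]), None)
        if issuer is None:
            return chain, "unable to get issuer certificate"
        chain.append(issuer)
    return chain, None

def verify(sent, store, trusted_first, today=TODAY):
    """Return (ok, message). Validity is checked from the top of the chain down,
    so an expired root is reported at the deepest depth, as in the log line."""
    chain, err = build_chain(sent, store, trusted_first)
    if err:
        return False, err
    if chain[-1] not in store:
        return False, "self-signed certificate in certificate chain"
    for depth in range(len(chain) - 1, -1, -1):
        if chain[depth].not_after < today:
            return False, f"X509_V_ERR_CERT_HAS_EXPIRED at depth={depth}"
    return True, "ok"

# Assumed server behaviour: 'files' sends the cross-cert, 'www' sends only the DV intermediate
FILES_CHAIN = [LEAF, SECTIGO_DV, USERTRUST_CROSS]
WWW_CHAIN = [LEAF, SECTIGO_DV]
```

With the legacy walk the 'files' chain fails at depth 3 and the 'www' chain passes, which matches the per-subdomain behaviour reported above; with trusted-first both pass, and so would both if the expired AddTrust root were removed from the proxy's trust store.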