[squid-users] The status of AIA ie: TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ?
Amos Jeffries
squid3 at treenet.co.nz
Fri Feb 4 23:58:28 UTC 2022
On 26/01/22 06:12, Eliezer Croitoru wrote:
> Hey,
>
> I have recently seen more than one site that doesn't provide the full CA
> bundle chain.
> An example:
> https://www.ssllabs.com/ssltest/analyze.html?d=www.cloudschool.org
> https://www.ssllabs.com/ssltest/analyze.html?d= certificatechain.io
>
> I wanted to somehow get this issue logged properly.
> Currently squid sends the client a customized 503 page and the next line in
> cache.log:
> 2022/01/25 19:01:25 kid1| ERROR: negotiating TLS on FD 26:
> error:1416F086:SSL routines:tls_process_server_certificate:certificate
> verify failed (1/-1/0)
>
> Were there any improvements in this area in the 5.x or 6.x branches?
"in this area" yes. Both versions have significant bug fixes around the
chain handling. As usual the later the Squid version the better SSL-Bump
and TLS "cutting edge" features work.
YMMV whether those changes help in your particular instances of the
error. Some are caused by TLS certs just being invalid.
> And also the logging is very uninformative regarding the culprit of the
> issue.
That has improved a little in later versions. It is part of the ongoing
work to figure out what is going on and what needs to be logged to
understand the actions without facing a flood of crypto information.
> I would have expected that the remote host ip:port and sni would be logged
> as well in the above mentioned line.
>
SNI is one of the details TLS/1.3 encrypts now :(
> Currently I do not know about a way to identify from the logs these specific
> sites.
The "ERROR:" message gives you the FD number of the relevant client
connection. With that "FD nn" you can scan the preceding cache.log in
sections:
5,9 50,9 51,3 (generic I/O)
83,7 (security I/O)
11,2 (HTTP messaging for CONNECT tunnel and cert fetches, if any)
Amos
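An added example (not part of Amos's reply and not Squid's own code) of the triage step he describes: take the "FD nn" from the ERROR line, then walk back through cache.log for earlier records on that same FD. The script below parses the OpenSSL error string quoted in the thread into its library/function/reason fields and groups the preceding same-FD lines with it. The non-ERROR log lines in SAMPLE_LOG are constructed for the demonstration (real cache.log wording at those debug levels differs); the timestamp/kid prefix format is assumed from the line quoted above.

```python
"""Correlate Squid 'negotiating TLS' errors with earlier cache.log records on the same FD.

Added example for the thread above; it is not part of Squid.  Only the ERROR
line is taken from the thread, the other SAMPLE_LOG lines are constructed.
"""
import re
import sys
from collections import defaultdict

# cache.log record prefix: "YYYY/MM/DD HH:MM:SS[.mmm] kidN| message" (assumed format)
RECORD_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)? kid(?P<kid>\d+)\| (?P<msg>.*)$"
)
TLS_ERROR_RE = re.compile(r"^ERROR: negotiating TLS on FD (?P<fd>\d+): (?P<detail>.*)$")
# OpenSSL error string: error:<hex code>:<library>:<function>:<reason> [(extra)]
OPENSSL_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>.*?)(?: \((?P<extra>[^)]*)\))?$"
)
FD_RE = re.compile(r"\bFD (\d+)\b")

# Constructed sample.  The ERROR record is deliberately split over two lines,
# exactly as it was pasted into the mailing-list post.
SAMPLE_LOG = """\
2022/01/25 19:01:24 kid1| constructed: FD 26 connected to 203.0.113.10:443
2022/01/25 19:01:24 kid1| constructed: FD 27 connected to 203.0.113.11:443
2022/01/25 19:01:25 kid1| constructed: FD 26 server certificate received, 1 cert in chain
2022/01/25 19:01:25 kid1| ERROR: negotiating TLS on FD 26:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (1/-1/0)
2022/01/25 19:01:26 kid1| constructed: FD 27 TLS handshake complete
"""


def join_wrapped(lines):
    """Re-join records that a mail client or editor wrapped onto several lines."""
    records = []
    for line in lines:
        line = line.rstrip("\n")
        if not line.strip():
            continue
        if RECORD_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()  # continuation of the previous record
    return records


def parse_openssl_error(detail):
    """Split 'error:1416F086:SSL routines:func:reason (extra)' into named fields."""
    m = OPENSSL_RE.search(detail)
    if not m:
        return None
    return {
        "code": m.group("code"),
        "lib": m.group("lib"),
        "func": m.group("func"),
        "reason": m.group("reason").strip(),
        "extra": m.group("extra"),
    }


def correlate(lines):
    """Return one finding per TLS ERROR record, with the earlier same-FD records attached."""
    history = defaultdict(list)  # FD number -> messages seen since the last error on it
    findings = []
    for rec in join_wrapped(lines):
        m = RECORD_RE.match(rec)
        if not m:
            continue
        msg = m.group("msg")
        err = TLS_ERROR_RE.match(msg)
        if err:
            fd = int(err.group("fd"))
            findings.append({
                "time": m.group("ts"),
                "fd": fd,
                "openssl": parse_openssl_error(err.group("detail")),
                "context": history.pop(fd, []),  # consume: an FD number is reused after close
            })
            continue
        for fd_str in FD_RE.findall(msg):
            history[int(fd_str)].append(msg)
    return findings


def summarize(finding):
    """One human-readable line per finding, for grep-style review."""
    o = finding["openssl"] or {}
    head = f"{finding['time']} FD {finding['fd']}: {o.get('func', '?')} -> {o.get('reason', '?')}"
    return head + "".join(f"\n    earlier: {c}" for c in finding["context"])


if __name__ == "__main__":
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for f in correlate(src):
        print(summarize(f))
```

Run it with a cache.log path as the argument, or without arguments to see the constructed sample. Because Squid reuses FD numbers after a connection closes, the context for an FD is consumed at each ERROR record; if the relevant debug sections (5, 50, 51, 83, 11) are not enabled at the levels Amos lists, the context list will simply be empty.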