Re: [squid-users] sslBump, error SSL unknown certificate error

From: vandermeer <jason.vandermeer_at_gmail.com>
Date: Wed, 28 Oct 2009 07:13:24 -0700 (PDT)

Got it, I did not have my full list of signing authority certificates
installed in the right location. I updated these using:

apt-get install openssl ca-certificates

Then copied the certs from the /etc/ssl/certs directory into my openssl
installation directory. Works great now!

Amos Jeffries-2 wrote:
>
> On Tue, 27 Oct 2009 12:54:03 -0700 (PDT), vandermeer
> <jason.vandermeer_at_gmail.com> wrote:
>> I have squid 3.1.0.14 running with the configuration below to forward
>> decrypted traffic from sslBump to icap for inspection.
>>
>> When i browse non SSL sites with sslBump enabled everything is fine
>>
>> When i browse SSL sites with sslbump disabled everything is fine.
>>
>> When I browse SSL sites with sslbump enabled i receive the following
>> errors:
>>
>> 2009/10/27 10:57:41| SSL unknown certificate error 19 in
>> /C=US/ST=Arizona/L=Phoenix/O=American Express Company/OU=Web
>> Hosting/CN=www.americanexpress.com
>>
>> 2009/10/27 10:57:41| fwdNegotiateSSL: Error negotiating SSL connection
> on
>> FD
>> 14: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
>> verify failed (1/-1/0)
>
> This is Squid SSL library failing to verify the real _web server_
> certificate.
>
> There are a couple of things to check.
> * you have correct and most recent signing authority certificates etc to
> verify theirs against.
> * your SSL library being used by Squid is capable of SSLv3 (which their
> site appears to require)
>
> There is a slim chance it could actually be a case of site forgery (your
> upstream doing SslBump would be pure irony).
>
>>
>> My certificate is my company wildcard certificate.
>
> That only affects the browsers visiting through your Squid. Which seems
> fine so far.
>
>>
>> Squid Config:
>>
>> icap_enable on
>>
>> icap_service service_req reqmod_precache 1
>> icap://10.207.214.22:1344/request
>> adaptation_access service_req allow all
>>
>> icap_service service_resp respmod_precache 0
>> icap://10.207.214.22:1344/response
>> adaptation_access service_resp allow all
>>
>> # configure the HTTP port to bump CONNECT requests
>> http_port 3128 sslBump cert=/usr/local/squid/etc/cert.pem
>>
>>
>> # Bumped requests have relative URLs so Squid has to use reverse proxy
>> # or accelerator code. By default, that code denies direct forwarding.
>> # The need for this option may disappear in the future.
>> always_direct allow all
>>
>
> So far so good. However I see you have cut-n-pasted the example config and
> are trying to run it.
> The following bits are probably not needed.
>
>> # avoid bumping requests to sites that Squid cannot proxy well
>> acl broken_sites dstdomain .webax.com
>> ssl_bump deny broken_sites
>> ssl_bump allow all
>>
>> # ignore certain certificate errors or
>> # ignore errors with certain sites (very dangerous!)
>> acl TrustedName url_regex ^https://weserve.badcerts.com/
>> acl BogusError ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
>> sslproxy_cert_error allow TrustedName
>> sslproxy_cert_error allow BogusError
>> sslproxy_cert_error deny all
>
>
> Amos
>
>

Received on Wed Oct 28 2009 - 14:13:27 MDT
