On 5/12/2013 4:54 a.m., iishiii wrote:
> after again building Squid 3.4.0.3
> now am getting this error
>
<snip>
> 2013/12/04 20:49:01| fwdNegotiateSSL: Error negotiating SSL connection on FD
> 10: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed (1/-1/0)
> 2013/12/04 20:49:57| fwdNegotiateSSL: Error negotiating SSL connection on FD
> 66: error:00000000:lib(0):func(0):reason(0) (5/0/0)
>
>
> still can open facebook or https sites correctly ... pages are broken and a
> lot of security alerts...any idea ???
This is the certificate validation of outbound SSL connections from
Squid to some servers. The server certificate is invalid as far as Squid
can tell.
1) double- and triple- check that your Squids outbound connections on
port 443 are not being diverted back into Squid.
2) check if you ca-certificates on the Squid machine is up to date. Old
CA cert collections can fail to verify up-to-date servers in exactly
this way.
3) check what version of OpenSSL you are using. The big popular sites
are known to be using relatively recent SSL features in their
certificates. If your library is very old you may see these types of
errors as verification fails on some obscure library bugs.
...
99) check if your upstream service provider is performing SSL
interception. Your Squid may simply be detecting their forged certs if so.
Amos
Received on Thu Dec 05 2013 - 07:55:20 MST
This archive was generated by hypermail 2.2.0 : Thu Dec 05 2013 - 12:00:04 MST