Re: [squid-users] sslBump, error SSL unknown certificate error

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 28 Oct 2009 15:31:34 +1300

On Tue, 27 Oct 2009 12:54:03 -0700 (PDT), vandermeer
<jason.vandermeer_at_gmail.com> wrote:
> I have squid 3.1.0.14 running with the configuration below to forward
> decrypted traffic from sslBump to icap for inspection.
>
> When i browse non SSL sites with sslBump enabled everything is fine
>
> When i browse SSL sites with sslbump disabled everything is fine.
>
> When I browse SSL sites with sslbump enabled i receive the following
> errors:
>
> 2009/10/27 10:57:41| SSL unknown certificate error 19 in
> /C=US/ST=Arizona/L=Phoenix/O=American Express Company/OU=Web
> Hosting/CN=www.americanexpress.com
>
> 2009/10/27 10:57:41| fwdNegotiateSSL: Error negotiating SSL connection on FD
> 14: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed (1/-1/0)

This is Squid SSL library failing to verify the real _web server_
certificate.

There are a couple of things to check.
 * you have correct and most recent signing authority certificates etc to
verify theirs against.
 * your SSL library being used by Squid is capable of SSLv3 (which their
site appears to require)

There is a slim chance it could actually be a case of site forgery (your
upstream doing SslBump would be pure irony).

>
> My certificate is my company wildcard certificate.

That only affects the browsers visiting through your Squid. Which seems
fine so far.

>
> Squid Config:
>
> icap_enable on
>
> icap_service service_req reqmod_precache 1
> icap://10.207.214.22:1344/request
> adaptation_access service_req allow all
>
> icap_service service_resp respmod_precache 0
> icap://10.207.214.22:1344/response
> adaptation_access service_resp allow all
>
> # configure the HTTP port to bump CONNECT requests
> http_port 3128 sslBump cert=/usr/local/squid/etc/cert.pem
>
>
> # Bumped requests have relative URLs so Squid has to use reverse proxy
> # or accelerator code. By default, that code denies direct forwarding.
> # The need for this option may disappear in the future.
> always_direct allow all
>

So far so good. However I see you have cut-n-pasted the example config and
are trying to run it.
The following bits are probably not needed.

> # avoid bumping requests to sites that Squid cannot proxy well
> acl broken_sites dstdomain .webax.com
> ssl_bump deny broken_sites
> ssl_bump allow all
>
> # ignore certain certificate errors or
> # ignore errors with certain sites (very dangerous!)
> acl TrustedName url_regex ^https://weserve.badcerts.com/
> acl BogusError ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
> sslproxy_cert_error allow TrustedName
> sslproxy_cert_error allow BogusError
> sslproxy_cert_error deny all

Amos
Received on Wed Oct 28 2009 - 02:31:38 MDT
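The first check above (does the proxy hold the signing authority certificate the server's chain leads to?) can be reproduced outside Squid with the openssl command line. The script below is an added example, not part of this thread or of Squid: it builds two throwaway self-signed CAs and one server certificate in a temporary directory (all names are made up), then runs `openssl verify` three times with different trust stores and reports the numeric verify error, which is the same number Squid logs as "SSL unknown certificate error N". In OpenSSL's numbering 19 is X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN (the server sent a complete chain, but its root is not in the proxy's trust store) and 20 is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (the issuer was neither sent nor trusted). It assumes an openssl binary whose default config marks `req -x509` certificates as CA:TRUE, which the stock openssl.cnf does.

```shell
#!/bin/sh
# Added example (not Squid code): reproduce "certificate verify failed"
# with openssl against throwaway CAs, and read off the numeric error.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed root, written to $WORK/NAME.pem / NAME.key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$1" 2>/dev/null
}

# make_leaf NAME ISSUER: server certificate NAME signed by CA ISSUER
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 1 -out "$WORK/$1.pem" 2>/dev/null
}

# verify_chain TRUSTED LEAF SENT
#   TRUSTED = the CA the proxy trusts (its "CA bundle")
#   LEAF    = the server certificate
#   SENT    = the extra certificate the server sends alongside the leaf
# Prints OpenSSL's verify error number, or 0 when the chain verifies.
verify_chain() {
  out=$(openssl verify -CAfile "$WORK/$1.pem" -untrusted "$WORK/$3.pem" \
        "$WORK/$2.pem" 2>&1 || true)
  # Failure lines look like: "error 19 at 1 depth lookup: self signed ..."
  code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
  if [ -n "$code" ]; then
    echo "$code"
  else
    case "$out" in *": OK"*) echo 0 ;; *) echo unknown ;; esac
  fi
}

# Constructed setup: the server was issued by other-ca, the proxy trusts trusted-ca.
make_ca trusted-ca
make_ca other-ca
make_leaf www.example.test other-ca

echo "chain complete, root not in trust store: $(verify_chain trusted-ca www.example.test other-ca)"
echo "issuer neither sent nor trusted:         $(verify_chain trusted-ca www.example.test trusted-ca)"
echo "root present in trust store:             $(verify_chain other-ca   www.example.test other-ca)"
```

The first line is the situation in the log above: a self-signed root arrives in the chain but the trust store the proxy was built against does not contain it, so the fix is on the proxy side (current CA bundle), not in the server's certificate. The third line shows the same chain verifying once the matching root is trusted.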
