[squid-users] SSL "certificate verify failed"

From: Christopher Giblin <CGI_at_zurich.ibm.com>
Date: Mon, 21 Mar 2011 19:00:35 +0100

Hi,
I am using Squid 3.1.8 with ssl_bump configured and have a problem
accessing a server over SSL/TLS.

Background:
I created a Certificate Authority (CA) with OpenSSL. The app server in
question is configured with a certificate signed by my CA.

I have verified my OpenSSL config and the app server's certificate using:
  "openssl verify -CApath /capath ... "
  "openssl s_client -CApath /capath ..."

Both commands indicate that the app server's certificate is verified.

Now I access that same app server through squid. In Squid I have ssl_bump
configured and have added the following:

  sslproxy_capath /capath

But the squid cache log shows:

   2011/03/21 17:16:17| fwdNegotiateSSL: Error negotiating SSL connection on FD 13: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)

Why would Squid not verify the app server's certificate, while openssl
(using the same capath) can?

Thanks,
-chris
Received on Mon Mar 21 2011 - 18:00:39 MDT
