Re: [squid-users] SSLBUMP certificate verify failed
On 18/01/2016 10:13 a.m., Roman Gelfand wrote:
> I am not sure where I am going wrong here...
>
> ssl bump certificate
> openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout squidCA.pem -out squidCA.pem
>
> The der certificate was generated and deployed on client computer trusted root
> openssl x509 -in squidCA.pem -outform DER -out squidCA.der
>
> squid.conf
> http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/ssl_cert/squidCA.pem

What makes you think the squid-to-client certificate details have anything to do with the server-to-squid certificate failing to verify?

Your issue is probably:
* outdated Trusted CAs installed on the Squid machine, and/or
* the certificate the server is presenting to Squid being invalid, and/or
* the certificate chain being presented by the server being incomplete, and/or
* non-TLS response coming back to Squid from the server, and/or
* someone else MITM'ing the connection upstream of Squid.

Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
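Added example, not part of the thread or of Squid's own tooling: an offline check showing how two of the causes listed above (a trust store that lacks the issuing root, and a server that omits its intermediate) make verification of the server certificate fail, and that trusting the bump CA changes nothing. Every name and file is constructed; `bump.pem` is a stand-in for squidCA.pem, and the PKI is throwaway.

```shell
# Added example. Constructed PKI in a temp dir: root -> intermediate -> leaf,
# plus an unrelated self-signed CA standing in for squidCA.pem.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
EOF
# self_signed NAME CN: key plus self-signed CA certificate (NAME.key, NAME.pem)
self_signed() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -x509 -days 2 \
        -config pki.cnf -extensions ca -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}
# new_csr NAME CN: key plus certificate request (NAME.key, NAME.csr)
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config pki.cnf \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
# sign CHILD ISSUER [x509 options]: issue CHILD.pem from CHILD.csr
sign() {
    child=$1; issuer=$2; shift 2
    openssl x509 -req -in "$child.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
        -CAcreateserial -days 2 -sha256 -out "$child.pem" "$@" 2>/dev/null
}
# check TRUSTED [UNTRUSTED]: verify leaf.pem against the anchors in TRUSTED, with
# UNTRUSTED playing the chain certificates the server sent. Prints OK or FAIL.
# Parses output, not exit status, which older OpenSSL releases left at 0 on failure.
check() {
    if openssl verify -CAfile "$1" ${2:+-untrusted $2} leaf.pem 2>/dev/null |
        grep -q ': OK$'
    then echo OK; else echo FAIL; fi
}

self_signed root "Constructed Root CA"
self_signed bump "Stand-in for squidCA.pem"
new_csr int "Constructed Intermediate CA"
sign int root -extfile pki.cnf -extensions ca
new_csr leaf "server.example"
sign leaf int
echo "root trusted, server sent intermediate: $(check root.pem int.pem)"
echo "root trusted, intermediate not sent:    $(check root.pem)"
echo "only the bump CA trusted:               $(check bump.pem int.pem)"
```

On a real proxy the same `openssl verify` call can be pointed at the Squid machine's CA bundle and a saved copy of the chain the origin server presents.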
Re: [squid-users] SSLBUMP certificate verify failed
This is most probably client certificate error. IM or something. You can ignore it if users not compliances.

18.01.16 3:13, Roman Gelfand wrote:
> I am not sure where I am going wrong here...
>
> ssl bump certificate
> openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout squidCA.pem -out squidCA.pem
>
> The der certificate was generated and deployed on client computer trusted root
> openssl x509 -in squidCA.pem -outform DER -out squidCA.der
>
> squid.conf
> http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/ssl_cert/squidCA.pem
>
> On Sun, Jan 17, 2016 at 1:58 PM, Yuri Voinov wrote:
>
>> No.
>>
>> 18.01.16 0:56, Roman Gelfand wrote:
>>> I am getting an error, below, in a cache.log. How can I identify the
>>> request associated with this error? It doesn't appear to be an issue with
>>> client-to-proxy. It seems like a problem with proxy-to-remote_server.
>>>
>>> Error negotiating SSL on FD 43: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Re: [squid-users] SSLBUMP certificate verify failed
I am not sure where I am going wrong here...

ssl bump certificate
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout squidCA.pem -out squidCA.pem

The der certificate was generated and deployed on client computer trusted root
openssl x509 -in squidCA.pem -outform DER -out squidCA.der

squid.conf
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/ssl_cert/squidCA.pem

On Sun, Jan 17, 2016 at 1:58 PM, Yuri Voinov wrote:
> No.
>
> 18.01.16 0:56, Roman Gelfand wrote:
> > I am getting an error, below, in a cache.log. How can I identify the
> > request associated with this error? It doesn't appear to be an issue with
> > client-to-proxy. It seems like a problem with proxy-to-remote_server.
> >
> > Error negotiating SSL on FD 43: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Re: [squid-users] SSLBUMP certificate verify failed
No.

18.01.16 0:56, Roman Gelfand wrote:
> I am getting an error, below, in a cache.log. How can I identify the
> request associated with this error? It doesn't appear to be an issue with
> client-to-proxy. It seems like a problem with proxy-to-remote_server.
>
> Error negotiating SSL on FD 43: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[squid-users] SSLBUMP certificate verify failed
I am getting an error, below, in a cache.log. How can I identify the request associated with this error? It doesn't appear to be an issue with client-to-proxy. It seems like a problem with proxy-to-remote_server.

Error negotiating SSL on FD 43: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed