Hi Alex, Thanks for the help. Comments inline.
> On Jan 13, 2021, at 2:23 PM, Alex Rousskov <rouss...@measurement-factory.com> wrote:
>
> On 1/13/21 4:33 PM, Greg Hulands wrote:
>
>> I am setting up squid 5.0.3 and during testing I have found some
>> websites fail to have their certificates generated correctly. I am
>> able to go to sites like YouTube.com and have the certificates for
>> that be generated correctly, but when I try to go to some others,
>> like arstechnica.com, they fail to generate and return the CA cert
>> that squid is using to sign certificates with.
>
> Just to double check: Are you sure that the certificate the client gets
> is the configured CA certificate? For example, do the two certificates
> have the same fingerprint?

Yes, I verified it’s the same certificate - fingerprints are a match.

>> I turned the logging up on certificate stuff to 5 and have the cache log
>> from trying to make a request
>> here: https://gist.github.com/ghulands/f89b49bf180bfac86c98c46c4260f1eb
>
> The posted snippet shows successful TLS negotiation with the origin
> server (FD 23) and a subsequently failed negotiation with the client (FD
> 21). The latter may have failed because the client did not like the
> certificate generated by Squid, but I did not check the exact failure
> reason carefully.
>
> The snippet has no information about Squid sending the (generated)
> certificates to the client, but Squid appears to receive some generated
> certificate from the helper (crtGenRq3180846).
>
> * If you are sure that the client gets a wrong certificate from Squid,
> then I recommend posting an ALL,9 log of the problematic transaction.
> With some luck, we may be able to see what went wrong with certificate
> generation (or virgin certificate validation??).

I have put the ALL,9 log here https://gist.github.com/ghulands/4a689db93fc87f9e7f69174f292f1914
I can see it generates the certificate correctly, but couldn’t identify why it didn’t return the cert to the client.

> * Otherwise, I recommend double checking what certificate the client
> gets. If the client gets the correct generated certificate, then the
> problem is not in certificate validation or generation.
>
> Posting the certificate that the client actually gets may help a lot
> with the triage as well.

The certificate that gets returned is in the logs as it’s the CA cert.

Thanks,
Greg

> HTH,
>
> Alex.
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users