On Tue, 27 Oct 2009 12:54:03 -0700 (PDT), vandermeer <jason.vanderm...@gmail.com> wrote: > I have squid 3.1.0.14 running with the configuration below to forward > decrypted traffic from sslBump to icap for inspection. > > When i browse non SSL sites with sslBump enabled everything is fine > > When i browse SSL sites with sslbump disabled everything is fine. > > When I browse SSL sites with sslbump enabled i receive the following > errors: > > 2009/10/27 10:57:41| SSL unknown certificate error 19 in > /C=US/ST=Arizona/L=Phoenix/O=American Express Company/OU=Web > Hosting/CN=www.americanexpress.com > > 2009/10/27 10:57:41| fwdNegotiateSSL: Error negotiating SSL connection on > FD > 14: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate > verify failed (1/-1/0)
This is Squid SSL library failing to verify the real _web server_ certificate. There are a couple of things to check. * you have correct and most recent signing authority certificates etc to verify theirs against. * your SSL library being used by Squid is capable of SSLv3 9which their site appears to require) There is a slim chance it could actually be a case of site forgery (your upstream doing SslBump would be pure irony). > > My certificate is my company wildcard certificate. That only affects the browsers visiting through your Squid. Which seems fine so far. > > Squid Config: > > icap_enable on > > icap_service service_req reqmod_precache 1 > icap://10.207.214.22:1344/request > adaptation_access service_req allow all > > icap_service service_resp respmod_precache 0 > icap://10.207.214.22:1344/response > adaptation_access service_resp allow all > > # configure the HTTP port to bump CONNECT requests > http_port 3128 sslBump cert=/usr/local/squid/etc/cert.pem > > > # Bumped requests have relative URLs so Squid has to use reverse proxy > # or accelerator code. By default, that code denies direct forwarding. > # The need for this option may disappear in the future. > always_direct allow all > So far so good. However I see you have cut-n-pasted the example config and trying to run it. The following bits are probably not needed. > # avoid bumping requests to sites that Squid cannot proxy well > acl broken_sites dstdomain .webax.com > ssl_bump deny broken_sites > ssl_bump allow all > > # ignore certain certificate errors or > # ignore errors with certain cites (very dangerous!) > acl TrustedName url_regex ^https://weserve.badcerts.com/ > acl BogusError ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH > sslproxy_cert_error allow TrustedName > sslproxy_cert_error allow BogusError > sslproxy_cert_error deny all Amos
