(92) Protocol error (TLS code: X509_V_ERR_CERT_HAS_EXPIRED)


(92) Protocol error (TLS code: X509_V_ERR_CERT_HAS_EXPIRED)

Andrea Venturoli
Hello.

Running Squid 4.11 on FreeBSD 11.3 with SSLBump, for a few days I've
had several sites (e.g. https://www.kawasaki.it/) failing with:

> The following error was encountered while trying to retrieve the URL: https://www.kawasaki.it/*
>
>     Failed to establish a secure connection to 54.39.161.167
>
> The system returned:
>
>     (92) Protocol error (TLS code: X509_V_ERR_CERT_HAS_EXPIRED)
>
>     SSL Certificate expired on: May 30 10:48:38 2020 GMT
>
> This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.



When this happens, in cache.log I see:
> 2020/06/23 15:03:31 kid1| ERROR: negotiating TLS on FD 33: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
> 2020/06/23 15:03:31 kid1| ERROR: negotiating TLS on FD 33: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
> 2020/06/23 15:03:31 kid1| ERROR: negotiating TLS on FD 53: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)



I know an intermediate certificate expired, but a new one should have
been published.



What I find strange is that using openssl directly succeeds:

> # openssl s_client -connect www.kawasaki.it:https
> CONNECTED(00000003)
> depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
> verify return:1
> depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert CN RSA CA G1
> verify return:1
> depth=0 C = CN, ST = \E7\A6\8F\E5\BB\BA\E7\9C\81, L = \E5\8E\A6\E9\97\A8\E5\B8\82, O = \E7\BD\91\E5\AE\BF\E7\A7\91\E6\8A\80\E8\82\A1\E4\BB\BD\E6\9C\89\E9\99\90\E5\85\AC\E5\8F\B8\E5\8E\A6\E9\97\A8\E5\88\86\E5\85\AC\E5\8F\B8, OU = IT, CN = webssl.chinanetcenter.com
> verify return:1
> ---
> Certificate chain
>  0 s:/C=CN/ST=\xE7\xA6\x8F\xE5\xBB\xBA\xE7\x9C\x81/L=\xE5\x8E\xA6\xE9\x97\xA8\xE5\xB8\x82/O=\xE7\xBD\x91\xE5\xAE\xBF\xE7\xA7\x91\xE6\x8A\x80\xE8\x82\xA1\xE4\xBB\xBD\xE6\x9C\x89\xE9\x99\x90\xE5\x85\xAC\xE5\x8F\xB8\xE5\x8E\xA6\xE9\x97\xA8\xE5\x88\x86\xE5\x85\xAC\xE5\x8F\xB8/OU=IT/CN=webssl.chinanetcenter.com
>    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert CN RSA CA G1
>  1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert CN RSA CA G1
>    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIWEDCCFPigAwIBAgIQA1RHNwOepXqwyoBuZiYbQTANBgkqhkiG9w0BAQsFADBf
> MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
> d3cuZGlnaWNlcnQuY29tMR4wHAYDVQQDExVEaWdpQ2VydCBDTiBSU0EgQ0EgRzEw
> HhcNMjAwNjE5MDAwMDAwWhcNMjAxMTA5MTIwMDAwWjCBnjELMAkGA1UEBhMCQ04x
> EjAQBgNVBAgMCeemj+W7uuecgTESMBAGA1UEBwwJ5Y6m6Zeo5biCMTYwNAYDVQQK
> DC3nvZHlrr/np5HmioDogqHku73mnInpmZDlhazlj7jljqbpl6jliIblhazlj7gx
> CzAJBgNVBAsTAklUMSIwIAYDVQQDExl3ZWJzc2wuY2hpbmFuZXRjZW50ZXIuY29t
> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA11rUTXwosZacGiiTO6+o
> Qhm7qZzl8T5fGeNwXsZw/EGtCcySXD8pQ33+IpMdXq8hi5EaBXeHCpUs4UCg4S1S
> WXlfGr3PbP+SwLRiXGGNPOPYywLX8N0SyDy1VOkrMHHDRscbf1x6pSJpSTRkNqXS
> 7+/zFTP26fDpvVlgG3U9VpAf7jpCg+xO2ppCbEyKEd02DGNSzSC0vmBJnsg/vI+j
> E8kpiDLjBXAIl5nSns6rChXgxH9/BO60Vef+R3lA5EMVUp31CzhkvjNrk9pcSVbw
> 6AVKlEU314G5diBe/ju0Vie/rnUHXb9FIIHN8+XiNhLBGK2TrgpYvba7gC+wkvVu
> ZwIDAQABo4IShjCCEoIwHwYDVR0jBBgwFoAU70ULeBWRpbbRc6SSb2NaWdNfPp0w
> HQYDVR0OBBYEFGdOsyhZD+/HmDtCHqpecLdpZvYeMIIPwgYDVR0RBIIPuTCCD7WC
> CiouY2N0di5jb22CCSouMTYzLmNvbYIPKi5jaGluYWxpdmUuY29tgg0qLmNjdHZw
> aWMuY29tggwqLmlzZWV5b28uY26CECouMjAxMGV4cG90di5jb22CCSouY2N0di5j
> boIMKi5zYW1sY3IuY29tggoqLnN5eXguY29tgg8qLnpodW9xdWFwcC5jb22CDSou
> NTA1NDM5OS5jb22CDyouYWl3YW40Mzk5LmNvbYIKKi4zODM5LmNvbYIJKi40Mzk5
> LmNugggqLjU2LmNvbYIJKi5jbnR2LmNugg4qLml3YW40Mzk5LmNvbYIOKi5saXZl
> Y2hpbmEuY26CDyoubGl2ZWNoaW5hLmNvbYIQKi5taXRhZ3Rlbm5pLm5ldIIOKi5v
> dXJkdnNzcy5jb22CDSouZGViZW5jZS5uZXSCDSouMzgzOWFwcC5jb22CDSouZGF5
> amF1eS5uZXSCDSouYm13Z3JvdXAuY26CDCouZm94aWpuLmNvbYIPKi5jaGlkYXJl
> c3MuY29tgg4qLmNvdmluaXlhLmNvbYINKi5pbWc0Mzk5LmNvbYIKKi4xMjM3MS5j
> boIMKi5pcGFuZGEubmV0ggwzMDAwdGVzdC5jb22CCyouaTM4MzkuY29tggsqLmlw
> MTM4LmNvbYIJaXAxMzguY29tggwqLnpoZTgwMC5jb22CDSoudnhpbnlvdS5jb22C
> DCouNDM5OWtlLmNvbYIKKi4zMDAwLmNvbYIQKi40Mzk5eW91cGFpLmNvbYIMKi55
> eGhoZGwuY29tgg0qLjMwMDBhcGkuY29tgg4qLmt1eWlueXVuLmNvbYIOKi5rdXlp
> bjEyMy5jb22CDCouZGl5cmluZy5jY4IOKi4zMDAwdGVzdC5jb22CDCoubWVpcGFp
> LmNvbYISKi5jYW5rYW94aWFveGkuY29tggsqLmNudHZ3Yi5jboIQKi5pYW5ub25l
> a3RtLm5ldIIMKi5pcGFuZGEuY29tggsqLmlwYW5kYS5jboINKi40Mzk5YXBpLm5l
> dIINKi51bmNjb2RvLmNvbYIPKi5tZWl0dWRhdGEuY29tggsqLm1laXR1LmNvbYIK
> Ki40Mzk5LmNvbYIPKi5uZXdzLmNjdHYuY29tghEqLm5ld2VyYS5jY3R2LmNvbYIS
> Ki5vcGVuY2xhLmNjdHYuY29tghYqLm5ld3Njb250ZW50LmNjdHYuY29tgg4qLm5u
> bi5jY3R2LmNvbYIOKi5uZXdzLmNudHYuY26CDyoubGl2ZS5jY3R2LmNvbYIUKi5u
> ZXdjb21tZW50LmNudHYuY26CESouaXR2LmNjdHZwaWMuY29tgg0qLmltZy5jbnR2
> LmNughMqLmltZy5saXZlY2hpbmEuY29tgg8qLmlwYW5kYS5jb20uY26CDiouaXBy
> LmNjdHYuY29tgg0qLmlwci5jbnR2LmNughAqLmlzaG93LmNjdHYuY29tgg4qLml0
> di5jY3R2LmNvbYINKi5pdHYuY250di5jboIWKi5uY3BhLWNsYXNzaWMuY250di5j
> boINKi5vdnAuY250di5jboIOKi5saXZlLmNudHYuY26CDioubWFpbC5jbnR2LmNu
> gg8qLm1pbmkuY2N0di5jb22CESoubW9uZ29sLmNjdHYuY29tghAqLm1vbmdvbC5j
> bnR2LmNuggwqLm15LmNudHYuY26CDSoub3BzLmNudHYuY26CDCoudC5jY3R2LmNv
> bYITKi5wYXNzcG9ydC5jY3R2LmNvbYIRKi53ZWJhcHAuY2N0di5jb22CDioudi5p
> cGFuZGEuY29tghAqLnZpZGVvLmNjdHYuY29tgg0qLnZpcC5jbnR2LmNugg4qLnZt
> cy5jY3R2LmNvbYIPKi52b3RlLmNjdHYuY29tgg4qLnZvdGUuY250di5jboINKi52
> cG4uY250di5jboINKi53eC5jY3R2LmNvbYIMKi52LmNjdHYuY29tggwqLnd4LmNu
> dHYuY26CDyoud3hhcHAuY250di5jboIQKi54aXlvdS5jY3R2LmNvbYIPKi54aXlv
> dS5jbnR2LmNugg0qLnlwLmNjdHYuY29tgg8qLnlzZHguY2N0di5jb22CFW1pY3Jv
> Z2FtZS41MDU0Mzk5Lm5ldIINaW1nLjcxYWNnLm5ldIILKi52LmNudHYuY26CDyou
> dW5pb24uY250di5jboISKi5wYXNzcG9ydC5jbnR2LmNughEqLnNwb3J0cy5jY3R2
> LmNvbYINKi5wYXkuY250di5jboIQKi5wbGF5ZXIuY250di5jboILKi5xLmNudHYu
> Y26CDSoucXIuY2N0di5jb22CDCoucXIuY250di5jboIOKi5zZGMuY2N0di5jb22C
> DSouc21zLmNudHYuY26CECouc3BvcnRzLmNudHYuY26CECoudW5pb24uY2N0di5j
> b22CDyouc3RhZmYuY250di5jboIOKi5pbWcuY2N0di5jb22CDSoudGMuY2N0di5j
> b22CFCoudGVjaGNlbnRlci5jbnR2LmNugg4qLnRlc3QuY250di5jboIQKi50cmF2
> ZWwuY250di5jboINKi50di5jY3R2LmNvbYIMKi50di5jbnR2LmNughEqLmltZy5j
> Y3R2cGljLmNvbYIZd2Vic3NsLmNoaW5hbmV0Y2VudGVyLmNvbYIic2VjdXJlLWlu
> dC13ZWItdGljLWNuLmJtd2dyb3VwLmNvbYIcc2VjdXJlLWluZm9uZXQzLmJtd2dy
> b3VwLmNvbYIOKi5hZHMuY2N0di5jb22CDyouNXBsdXMuY250di5jboIMdy50YW5j
> ZG4uY29tghFjcGcubWVpdHViYXNlLmNvbYIWd3d3Lm1pbml0aGVjb29wZXJzLmNv
> bYITKi5zZXJ2aWNlLmt1Z291LmNvbYIec2VjdXJlLXdlYi10aWMtY24uYm13Z3Jv
> dXAuY29tgiBzZWN1cmUtaW5mb25ldDItaW50LmJtd2dyb3VwLmNvbYInc2VjdXJl
> LWludC13ZWItdGljLW1pbmktY24uYm13Z3JvdXAuY29tgiNzZWN1cmUtd2ViLXRp
> Yy1taW5pLWNuLmJtd2dyb3VwLmNvbYIgc2VjdXJlLWluZm9uZXQzLWludC5ibXdn
> cm91cC5jb22CEmNtc2NuLmJtd2dyb3VwLmNvbYISKi5nZGpoLnZ4aW55b3UuY29t
> ggsqLnFmLjU2LmNvbYINbS40Mzk5YXBpLmNvbYIPYXV0by50YW5jZG4uY29tghBz
> ai5uenNpdGVyZXMuY29tghFmYW54aW5nLmt1Z291LmNvbYIMc3MuM3oyMjIuY29t
> gglzcy45azkuY26CFHl4ZC5mbGFzaGdhbWUxNjMuY29tghAqLnNlcnZ5b3UuY29t
> LmNughJtZmFueGluZy5rdWdvdS5jb22CCnNzby41Ni5jb22CDSouYXBpLmNudHYu
> Y26CDyouMjAwOC5jY3R2LmNvbYIOKi5hcHAuY2N0di5jb22CDiouY2JveC5jbnR2
> LmNughMqLmRvd25sb2FkLmNjdHYuY29tghIqLmRpYW55aW5nLmNudHYuY26CFCou
> ZGVuZ3poZXdvLmNjdHYuY29tgg8qLmRhdGEuY2N0di5jb22CEiouY3BvcnRhbC5j
> Y3R2LmNvbYIPKi5jcGM5MC5jbnR2LmNugg0qLmNudHYuY29tLmNugg0qLmNtcy5j
> bnR2LmNughAqLmNjdHY1LmNjdHYuY29tgg0qLmFwcC5jbnR2LmNugg9taC50aWFu
> Y2l0eS5jb22CDSouY2N0di5jb20uY26CDyouYmxvZy5jY3R2LmNvbYIQKi5iYWln
> ZS5jY3R2LmNvbYIPKi5hcHAuY250dndiLmNugg8qLmFwcHMuY2N0di5jb22CDSou
> YmJzLmNudHYuY26CDyouYXJ0cy5jY3R2LmNvbYIPKi5iYWlkdS5jbnR2LmNugg4q
> LmFwcHMuY250di5jboISZmFueGluZzIua3Vnb3UuY29tgg4qLmJicy5jY3R2LmNv
> bYIUbml0cm9tZS5jb20uNDM5OS5jb22CG2FwaS5iZWF1dHltYXN0ZXIubWVpeWFu
> LmNvbYIVaW9zLmh4ankuaXdhbjQzOTkuY29tghpoNS5iZWF1dHltYXN0ZXIubWVp
> eWFuLmNvbYIYYXBpLnNlbGZpZWNpdHkubWVpdHUuY29tghdoNS5zZWxmaWVjaXR5
> Lm1laXR1LmNvbYIWYXBpLnBob3RvLm1laXR1eXVuLmNvbYISaW0ubGl2ZS5tZWlw
> YWkuY29tghRhcGkueGl1eGl1Lm1laXR1LmNvbYIYeGl1eGl1Lmh1b2RvbmcubWVp
> dHUuY29tghhjZG4uaHhqeWlvcy5pd2FuNDM5OS5jb22CF2RsLmdpdmluZ3RhbGVz
> Lmd4cGFuLmNughBpZC5hcGkubWVpdHUuY29tghRhcGkubWFrZXVwLm1laXR1LmNv
> bYISb3Blbi53ZWIubWVpdHUuY29tghR4aXV4aXUud2ViLm1laXR1LmNvbYIUc3Rh
> dGljLmJzdC5tZWl0dS5jb22CFCouZ3JpZHN1bS52ZC5jbnR2LmNughIqLnZkbi5h
> cHBzLmNudHYuY26CEHVwbG9hZC5xZi41Ni5jb22CEiouZGlhcnkubXkuY250di5j
> boIUKi5pbnRsLjIwMDguY2N0di5jb22CEmRsLmpwaGJway5neHBhbi5jboIVKi5j
> YnMuc3BvcnRzLmNjdHYuY29tghgqLm11c2V1bS5pbWcuY2N0dnBpYy5jb22CFiou
> YXBpLmNwb3J0YWwuY2N0di5jb22CFioubmV3cy5pbWcuY2N0dnBpYy5jb22CH2Rs
> b3lhbHR5cGFydG5lci5jbi5ibXdncm91cC5jb22CHmRsb3lhbHR5ZGVhbGVyLmNu
> LmJtd2dyb3VwLmNvbYIdZGxveWFsdHlhZG1pbi5jbi5ibXdncm91cC5jb22CHmRs
> b3lhbHR5cmVwb3J0LmNuLmJtd2dyb3VwLmNvbYIZcHZtZXNzYWdlLmNuLmJtd2dy
> b3VwLmNvbYIVKi5oZC5jcG9ydGFsLmNjdHYuY29tghgqLnNwb3J0cy5pbWcuY2N0
> dnBpYy5jb22CFiouc3RhdGljLjIwMDguY2N0di5jb22CEyoudHYuY2N0djUuY2N0
> di5jb22CDm0uYmJzLjM4MzkuY29tghVjZG4uc3Nqai5pd2FuNDM5OS5jb22CESou
> di4yMDA4LmNjdHYuY29tghBjZG4uZGFubXUuNTYuY29tghRjZG4uaDV3YW4uNDM5
> OXNqLmNvbYIbd3d3Lm1pbmljbGlwLmNvbS40Mzk5cGsuY29tMA4GA1UdDwEB/wQE
> AwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwdQYDVR0fBG4wbDA0
> oDKgMIYuaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0Q05SU0FDQUcx
> LmNybDA0oDKgMIYuaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0Q05S
> U0FDQUcxLmNybDBMBgNVHSAERTBDMDcGCWCGSAGG/WwBATAqMCgGCCsGAQUFBwIB
> FhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMAgGBmeBDAECAjBvBggrBgEF
> BQcBAQRjMGEwIQYIKwYBBQUHMAGGFWh0dHA6Ly9vY3NwLmRjb2NzcC5jbjA8Bggr
> BgEFBQcwAoYwaHR0cDovL2NybC5kaWdpY2VydC1jbi5jb20vRGlnaUNlcnRDTlJT
> QUNBRzEuY3J0MAwGA1UdEwEB/wQCMAAwggEFBgorBgEEAdZ5AgQCBIH2BIHzAPEA
> dgAHt1wb5X1o//Gwxh0jFce65ld8V5S3au68YToaadOiHAAAAXLKnX81AAAEAwBH
> MEUCICQ38xCx2oi4RdWoHG37l5LfXuX6sYDFziYtIpljwgpVAiEAzSxc3uErukR8
> NgB/v65pyXrBmmZGvoAEyFp7YQcA1qYAdwBep3P531bA57U2SH3QSeAyepGaDISh
> EhKEGHWWgXFFWAAAAXLKnX66AAAEAwBIMEYCIQD2lWe7lQe3TGClTe9fsJ7FyzjF
> eEz15SyKOOdXF9VXxAIhAJZbRlEgVHC+pirpGXg7NjPaavEJm0p6F0TzcUYrnbWB
> MA0GCSqGSIb3DQEBCwUAA4IBAQB8k8PLcRM5n+0gMaqPoCHyWiONOAzo+nUzUwKl
> ZqaglB/s/ARo4tSnAj9cqPxryxw6gHt/waaHKucRMdJIALCiD6KMxaJfdq+RWeNs
> U9sb66G0S13I6viXPZQWRvyvqCnH8+VIeixg8ju68sjAFlYzO1lVTMfb6jZgpoGn
> /hBWMC5Ya4Y37PZjTXtF/3nH47+6n5qJi5d6kY4NPedOHo6ICa1GEroCFnNtmKol
> P4FopEjjCC7OPdWzGMtR+KGqiOUle1g4OwCd7/poKWuz73ae7T1Q0hhMOgs/wxC+
> 9dCRobbSomi61cNd42Y0zhvAws/Yfyw4GVFSJkIB+CqLdVOf
> -----END CERTIFICATE-----
> subject=/C=CN/ST=\xE7\xA6\x8F\xE5\xBB\xBA\xE7\x9C\x81/L=\xE5\x8E\xA6\xE9\x97\xA8\xE5\xB8\x82/O=\xE7\xBD\x91\xE5\xAE\xBF\xE7\xA7\x91\xE6\x8A\x80\xE8\x82\xA1\xE4\xBB\xBD\xE6\x9C\x89\xE9\x99\x90\xE5\x85\xAC\xE5\x8F\xB8\xE5\x8E\xA6\xE9\x97\xA8\xE5\x88\x86\xE5\x85\xAC\xE5\x8F\xB8/OU=IT/CN=webssl.chinanetcenter.com
> issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert CN RSA CA G1
> ---
> No client certificate CA names sent
> Peer signing digest: SHA256
> Server Temp Key: ECDH, P-256, 256 bits
> ---
> SSL handshake has read 7635 bytes and written 433 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES128-GCM-SHA256
>     Session-ID: 82265A527B8027908036EBB9486CC7A048E484F836AD3250952976969D95E12D
>     Session-ID-ctx:
>     Master-Key: 0738979C685DE1EFC159C9D21453A069379651D1B28326165A5C0C52265EE4601ED6D01BB44D74FFDEBACF7F73085853
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 7200 (seconds)
>     TLS session ticket:
>     0000 - f9 b5 c9 ba 56 9e 82 e9-e0 9e d1 09 bd 1e e3 ee   ....V...........
>     0010 - 24 0d 2a a3 ec c9 76 e3-60 b9 03 ff 86 62 e5 f3   $.*...v.`....b..
>     0020 - e4 28 3f e2 1b 3f 9a 42-3e 89 ce 5d b0 5a 78 3a   .(?..?.B>..].Zx:
>     0030 - 27 fa e3 0d f2 e8 72 2f-92 c5 a8 14 cd f3 22 0b   '.....r/......".
>     0040 - bc ec e3 f3 74 95 cf 07-56 b8 37 e1 a0 66 a5 23   ....t...V.7..f.#
>     0050 - 92 03 f3 b4 5b 47 4f f8-a0 11 c2 a2 9a 48 b5 6f   ....[GO......H.o
>     0060 - 6a e0 e6 2d ac f6 dc 23-32 ea b3 1a 92 11 ba f9   j..-...#2.......
>     0070 - 3c 4b 51 c8 3f ff 2d 37-15 89 56 2c 8e 63 ab 08   <KQ.?.-7..V,.c..
>     0080 - 0d 54 be fd f2 7c 3b 3a-2f 58 79 3d f6 58 31 91   .T...|;:/Xy=.X1.
>     0090 - 22 01 9e 2b 9a 62 fd 7b-3a 0b f0 71 f6 56 77 28   "..+.b.{:..q.Vw(
>     00a0 - 39 a3 0e 51 1e 39 fb b9-56 94 85 3c 93 7d e7 e1   9..Q.9..V..<.}..
>
>     Start Time: 1592924413
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---



Why is this?
Does Squid perform something different from OpenSSL?
Does it have some certificate cache I should clear? How?

  bye & Thanks
        av.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
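
An added check, not part of the original post: the two tools did not look at the same thing, so the first question is which certificate Squid actually rejected. Squid's error page prints the notAfter of the certificate it refused (May 30 10:48:38 2020 GMT). Decoding the leaf that openssl s_client printed above gives a different notAfter (and a notBefore later than May 30), so the rejected certificate is not the served leaf. The script below does that decode with a minimal DER walker from the Python standard library, offline. It embeds only the first four base64 lines of the posted leaf, which is where the Validity field sits (a truncation made for this example; pass complete PEMs in real use), and treats the cache.log timestamp as UTC (an assumption; the validity window is months wide, so the local-time offset cannot change the result).

```python
import base64
import re
from datetime import datetime, timezone

# First four base64 lines of the leaf for webssl.chinanetcenter.com exactly as
# posted in the thread. Validity lies within these bytes, so the rest of the PEM
# is left out (a deliberate truncation for this example).
LEAF_PEM_PREFIX = """-----BEGIN CERTIFICATE-----
MIIWEDCCFPigAwIBAgIQA1RHNwOepXqwyoBuZiYbQTANBgkqhkiG9w0BAQsFADBf
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMR4wHAYDVQQDExVEaWdpQ2VydCBDTiBSU0EgQ0EgRzEw
HhcNMjAwNjE5MDAwMDAwWhcNMjAxMTA5MTIwMDAwWjCBnjELMAkGA1UEBhMCQ04x
-----END CERTIFICATE-----"""

# Dates from the posted cache.log line and error page. cache.log prints local
# time; treated as UTC here (assumption, irrelevant to the outcome).
SQUID_LOG_TIME = datetime(2020, 6, 23, 15, 3, 31, tzinfo=timezone.utc)
SQUID_REPORTED_EXPIRY = datetime(2020, 5, 30, 10, 48, 38, tzinfo=timezone.utc)

SEQUENCE, UTC_TIME, GENERALIZED_TIME, EXPLICIT_0 = 0x30, 0x17, 0x18, 0xA0


def _read_tlv(buf, pos):
    """(tag, content_start, content_end) of the DER element at pos.
    Short and long definite lengths only; DER forbids the indefinite form."""
    tag, first = buf[pos], buf[pos + 1]
    if first == 0x80:
        raise ValueError("indefinite length is not DER")
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        length, header = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + header
    return tag, start, start + length


def _parse_time(tag, raw):
    """RFC 5280 Time: UTCTime YYMMDDHHMMSSZ (YY >= 50 means 19YY) or
    GeneralizedTime YYYYMMDDHHMMSSZ; certificates must use Zulu time."""
    text = raw.decode("ascii")
    if tag == UTC_TIME and len(text) == 13 and text.endswith("Z"):
        yy = int(text[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), text[2:12]
    elif tag == GENERALIZED_TIME and len(text) == 15 and text.endswith("Z"):
        year, rest = int(text[:4]), text[4:14]
    else:
        raise ValueError("unsupported Time encoding: tag 0x%02x %r" % (tag, text))
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def certificate_validity(pem):
    """Return (notBefore, notAfter) as aware UTC datetimes.
    Walks Certificate -> tbsCertificate -> [version] serialNumber, signature,
    issuer, validity and stops there. No signature or chain check is done;
    this is a diagnostic, not a verifier."""
    der = base64.b64decode(re.sub(r"-----[^-]*-----|\s", "", pem))
    tag, pos, _ = _read_tlv(der, 0)                   # Certificate
    if tag != SEQUENCE:
        raise ValueError("not a DER certificate")
    tag, pos, _ = _read_tlv(der, pos)                 # tbsCertificate
    if tag != SEQUENCE:
        raise ValueError("missing tbsCertificate")
    tag, _, end = _read_tlv(der, pos)
    if tag == EXPLICIT_0:                             # optional [0] version
        pos = end
    for _ in range(3):                                # serialNumber, signature, issuer
        _, _, pos = _read_tlv(der, pos)
    tag, pos, validity_end = _read_tlv(der, pos)      # validity SEQUENCE
    if tag != SEQUENCE:
        raise ValueError("missing Validity")
    t1, s1, e1 = _read_tlv(der, pos)
    t2, s2, e2 = _read_tlv(der, e1)
    if e2 != validity_end:
        raise ValueError("malformed Validity")
    return _parse_time(t1, der[s1:e1]), _parse_time(t2, der[s2:e2])


def certificate_validity_iso(pem):
    """certificate_validity() as ISO 8601 strings, for logging and tests."""
    return tuple(t.isoformat() for t in certificate_validity(pem))


def validity_status(pem, when):
    """'valid', 'expired' or 'not yet valid' for this certificate at `when`."""
    not_before, not_after = certificate_validity(pem)
    if when < not_before:
        return "not yet valid"
    return "expired" if when > not_after else "valid"


def squid_rejected_this_certificate(pem, reported_expiry):
    """Squid's error page prints the notAfter of the certificate it rejected.
    A mismatch means Squid refused some other certificate in the chain it
    built (a cached intermediate, for example), not this one."""
    return certificate_validity(pem)[1] == reported_expiry


if __name__ == "__main__":
    print("leaf notBefore/notAfter:", certificate_validity_iso(LEAF_PEM_PREFIX))
    print("leaf at cache.log time:", validity_status(LEAF_PEM_PREFIX, SQUID_LOG_TIME))
    print("leaf is what Squid rejected:",
          squid_rejected_this_certificate(LEAF_PEM_PREFIX, SQUID_REPORTED_EXPIRY))
```

Run the same functions over every PEM that `openssl s_client -showcerts` prints (leaf and intermediates) to see which one, if any, carries the May 30 date. If none does, the expired certificate Squid validated against did not come from the handshake you captured: either the proxy fetched or cached it itself, or the server handed the proxy a different chain than it handed your test client (CDN front ends do this), and the triage should continue on the proxy rather than on the site.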

Re: (92) Protocol error (TLS code: X509_V_ERR_CERT_HAS_EXPIRED)

Alex Rousskov
On 6/23/20 11:04 AM, Andrea Venturoli wrote:

> Running Squid 4.11 on FreeBSD 11.3 with SSLBump, for a few days I've
> had several sites (e.g. https://www.kawasaki.it/) failing with:
>
>> The following error was encountered while trying to retrieve the URL:
>> https://www.kawasaki.it/*
>>
>>     Failed to establish a secure connection to 54.39.161.167
>>
>> The system returned:
>>
>>     (92) Protocol error (TLS code: X509_V_ERR_CERT_HAS_EXPIRED)
>>
>>     SSL Certificate expired on: May 30 10:48:38 2020 GMT

> When this happens, in cache.log I see:
>> 2020/06/23 15:03:31 kid1| ERROR: negotiating TLS on FD 33:
>> error:14090086:SSL routines:ssl3_get_server_certificate:certificate
>> verify failed (1/-1/0)

> I know an intermediate certificate expired, but a new one should have
> been published.


> Does Squid perform something different from OpenSSL?

Yes, Squid has custom TLS-related code, including certificate
validation, generation, and fetching code.


> Does it have some certificate cache

Yes, there can be two or even four caches in play here:

1. the in-RAM cache of generated fake certificates (see
dynamic_cert_mem_cache_size),

2. the on-disk cache of generated fake certificates (see sslcrtd_program),

3. the regular HTTP in-RAM cache (see cache_mem) that may keep a copy of
the intermediate certificate downloaded by Squid,

4. the regular HTTP on-disk cache (see cache_dir) that may keep a copy of
the intermediate certificate downloaded by Squid.


> I should clear?

*If* Squid is caching an expired certificate without revalidation, then
this is essentially a Squid bug. There are many unknowns here, so I
cannot confirm or deny the existence of such a bug without spending more
free time which I do not have (unfortunately). I also do not know (did
not check) whether Squid is caching the expired fake certificate and/or
the real intermediate one.

You can try to fix the problem or work around the Squid bug by clearing
the caches.


> How?

I would begin with a full Squid shutdown and start. This will clear all
in-RAM caches.

If the problem persists, you can remove the entire on-disk certificate
generator cache (or extract the bad certificates from it, but that
requires even more work). See sslcrtd_program for more info on that
cache location. Do not forget to re-initialize it!

If the problem persists, you can remove the entire on-disk HTTP cache
(or extract the bad certificates from it, but that requires even more
work). See cache_dir for more info on that cache location. Do not forget
to re-initialize it!


I cannot give you step-by-step instructions, but others on the list may
pitch in as you make progress in your triage using the above hints.


HTH,

Alex.
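
The clearing procedure above as one script, added here as an example (it is not from the thread or from the Squid project). It reads the certificate generator database and the cache_dir paths out of squid.conf instead of guessing them, re-initialises both stores as the reply says to, and only acts when invoked with --run, so sourcing it just defines the functions. The default config path, the security_file_certgen helper name (Squid 4's certificate generator), the fallback cache user and the sample squid.conf lines in the comments are assumptions; check them against your installation and run it as root.

```sh
#!/bin/sh
# Added example, not from the thread: rebuild Squid's two on-disk caches in the
# order given in the reply (full stop, certificate generator DB, HTTP cache_dir,
# start). Config path below is an assumption for a FreeBSD port install.
SQUID_CONF="${SQUID_CONF:-/usr/local/etc/squid/squid.conf}"

# Helper binary on the sslcrtd_program line, e.g.
# sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_db -M 4MB
certgen_helper() { awk '$1 == "sslcrtd_program" { print $2; exit }' "$1"; }

# Value of a flag (-s dir, -M size) on the sslcrtd_program line
certgen_opt() {
    awk -v flag="$2" '$1 == "sslcrtd_program" {
        for (i = 3; i <= NF; i++) if ($i == flag) { print $(i + 1); exit } }' "$1"
}

# Directory of every cache_dir line, e.g. cache_dir ufs /var/squid/cache 4096 16 256
cache_dirs() { awk '$1 == "cache_dir" { print $3 }' "$1"; }

# cache_effective_user, falling back to Squid's built-in default "nobody"
effective_user() {
    u=$(awk '$1 == "cache_effective_user" { print $2; exit }' "$1")
    printf '%s\n' "${u:-nobody}"
}

rebuild_caches() {
    conf="$1"
    helper=$(certgen_helper "$conf")
    db=$(certgen_opt "$conf" -s)
    size=$(certgen_opt "$conf" -M)
    user=$(effective_user "$conf")
    [ -n "$helper" ] && [ -n "$db" ] || {
        echo "no sslcrtd_program ... -s <dir> in $conf" >&2; return 1; }

    # 1. Full shutdown (not -k reconfigure): this is what empties the in-RAM
    #    caches, dynamic_cert_mem_cache_size and cache_mem alike.
    squid -f "$conf" -k shutdown
    while squid -f "$conf" -k check 2>/dev/null; do sleep 1; done

    # 2. Drop and re-create the certificate generator DB; -c initialises a
    #    fresh database at -s with the -M size, and it must be owned by the
    #    user Squid runs the helper as.
    rm -rf "$db"
    "$helper" -c -s "$db" -M "${size:-4MB}"
    chown -R "$user" "$db"

    # 3. Drop every cache_dir (including swap.state) and let squid -z recreate
    #    the swap directories.
    for d in $(cache_dirs "$conf"); do rm -rf "$d"/*; done
    squid -f "$conf" -z

    # 4. Start Squid again.
    squid -f "$conf"
}

# Only act when asked; sourcing this file just defines the functions above.
if [ "${1:-}" = "--run" ]; then rebuild_caches "$SQUID_CONF"; fi
```

Do step 1 alone first and retest, as the reply suggests; only move on to the on-disk stores if the expired-certificate error survives a real restart. Anything you want to keep out of those directories should be copied away before --run, since both are deleted wholesale rather than pruned.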