Incomplete Certificate Chain for wiki.squid-cache.org

Dieter Bloms-3
Hello,

the wiki of squid cache project (wiki.squid-cache.org) has an incomplete
certificate chain.
I can't access the website with enabled sslbump and tlsv1.3 support,
because squid isn't able to download the missing intermediate
certificate on its own.

The administrator of that website should add the intermediate
certificate.

More info can be seen here: https://www.ssllabs.com/ssltest/analyze.html?d=wiki.squid%2dcache.org


--
Regards

  Dieter Bloms

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: Incomplete Certificate Chain for wiki.squid-cache.org

Amos Jeffries
Administrator
On 13/01/21 11:27 pm, Dieter Bloms wrote:
> Hello,
>
> the wiki of squid cache project (wiki.squid-cache.org) has an incomplete
> certificate chain.
> I can't access the website with enabled sslbump and tlsv1.3 support,
> because squid isn't able to download the missing intermediate
> certificate on its own.
>

What version of Squid are you using?

These certificates generated by LetsEncrypt use the AIA mechanism which
latest Squid versions should be downloading intermediate certs as-needed.

Amos

Re: Incomplete Certificate Chain for wiki.squid-cache.org

Matus UHLAR - fantomas
>On 13/01/21 11:27 pm, Dieter Bloms wrote:
>>the wiki of squid cache project (wiki.squid-cache.org) has an incomplete
>>certificate chain.
>>I can't access the website with enabled sslbump and tlsv1.3 support,
>>because squid isn't able to download the missing intermediate
>>certificate on its own.

On 14.01.21 17:41, Amos Jeffries wrote:
>These certificates generated by LetsEncrypt use the AIA mechanism
>which latest Squid versions should be downloading intermediate certs
>as-needed.

Invalid intermediate certificate is provided:


 0 s:CN = master.squid-cache.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3



--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watkins.  -- Daffy Duck & Porky Pig
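
The mismatch in the chain listing quoted above (certificate 0 names R3 as its issuer, but the certificate sent at depth 1 is Let's Encrypt Authority X3) can be checked mechanically. The following is an added example, not part of the original message or of Squid: it parses a listing in that `s:`/`i:` format and reports each place where a certificate's issuer is not the subject of the next certificate sent. The function names are made up for this example, and it compares names only, without verifying signatures.

```python
import re

# Chain listing exactly as quoted in the message above.
CHAIN_FROM_THREAD = """\
 0 s:CN = master.squid-cache.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
"""

SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # "<depth> s:<subject DN>"
ISSUER_RE = re.compile(r"^\s*i:(.*)$")            # "   i:<issuer DN>"


def normalize_dn(dn):
    """Drop spacing around '=' and ',' so formatting differences do not matter."""
    return re.sub(r"\s*([=,])\s*", r"\1", dn.strip())


def parse_chain(text):
    """Return [(depth, subject, issuer), ...]; other lines are ignored."""
    certs = []
    for line in text.splitlines():
        m = SUBJECT_RE.match(line)
        if m:
            certs.append([int(m.group(1)), normalize_dn(m.group(2)), None])
            continue
        m = ISSUER_RE.match(line)
        if m and certs and certs[-1][2] is None:
            certs[-1][2] = normalize_dn(m.group(1))
    return [tuple(c) for c in certs]


def find_chain_breaks(text):
    """Return (depth, issuer_wanted, subject_sent) for every link that does not join up."""
    certs = parse_chain(text)
    breaks = []
    for (depth, _subj, issuer), (_d, next_subj, _i) in zip(certs, certs[1:]):
        if issuer != next_subj:
            breaks.append((depth, issuer, next_subj))
    return breaks


if __name__ == "__main__":
    for depth, wanted, sent in find_chain_breaks(CHAIN_FROM_THREAD):
        print(f"cert {depth}: issued by '{wanted}', but next cert sent is '{sent}'")
```

A server whose listing produces a break at depth 0 is sending an intermediate that did not issue its leaf certificate, so a client has to obtain the right one elsewhere (for example via AIA, as discussed in this thread).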
Re: Incomplete Certificate Chain for wiki.squid-cache.org

Dieter Bloms-3
In reply to this post by Amos Jeffries
Hello Amos,

On Thu, Jan 14, Amos Jeffries wrote:

> On 13/01/21 11:27 pm, Dieter Bloms wrote:
> > Hello,
> >
> > the wiki of squid cache project (wiki.squid-cache.org) has an incomplete
> > certificate chain.
> > I can't access the website with enabled sslbump and tlsv1.3 support,
> > because squid isn't able to download the missing intermediate
> > certificate on its own.
>
> What version of Squid are you using?

We use Squid 4.13 and it works for TLS versions <1.3.
 
> These certificates generated by LetsEncrypt use the AIA mechanism which
> latest Squid versions should be downloading intermediate certs as-needed.

But for TLS 1.3 it doesn't work, because the certificate is encrypted.
Please have a look at the bug report https://bugs.squid-cache.org/show_bug.cgi?id=5067


--
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.