SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

erdosain9
Hi.
I'm having a lot of this in cache.log... is this normal? The https access
is working fine... but I have those errors.

2017/09/04 13:10:58 kid1| Error negotiating SSL on FD 467: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:10:58 kid1| Error negotiating SSL on FD 58: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:10:59 kid1| Error negotiating SSL on FD 640: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:01 kid1| Error negotiating SSL on FD 640: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:01 kid1| Error negotiating SSL on FD 794: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:02 kid1| Error negotiating SSL on FD 314: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:28 kid1| Error negotiating SSL on FD 299: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:29 kid1| Error negotiating SSL on FD 299: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:31 kid1| Error negotiating SSL on FD 620: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:31 kid1| Error negotiating SSL on FD 105: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:31 kid1| Error negotiating SSL on FD 495: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:32 kid1| Error negotiating SSL on FD 495: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:39 kid1| Error negotiating SSL on FD 457: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:40 kid1| Error negotiating SSL on FD 457: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:40 kid1| Error negotiating SSL on FD 452: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:41 kid1| Error negotiating SSL on FD 452: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:41 kid1| Error negotiating SSL on FD 210: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:42 kid1| Error negotiating SSL on FD 210: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:58 kid1| Error negotiating SSL on FD 197: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:58 kid1| Error negotiating SSL on FD 197: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:59 kid1| Error negotiating SSL on FD 472: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (:




--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Amos Jeffries
Administrator
On 05/09/17 04:20, erdosain9 wrote:
> Hi.
> I'm having a lot of this in cache.log... is this normal? The https access
> is working fine... but I have those errors.
>
> 2017/09/04 13:10:58 kid1| Error negotiating SSL on FD 467: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)


Yes and no. "Normal" is relative to why it is happening.

e.g. if your network is under attack it is "normal" to see signs like
this, but hardly desirable.

On the other hand if the CA certificate being verified has expired or
been revoked it is both normal and desirable to see these instead of letting
the traffic through. Opinions on that differ a lot though.



* Check that your Squid machine's ca-certificates are up to date with the
latest ones available. That can make your proxy unable to deal with CA
changes unless you stay up to date. Regular updates are on the order of
weeks, but can happen with no notice if any CA is breached or goes rogue.

* Check that your crypto library is also the latest available. Some
types of change in TLS extensions can lead to cert errors if the library
does not understand what fields in the server cert mean. This also helps
prevent many cipher related errors.

* Take a closer look at the HTTP(S) transaction using the mentioned FD
number. That may need a section 11,2 trace to see the URL and server
names and/or IP. See if the openssl command line tools can tell you what
is non-verifiable about the server cert.

* If it turns out to be an intermediary cert not known by Squid, check
carefully whether you actually want to trust it. If so you can use
sslproxy_foreign_intermediate_certs to load it explicitly (or Squid-4
should auto-download as needed).
<http://www.squid-cache.org/Doc/config/sslproxy_foreign_intermediate_certs/>


It is rarely any other type of occurrence that can be solved by Squid.
The above should provide some clues to further debugging if necessary.

Amos
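
Added example (not part of the original thread and not Squid project code): a small Python triage script for cache.log entries like the ones quoted above. It rejoins entries that were wrapped across lines, decodes the OpenSSL error number, and counts failures per FD so the busiest descriptors can be looked at first. The function names and the SAMPLE text are constructed for illustration; the bit layout used to decode the number is the OpenSSL 1.x one.

```python
import re
from collections import Counter
# Constructed sample shaped like the cache.log excerpt in this thread,
# including the mail wrapping that splits one entry over several lines.
SAMPLE = """\
2017/09/04 13:10:58 kid1| Error negotiating SSL on FD 467:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed (
1/-1/0)
2017/09/04 13:11:31 kid1| Error negotiating SSL on FD 495: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1
/-1/0)
2017/09/04 13:11:32 kid1| Error negotiating SSL on FD 495:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed (1/-1/0)
2017/09/04 13:11:40 kid1| (constructed unrelated line)
"""
STAMP = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)(?: kid\d+)?\| ")
TLS_ERR = re.compile(r"Error negotiating SSL on FD (\d+): "
                     r"error:([0-9A-Fa-f]{8}):[^:]*:([^:]*):([^(]*)")

def reassemble(text):
    """Join continuation lines onto the timestamped line that starts an entry."""
    entries = []
    for line in text.splitlines():
        if STAMP.match(line):
            entries.append(line.strip())
        elif entries and line.strip():
            entries[-1] += " " + line.strip()
    return entries

def parse_tls_errors(text):
    """One dict per TLS negotiation failure, with the numeric code decoded."""
    found = []
    for entry in reassemble(text):
        m = TLS_ERR.search(entry)
        if m:
            code = int(m.group(2), 16)
            found.append({
                "time": STAMP.match(entry).group(1), "fd": int(m.group(1)),
                # OpenSSL 1.x packing: 8-bit library, 12-bit function, 12-bit reason
                "lib": code >> 24, "reason_code": code & 0xFFF,
                "func": m.group(3), "reason": m.group(4).strip(),
            })
    return found

def fds_to_trace(text):
    """Failures per FD, busiest first, as candidates for a closer look."""
    return Counter(e["fd"] for e in parse_tls_errors(text)).most_common()
```

FD numbers are reused over time, so pair each FD with its timestamp when matching it against a trace.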