On 05/09/17 04:20, erdosain9 wrote:
> I'm having a lot of this in cache.log... is this normal?? The https access
> is working fine... but I have those errors.
> 2017/09/04 13:10:58 kid1| Error negotiating SSL on FD 467:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> failed (
Yes and no. "Normal" is relative to why it is happening.
eg if your network is under attack it is "normal" to see signs like
this, but hardly desirable.
On the other hand if the CA certificate being verified has expired or been
revoked it is both normal and desirable to see these instead of letting
the traffic through. Opinions on that differ a lot though.
* Check that your Squid machine's ca-certificates are up to date with the
latest ones available. Not staying up to date can make your proxy unable
to deal with CA changes. Regular updates are on the order of
weeks, but can happen with no notice if any CA is breached or goes rogue.
* Check that your crypto library is also the latest available. Some
types of change in TLS extensions can lead to cert errors if the library
does not understand what fields in the server cert mean. This also helps
prevent many cipher-related errors.
* Take a closer look at the HTTP(S) transaction using the mentioned FD
number. That may need a section 11,2 trace to see the URL and server
names and/or IP. See if the openssl command line tools can tell you what
is non-verifiable about the server cert.
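A shell helper, added here as an example and not part of the thread, that carries out the last check above: it tallies the "Error negotiating SSL on FD" lines in cache.log by OpenSSL reason and lists the FD numbers per reason (the FDs you then match against a section 11,2 trace), and wraps the openssl s_client probe of the server cert. The function names and the sample log lines are constructed; the sample spells out OpenSSL's full "certificate verify failed" reason string and Squid's "(ssl_error/ret/errno)" trailer.

```shell
#!/bin/sh
# Constructed cache.log excerpt in the format quoted in the thread. The
# "(1/-1/0)" suffix is Squid's (ssl_error/ret/errno) trailer.
SAMPLE_LOG='2017/09/04 13:10:58 kid1| Error negotiating SSL on FD 467: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:02 kid1| Error negotiating SSL on FD 512: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:09 kid1| Error negotiating SSL on FD 467: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number (1/-1/0)
2017/09/04 13:11:15 kid1| Request header is too large'

# Read cache.log on stdin; print "count<TAB>routine:reason<TAB>FDs: ..." per
# distinct OpenSSL error, most frequent first. The FD list is what you look
# up in a "debug_options 11,2" trace to recover the URL / server name.
summarize_ssl_errors() {
    awk '
    /Error negotiating SSL on FD/ {
        sub(/.*on FD /, "")                                  # drop timestamp and kid prefix
        fd = $1; sub(/:$/, "", fd)                           # "467:" -> "467"
        sub(/^[^ ]* error:[0-9A-Fa-f]*:SSL routines:/, "")   # keep routine:reason
        sub(/ \([^)]*\)$/, "")                               # drop (ssl_error/ret/errno)
        count[$0]++
        fds[$0] = fds[$0] " " fd
    }
    END { for (r in count) printf "%d\t%s\tFDs:%s\n", count[r], r, fds[r] }' | sort -rn
}

# Probe the server a failing FD was talking to (host and port taken from the
# 11,2 trace). Prints OpenSSL's verify result plus the leaf cert's subject,
# issuer and validity window, which is usually enough to see why the proxy
# could not verify it. Needs network access, so it is not run here.
check_server_cert() {
    host=$1; port=${2:-443}
    out=$(openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null)
    printf '%s\n' "$out" | grep 'Verify return code'
    printf '%s\n' "$out" \
        | sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
        | sed '/-END CERTIFICATE-/q' \
        | openssl x509 -noout -subject -issuer -dates
}

printf '%s\n' "$SAMPLE_LOG" | summarize_ssl_errors
```

Run it as `summarize_ssl_errors < /var/log/squid/cache.log` on a real log; a single reason dominating across many FDs usually points at one server or one stale CA rather than random noise.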