SSL3_GET_SERVER_CERTIFICATE failed


G~D~Lunatic
My squid is a transparent proxy.
The cache.log shows:
2017/12/07 15:42:53 kid1| Error negotiating SSL connection on FD 175: Closed by client
2017/12/07 15:42:54 kid1| Error negotiating SSL on FD 95: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/12/07 15:42:55 kid1| Error negotiating SSL connection on FD 124: Closed by client
2017/12/07 15:42:56 kid1| Error negotiating SSL on FD 52: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)


What's the problem? Thank you.

Here is my configuration:

https_port 192.168.51.200:3129 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem key=/usr/local/squid/ssl_cert/myCA.pem options=NO_SSLv3,NO_SSLv2


acl broken_sites ssl::server_name matchweb.sports.qq.com
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3
ssl_bump splice broken_sites
#ssl_bump splice all
ssl_bump stare ssl_step1
ssl_bump bump ssl_step2
ssl_bump terminate ssl_step3

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: SSL3_GET_SERVER_CERTIFICATE failed

Amos Jeffries
Administrator
On 07/12/17 20:47, G~D~Lunatic wrote:

> My squid is a transparent proxy.
> The cache.log shows:
> 2017/12/07 15:42:53 kid1| Error negotiating SSL connection on FD 175:
> Closed by client
> 2017/12/07 15:42:54 kid1| Error negotiating SSL on FD 95:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed (1/-1/0)
> 2017/12/07 15:42:55 kid1| Error negotiating SSL connection on FD 124:
> Closed by client
> 2017/12/07 15:42:56 kid1| Error negotiating SSL on FD 52:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed (1/-1/0)
>
>
> What's the problem? Thank you.

Four log lines talking about four different connections (FDs).

Two of them are "Closed by client".

Two of them "certificate verify failed" for the remote server certificate.


For those server certificates the relevant options are the sslproxy_* or
tls_outgoing_options directives in your squid.conf.

* Maybe your system CA certificates are outdated; check for that and update.

* Maybe the server cert is missing intermediate certs from its chain.
In Squid-3.5 use sslproxy_foreign_intermediate_certs to inform Squid of
extra intermediate certs that might be missing.

* Maybe the server cert is actually invalid. That happens a lot,
especially on dodgy traffic.


Amos
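The by-hand triage in the reply above, as an added example that is not part of either message or of Squid itself: Python that splits cache.log TLS negotiation errors per FD into client-side closes and server-certificate verification failures, and unpacks the OpenSSL 1.0.x packed error code. The sample input is the four lines from the thread; the function and field names are hypothetical.

```python
import re
from collections import Counter

# Sample input: the four cache.log lines quoted in the thread.
SAMPLE_LOG = """\
2017/12/07 15:42:53 kid1| Error negotiating SSL connection on FD 175: Closed by client
2017/12/07 15:42:54 kid1| Error negotiating SSL on FD 95: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/12/07 15:42:55 kid1| Error negotiating SSL connection on FD 124: Closed by client
2017/12/07 15:42:56 kid1| Error negotiating SSL on FD 52: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) kid\d+\| "
    r"Error negotiating SSL(?: connection)? on FD (?P<fd>\d+): (?P<detail>.*)$")
# OpenSSL error string: error:<hex code>:<library>:<function>:<reason>
OSSL_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):[^:]*:(?P<func>[^:]*):(?P<reason>.*?)(?: \(\S+\))?$")

def unpack_error(code_hex):
    """Split an OpenSSL 1.0.x packed error code into (lib, func, reason) numbers."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def classify(line):
    """Return a record for one TLS negotiation error line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "fd": int(m["fd"]), "kind": "other"}
    if m["detail"] == "Closed by client":
        rec["kind"] = "closed_by_client"      # the client closed the connection
        return rec
    e = OSSL_RE.match(m["detail"])
    if e:
        rec.update(numeric=unpack_error(e["code"]), func=e["func"], reason=e["reason"])
        if e["func"] == "SSL3_GET_SERVER_CERTIFICATE":
            # Squid rejected the remote server's certificate
            rec["kind"] = "server_cert_verify_failed"
    return rec

def triage(text):
    """Classify every matching line; return (records, counts per kind)."""
    recs = [r for r in map(classify, text.splitlines()) if r]
    return recs, Counter(r["kind"] for r in recs)

if __name__ == "__main__":
    records, counts = triage(SAMPLE_LOG)
    print(dict(counts))
    for r in records:
        if r["kind"] == "server_cert_verify_failed":
            print(r["ts"], "FD", r["fd"], r["reason"], r["numeric"])
```

Only the `server_cert_verify_failed` records concern the sslproxy_* / tls_outgoing_options settings named in the reply; the `closed_by_client` records are separate connections.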