bank blocked

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

bank blocked

Vacheslav
Peace,

Here is the log ufdbguard:

2018-10-31 17:34:45 [4270] TLSv1.2 certificate for i.bps-sberbank.by:443: UNRECOGNISED ISSUER  (maybe a certificate chain issue)  *****
2018-10-31 17:34:45 [4270]    issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
2018-10-31 17:34:45 [4270]    subject: /C=BY/L=Minsk/O=BPS-Sberbank OAO/OU=Head Office/CN=*.bps-sberbank.by
2018-10-31 17:34:45 [4270] TLSv1.2 connection to i.bps-sberbank.by:443 has error code 12. It is marked as a TLS/SSL certificate issue
2018-10-31 17:34:45 [4270] BLOCK -                10.17.10.17     config     https-option  i.bps-sberbank.by:443 CONNECT

What is wrong?


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: bank blocked

Matus UHLAR - fantomas
On 31.10.18 17:41, Vacheslav wrote:
>2018-10-31 17:34:45 [4270] TLSv1.2 certificate for i.bps-sberbank.by:443: UNRECOGNISED ISSUER  (maybe a certificate chain issue)  *****
>2018-10-31 17:34:45 [4270]    issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018

does your system recopgnize this authority? Do have actual list of CAs?

>2018-10-31 17:34:45 [4270]    subject: /C=BY/L=Minsk/O=BPS-Sberbank OAO/OU=Head Office/CN=*.bps-sberbank.by
>2018-10-31 17:34:45 [4270] TLSv1.2 connection to i.bps-sberbank.by:443 has error code 12. It is marked as a TLS/SSL certificate issue
>2018-10-31 17:34:45 [4270] BLOCK -                10.17.10.17     config     https-option  i.bps-sberbank.by:443 CONNECT
>
>What is wrong?

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
On the other hand, you have different fingers.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: bank blocked

Vacheslav
I do not use bump or splice if that is what you mean. I do not import certificates.. it works without proxy.

-----Original Message-----
From: squid-users <[hidden email]> On Behalf Of Matus UHLAR - fantomas
Sent: Wednesday, October 31, 2018 5:46 PM
To: [hidden email]
Subject: Re: [squid-users] bank blocked

On 31.10.18 17:41, Vacheslav wrote:
>2018-10-31 17:34:45 [4270] TLSv1.2 certificate for i.bps-sberbank.by:443: UNRECOGNISED ISSUER  (maybe a certificate chain issue)  *****
>2018-10-31 17:34:45 [4270]    issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018

does your system recopgnize this authority? Do have actual list of CAs?

>2018-10-31 17:34:45 [4270]    subject: /C=BY/L=Minsk/O=BPS-Sberbank OAO/OU=Head Office/CN=*.bps-sberbank.by
>2018-10-31 17:34:45 [4270] TLSv1.2 connection to i.bps-sberbank.by:443 has error code 12. It is marked as a TLS/SSL certificate issue
>2018-10-31 17:34:45 [4270] BLOCK -                10.17.10.17     config     https-option  i.bps-sberbank.by:443 CONNECT
>
>What is wrong?

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
On the other hand, you have different fingers.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: bank blocked

Marcus Kool
When there is an issue with a certificate, it is good practice to go to ssllabs to verify what is going on.

https://www.ssllabs.com/ssltest/analyze.html?d=i.bps%2dsberbank.by&hideResults=on&latest
shows that there is an incomplete certificate chain issue (in orange) which means that the server of the bank does not send all (intermediate) certificates.
Click on the blue '+' of certification paths and it shows that the 'GeoTrust RSA CA 2018' (intermediate certificate) had to be downloaded.

The messages are not from Squid but from ufdbGuard which apparently is configured with an option to block the URL is case of a certificate issue.
Since Squid already checks for valid certificate chains, I suggest to turn this option off in ufdbGuard.

Marcus


On 31/10/2018 11:48, Vacheslav wrote:

> I do not use bump or splice if that is what you mean. I do not import certificates.. it works without proxy.
>
> -----Original Message-----
> From: squid-users <[hidden email]> On Behalf Of Matus UHLAR - fantomas
> Sent: Wednesday, October 31, 2018 5:46 PM
> To: [hidden email]
> Subject: Re: [squid-users] bank blocked
>
> On 31.10.18 17:41, Vacheslav wrote:
>> 2018-10-31 17:34:45 [4270] TLSv1.2 certificate for i.bps-sberbank.by:443: UNRECOGNISED ISSUER  (maybe a certificate chain issue)  *****
>> 2018-10-31 17:34:45 [4270]    issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
>
> does your system recopgnize this authority? Do have actual list of CAs?
>
>> 2018-10-31 17:34:45 [4270]    subject: /C=BY/L=Minsk/O=BPS-Sberbank OAO/OU=Head Office/CN=*.bps-sberbank.by
>> 2018-10-31 17:34:45 [4270] TLSv1.2 connection to i.bps-sberbank.by:443 has error code 12. It is marked as a TLS/SSL certificate issue
>> 2018-10-31 17:34:45 [4270] BLOCK -                10.17.10.17     config     https-option  i.bps-sberbank.by:443 CONNECT
>>
>> What is wrong?
>
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users