The messages are not from Squid but from ufdbGuard which apparently is configured with an option to block the URL in case of a certificate issue.
Since Squid already checks for valid certificate chains, I suggest to turn this option off in ufdbGuard.
On 31/10/2018 11:48, Vacheslav wrote:
> I do not use bump or splice if that is what you mean. I do not import certificates.. it works without proxy.
> -----Original Message-----
> From: squid-users <[hidden email]> On Behalf Of Matus UHLAR - fantomas
> Sent: Wednesday, October 31, 2018 5:46 PM
> To: [hidden email]
> Subject: Re: [squid-users] bank blocked
> On 31.10.18 17:41, Vacheslav wrote:
>> 2018-10-31 17:34:45  TLSv1.2 certificate for i.bps-sberbank.by:443: UNRECOGNISED ISSUER (maybe a certificate chain issue) *****
>> 2018-10-31 17:34:45  issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
> Does your system recognize this authority? Do you have an actual list of CAs?
>> 2018-10-31 17:34:45  subject: /C=BY/L=Minsk/O=BPS-Sberbank OAO/OU=Head Office/CN=*.bps-sberbank.by
>> 2018-10-31 17:34:45  TLSv1.2 connection to i.bps-sberbank.by:443 has error code 12. It is marked as a TLS/SSL certificate issue
>> 2018-10-31 17:34:45  BLOCK - 10.17.10.17 config https-option i.bps-sberbank.by:443 CONNECT
>> What is wrong?
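
Added example (not part of any message in this thread and not ufdbGuard's own code): a small triage script that joins each `https-option` BLOCK line with the certificate diagnostics logged for the same host:port, which makes it visible that the block comes from ufdbGuard's HTTPS check rather than from Squid. The regular expressions and field names are assumptions inferred only from the log lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: the ufdbGuard log lines quoted in the thread above.
SAMPLE_LOG = """\
2018-10-31 17:34:45  TLSv1.2 certificate for i.bps-sberbank.by:443: UNRECOGNISED ISSUER (maybe a certificate chain issue) *****
2018-10-31 17:34:45  issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
2018-10-31 17:34:45  subject: /C=BY/L=Minsk/O=BPS-Sberbank OAO/OU=Head Office/CN=*.bps-sberbank.by
2018-10-31 17:34:45  TLSv1.2 connection to i.bps-sberbank.by:443 has error code 12. It is marked as a TLS/SSL certificate issue
2018-10-31 17:34:45  BLOCK - 10.17.10.17 config https-option i.bps-sberbank.by:443 CONNECT
"""

# Patterns inferred from those five lines only (an assumption, not a format spec).
CERT = re.compile(r"certificate for (\S+?:\d+): (.+?)(?: \*+)?$")
ISSUER = re.compile(r"issuer: (.+)$")
ERR = re.compile(r"connection to (\S+?:\d+) has error code (\d+)")
BLOCK = re.compile(r"BLOCK - (\S+) (\S+) (\S+) (\S+?:\d+) (\S+)$")

def triage(log_text):
    """Return one record per https-option BLOCK, joined with the certificate
    diagnostics logged earlier for the same host:port."""
    certs = defaultdict(dict)   # host:port -> problem / issuer / error_code
    last_target = None          # issuer lines carry no host, so remember the last one
    findings = []
    for line in log_text.splitlines():
        if m := CERT.search(line):
            last_target = m.group(1)
            certs[last_target]["problem"] = m.group(2)
        elif (m := ISSUER.search(line)) and last_target:
            certs[last_target]["issuer"] = m.group(1)
        elif m := ERR.search(line):
            certs[m.group(1)]["error_code"] = int(m.group(2))
        elif (m := BLOCK.search(line)) and m.group(3) == "https-option":
            client, _, reason, target, method = m.groups()
            findings.append({"client": client, "target": target, "method": method,
                             "blocked_by": reason, **certs.get(target, {})})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

If the issuer reported here validates against the CA bundle that Squid and the operating system use, the mismatch is in the trust data the filter consults, which is consistent with the advice at the top of this message.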