squid 3.5.27 .https website show SEC_ERROR_UNKNOWN_ISSUER


G~D~Lunatic
With your help, I changed my configuration, and now the HTTPS problem is SEC_ERROR_UNKNOWN_ISSUER.
I use Squid 3.5.27 as a transparent proxy and an ICAP client. With the proxy, I access most HTTPS websites like www.amazon.com, but failed. So I want to know where the problem is or how to deal with it.

The webpage shows a reminder like: "www.amazon.com used an invalid security certificate. The certificate is not trusted because of its self-signature. This certificate is invalid for the name www.amazon.com. Error code: SEC_ERROR_UNKNOWN_ISSUER"

Here is my configuration:

# Squid normally listens to port 3128
http_port 3120

http_port 3128 intercept

https_port 192.168.51.200:3129 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem key=/usr/local/squid/ssl_cert/myCA.pem

#acl ssl_step1 at_step SslBump1
#acl ssl_step2 at_step SslBump2
#acl ssl_step3 at_step SslBump3
#ssl_bump peek ssl_step1
#ssl_bump splice all

sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1


#icap
icap_enable on
icap_preview_enable on
icap_preview_size 1024
icap_send_client_ip on
adaptation_meta X-Client-Port "%>p"
icap_206_enable on
icap_persistent_connections off

icap_service service_req reqmod_precache 0 icap://192.168.51.200:1344/echo
icap_service service_res respmod_precache 1 icap://192.168.51.200:1344/echo
adaptation_access service_res allow all
adaptation_access service_req allow all








_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: squid 3.5.27 .https website show SEC_ERROR_UNKNOWN_ISSUER

Amos Jeffries
Administrator
On 20/11/17 21:06, G~D~Lunatic wrote:
> With your help, I changed my configuration, and now the HTTPS problem is
> SEC_ERROR_UNKNOWN_ISSUER.
> I use Squid 3.5.27 as a transparent proxy and an ICAP client. With the
> proxy, I access most HTTPS websites like www.amazon.com
> http://www.hupu.com, but failed. So I want to know where the problem is
> or how to deal with it.
>

The config you presented has one major problem - you have configured
ssl-bump option on the https_port but do not have any ssl_bump
directives telling Squid what bumping actions are to be done.

What Squid does under that circumstance is bump the TLS using an invalid
server certificate and deliver an error page to the client in hopes that
either the invalid cert will throw up an error, or the error page might
be displayed.

Amos
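
The condition described in the reply above (an `ssl-bump` port option with no `ssl_bump` directive in effect) can be checked mechanically before Squid is reloaded. The Python below is an added example, not part of either message or of Squid itself; the function name `audit_ssl_bump` and the sample text (the posted configuration, shortened) are constructed for illustration.

```python
# Constructed sample: the relevant lines of the configuration posted above, shortened.
POSTED_CONF = """\
http_port 3120
http_port 3128 intercept
https_port 192.168.51.200:3129 intercept ssl-bump generate-host-certificates=on cert=/usr/local/squid/ssl_cert/myCA.pem
#acl ssl_step1 at_step SslBump1
#ssl_bump peek ssl_step1
#ssl_bump splice all
"""


def audit_ssl_bump(conf_text):
    """Return findings for ports that enable ssl-bump while no ssl_bump rule is active."""
    bump_ports, active_rules, commented_rules = [], [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Remember disabled ssl_bump rules so the report can point at them.
            body = line.lstrip("#").strip()
            if body.split()[:1] == ["ssl_bump"]:
                commented_rules.append((lineno, body))
            continue
        tokens = line.split()
        # Port options follow the address, so look for the flag from token 2 on.
        if tokens[0] in ("http_port", "https_port") and "ssl-bump" in tokens[2:]:
            bump_ports.append((lineno, tokens[0], tokens[1]))
        elif tokens[0] == "ssl_bump":
            active_rules.append((lineno, line))

    findings = []
    if bump_ports and not active_rules:
        for lineno, directive, addr in bump_ports:
            findings.append(
                f"line {lineno}: {directive} {addr} sets ssl-bump "
                "but no active ssl_bump directive exists"
            )
        for lineno, body in commented_rules:
            findings.append(f"line {lineno}: commented out: {body}")
    return findings


if __name__ == "__main__":
    for finding in audit_ssl_bump(POSTED_CONF):
        print(finding)
```

An empty result only means some `ssl_bump` rule is active; it does not show that the rules do what is intended.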