tlsv1 alert unknown ca (1/0)

masterx81
Hi!
I've enabled ssl-bump with the following directives:
acl no_ssl_interception dstdomain .somedomain.com

ssl_bump none localhost
ssl_bump none no_ssl_interception

ssl_bump stare
ssl_bump bump all

http_port 8080 ssl-bump cert=/etc/squid/ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB options=NO_SSLv3,NO_SSLv2 sslflags=NO_DEFAULT_CA


But in the cache.log file I have a lot of:
2018/04/26 10:27:45 kid1| Error negotiating SSL connection on FD 70: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)

I tried to put the directive
sslproxy_cafile /etc/ssl/certs/ca-bundle.crt

I tried to do a yum install ca-certificates to update the packages, no luck.

I've read several discussions about this, but I haven't come up with
anything...

The sites on the clients open well...

What can I try to do?
Thanks!





--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: tlsv1 alert unknown ca (1/0)

Amos Jeffries
Administrator
On 26/04/18 20:40, masterx81 wrote:
>
> What can I try to do?

You can try to find out what the CA is and work from there.

Amos

Re: tlsv1 alert unknown ca (1/0)

masterx81
How can I find what the problematic CA is?
In the cache.log I have hundreds of these (around 10 per second), but in the
access.log I have very few TCP_DENIED connections or, in general, other
errors that could indicate what's causing the problem.

Thanks!!




Re: tlsv1 alert unknown ca (1/0)

masterx81
Maybe I've spotted what it was: Trend Micro Antivirus (cloud version). It was
generating a lot of TCP_MISS with status code 200. I added the domain
.trendmicro.com to the "not bumped" domains (along with some Microsoft domains
used for the update processes) and the cache file is sooooo much cleaner!



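
Added example, not part of any post in this thread: the cache.log alert carries only a timestamp and an FD, so one way to narrow down which client and destination are rejecting the proxy's CA is to correlate alert timestamps with CONNECT entries in access.log. This is a co-occurrence heuristic; it assumes Squid's native access.log format and that the UTC offset of cache.log's local timestamps is passed in. The function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Matches the cache.log entry quoted in the thread (Squid logs it as one line).
ALERT = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) kid\d+\| "
                   r"Error negotiating SSL connection on FD \d+: .*alert unknown ca")

def alert_seconds(cache_log, utc_offset_hours=0):
    """Count 'unknown ca' alerts per epoch second; cache.log uses local time."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    seconds = Counter()
    for line in cache_log.splitlines():
        m = ALERT.match(line)
        if m:
            local = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            seconds[int(local.replace(tzinfo=tz).timestamp())] += 1
    return seconds

def rank_connect_targets(cache_log, access_log, utc_offset_hours=0, window=1):
    """Rank (client, host) CONNECT pairs logged within `window` s of an alert."""
    alerts = alert_seconds(cache_log, utc_offset_hours)
    score = Counter()
    for line in access_log.splitlines():
        f = line.split()
        # Native format: time elapsed client code/status bytes method URL ...
        if len(f) < 7 or f[5] != "CONNECT":
            continue
        sec = int(float(f[0]))
        if any(sec + d in alerts for d in range(-window, window + 1)):
            score[(f[2], f[6].rsplit(":", 1)[0])] += 1
    return score.most_common()

# Constructed sample logs (documentation addresses, not taken from the thread).
SAMPLE_CACHE_LOG = """\
2018/04/26 10:27:45 kid1| Error negotiating SSL connection on FD 70: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2018/04/26 10:27:46 kid1| Error negotiating SSL connection on FD 71: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2018/04/26 10:27:50 kid1| Starting new helper
"""
SAMPLE_ACCESS_LOG = """\
1524738465.120 35 192.0.2.10 NONE/200 0 CONNECT av.example.net:443 - HIER_NONE/- -
1524738466.410 40 192.0.2.10 NONE/200 0 CONNECT av.example.net:443 - HIER_NONE/- -
1524738466.900 210 192.0.2.11 TCP_MISS/200 5120 GET https://www.example.org/ - HIER_DIRECT/198.51.100.7 text/html
1524738500.000 30 192.0.2.12 NONE/200 0 CONNECT www.example.org:443 - HIER_NONE/- -
"""

if __name__ == "__main__":
    for (client, host), hits in rank_connect_targets(SAMPLE_CACHE_LOG, SAMPLE_ACCESS_LOG):
        print(f"{hits:4d}  {client}  {host}")
```

Hosts that rank high here are candidates for the "not bumped" ACL; confirm each one against the client software before excluding it from inspection.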