18.01.2017 23:40, Eliezer Croitoru пишет: > Thanks for the detail Amos, > > I noticed that couple major Root CA certificates was revoked so it could be > one thing. > And can you give some more details on how to fetch the certificated using the > openssl tools? > (Maybe redirect towards an article about it) There is no article about trivial things.
root @ khorne / # openssl s_client -connect symantec.com:443 CONNECTED(00000003) depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5 verify return:1 depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 EV SSL CA - G3 verify return:1 depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, businessCategory = Private Organization, serialNumber = 2158113, C = US, postalCode = 94043, ST = California, L = Mountain View, street = 350 Ellis Street, O = Symantec Corporation, OU = Symantec Web - Redir, CN = symantec.com verify return:1 --- Certificate chain 0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=2158113/C=US/postalCode=94043/ST=California/L=Mountain View/street=350 Ellis Street/O=Symantec Corporation/OU=Symantec Web - Redir/CN=symantec.com i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3 i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 --- Server certificate -----BEGIN CERTIFICATE----- MIIJ7jCCCNagAwIBAgIQGxlwar89MNsXoPlBKLC9ZjANBgkqhkiG9w0BAQsFADB3 MQswCQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAd BgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxKDAmBgNVBAMTH1N5bWFudGVj IENsYXNzIDMgRVYgU1NMIENBIC0gRzMwHhcNMTYwNjEzMDAwMDAwWhcNMTcwNjEz MjM1OTU5WjCCARsxEzARBgsrBgEEAYI3PAIBAxMCVVMxGTAXBgsrBgEEAYI3PAIB AgwIRGVsYXdhcmUxHTAbBgNVBA8TFFByaXZhdGUgT3JnYW5pemF0aW9uMRAwDgYD VQQFEwcyMTU4MTEzMQswCQYDVQQGEwJVUzEOMAwGA1UEEQwFOTQwNDMxEzARBgNV BAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxGTAXBgNVBAkM EDM1MCBFbGxpcyBTdHJlZXQxHTAbBgNVBAoMFFN5bWFudGVjIENvcnBvcmF0aW9u MR0wGwYDVQQLDBRTeW1hbnRlYyBXZWIgLSBSZWRpcjEVMBMGA1UEAwwMc3ltYW50 ZWMuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwRqh8lRuQgtO ZDvGmr2+JKD5dgS8do3CQttE0wUosst5uMBoI0JdWCcD+dBKBMf+5PD2TZie75qY Dwg4TPWhiJhLVDtriB4xPHIaI3l4HNyiC2QbCYIlNxiYBApEX3xi7V94ZJBiQGhD jBjVBlWTwYMgcEP+1ivUL0h/ShZOjcJaqdlvLrne7WFQVDzcGcezqXEovgl/63sB 5tL0MDY5lpqUIllNLoMhk+o/NAu19NSQRTqVPmfSQZIQM/aki70LKQWmXzM7yjWk TYVfoqgj7zE9fwfyEZ3mdohSkxaNKdbnafCLHI6Yzc9t9wnnmYvBWDfTCSE+kdYC m/hEfFJaTQIDAQABo4IFzjCCBcowggNqBgNVHREEggNhMIIDXYIMc3ltYW50ZWMu Y29tggpub3J0b24uY29tggt2ZXJpdGFzLmNvbYISYWNjb3VudC5ub3J0b24uY29t ghRjYXJlZXJzLnN5bWFudGVjLmNvbYIZY3VzdG9tZXJjYXJlLnN5bWFudGVjLmNv bYIOZGUubm9ydG9uLm1vYmmCGmRvd25sb2Fkcy5ndWFyZGlhbmVkZ2UuY29tghFl bWVhLnN5bWFudGVjLmNvbYIQZXUuc3RvcmUucGdwLmNvbYIRam9icy5zeW1hbnRl Yy5jb22CFW1vc3RkYW5nZXJvdXN0b3duLmNvbYITbXlub3J0b25hY2NvdW50LmNv bYIQbmEuc3RvcmUucGdwLmNvbYIRbm9ydG9uYWNjb3VudC5jb22CFW5vcnRvbmxl YXJuaW5naHViLmNvbYIKbnVrb25hLmNvbYIRcm93LnN0b3JlLnBncC5jb22CEHNz bC5zeW1hbnRlYy5jb22CDXN0b3JlLnBncC5jb22CEHVrLnN0b3JlLnBncC5jb22C Fnd3dy5hY2NvdW50Lm5vcnRvbi5jb22CFXd3dy5lbWVhLnN5bWFudGVjLmNvbYIZ d3d3Lm1vc3RkYW5nZXJvdXN0b3duLmNvbYIVd3d3Lm5vcnRvbmFjY291bnQuY29t ghl3d3cubm9ydG9ubGVhcm5pbmdodWIuY29tgg53d3cubnVrb25hLmNvbYILd3d3 LnBncC5jb22CFHd3dy5zc2wuc3ltYW50ZWMuY29tgg93d3cudmVyaXRhcy5jb22C End3dy5zeW1hbnRlYy5jby5qcIISd3d3LnN5bWFudGVjLmNvLnVrgg93d3cuc3lt YW50ZWMuZnKCD3d3dy5zeW1hbnRlYy5kZYIPd3d3LnN5bWFudGVjLml0ghN3d3cu c3ltYW50ZWMuY29tLmF1ghJ3d3cuc3ltYW50ZWMuY28ua3KCE3d3dy5zeW1hbnRl Yy5jb20uYnKCD3d3dy5zeW1hbnRlYy5teIIPd3d3LnN5bWFudGVjLmVzgg93d3cu c3ltYW50ZWMuY2GCD3d3dy5zeW1hbnRlYy5oa4ISd3d3LnN5bWFudGVjLmNvLmlu gg93d3cuc3ltYW50ZWMudHeCD3d3dy5zeW1hbnRlYy5zZzAJBgNVHRMEAjAAMA4G A1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwbwYD VR0gBGgwZjAHBgVngQwBATBbBgtghkgBhvhFAQcXBjBMMCMGCCsGAQUFBwIBFhdo dHRwczovL2Quc3ltY2IuY29tL2NwczAlBggrBgEFBQcCAjAZDBdodHRwczovL2Qu c3ltY2IuY29tL3JwYTAfBgNVHSMEGDAWgBQBWavn3ToLWaZkY9bPIAdX1ZHnajAr BgNVHR8EJDAiMCCgHqAchhpodHRwOi8vc3Iuc3ltY2IuY29tL3NyLmNybDBXBggr BgEFBQcBAQRLMEkwHwYIKwYBBQUHMAGGE2h0dHA6Ly9zci5zeW1jZC5jb20wJgYI KwYBBQUHMAKGGmh0dHA6Ly9zci5zeW1jYi5jb20vc3IuY3J0MIIBBgYKKwYBBAHW eQIEAgSB9wSB9ADyAHcA3esdK3oNT6Ygi4GtgWhwfi6OnQHVXIiNPRHEzbbsvswA AAFVS+V56QAABAMASDBGAiEAlwG/vUrML+CkdGkmUuyjvTHeWMaIvR409GHqmKjC LAoCIQDSg0zyzCM7ORf0yF/ZaAqQpuWbm+mSSUXp6lRmP29BrwB3AKS5CZC0GFgU h7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAABVUvlegwAAAQDAEgwRgIhAMimfbuI vtq3d1b5fbkjtmrZ5SKi0kI/7BX32AU3ApXOAiEAvVHUc3PNoZiUq5ryyQeqWR1q 1j8QzHlUf8xeFVes7iMwDQYJKoZIhvcNAQELBQADggEBAB4Ve4SAScHpnOtq3I6m buH90PEoq0m9503ooEwywvZOeqQOQwDmqOJZsraznC70kmWlr5UY5Yd2eUph6IR+ 6VdaJQlfbMhGc60JVZi8Pewk+clo/CyX6CTmwwh0nJ2Q5blcgGRLvdWEOumK16ET MGV5VCXFWExTFYGleYvsAAH8AMYf3f+k9qB3vu6YljKzp1mv/NJL29kmhciY7oaR wLbzicQbK6uEuZfM7+HmM/bW0UGJPOHgpv+os6kQSSxx4w3BhizpIid4v+5VS+8o XLxAH5+bfEsaMQMNfEddxXT9Y/2Ly2IAr24EQn3s+SsdP9oc5dTTTVacikz3tQCA JfU= -----END CERTIFICATE----- subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=2158113/C=US/postalCode=94043/ST=California/L=Mountain View/street=350 Ellis Street/O=Symantec Corporation/OU=Symantec Web - Redir/CN=symantec.com issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3 --- No client certificate CA names sent --- SSL handshake has read 5624 bytes and written 433 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES128-SHA Session-ID: 7ED48810D697DDAE5C591942755CF47E3D96431EC46C074641B5E1363ABE812E Session-ID-ctx: Master-Key: 68B42DE89E49E2F16E7461853B9CD8F5393955C9A8C3B6DB27A560CD753669285C51FEA33C2324694F1AA43B833021E8 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1484761429 Timeout : 300 (sec) Verify return code: 0 (ok) --- ^C That's all. > I think that if some sites are have issues then a simple script that will run > the openssl tools to fetch the certificates and add them to the system can be > useful for those which are running 3.5 and yet to jump into the 4.0 testing. > I can write the script that will do come of the work for these admins. > > Eliezer > > ---- > Eliezer Croitoru > Linux System Administrator > Mobile: +972-5-28704261 > Email: elie...@ngtech.co.il > > > -----Original Message----- > From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On > Behalf Of Amos Jeffries > Sent: Wednesday, January 18, 2017 6:06 PM > To: squid-users@lists.squid-cache.org > Subject: Re: [squid-users] A bunch of SSL errors I am not sure why > > On 19/01/2017 3:29 a.m., Sameh Onaissi wrote: >> Hello Eliezer, all >> >> Sorry for the late reply. >> >> When I configure the browser to access a non intercept port, the errors do >> not show up and the site is accessed without a problem. >> >> The client machine has the .crt file installed, but still shows the error. >> >> Other pages with errors: >> http://pasteboard.co/nA20FD7om.png >> http://pasteboard.co/nA2yWRyTE.png >> >> Here is the second page in a browser without an intercepted port: >> http://pasteboard.co/nA39CEFGU.png >> >> >> Thanks in advance. >> Some of these sites are used to pay company bills, so it’s important to get >> this issue resolves ASAP. > I assume from that first part that the most important of these sites are a > small enough set to deal with as a special case without becoming a > maintenance nightmare. > > The error messages both show that Squid at least cannot find one of the CA > required to verify the servers cert. > > Soo... > you can probably use the openssl client tool to identify and fetch the certs > manually; then > > 1a) add the root CA (only if needed) into your machines global CA set, > > 1b) add any intermediary certs to the file Squid loads through > sslproxy_foreign_intermediate_certs directive. > <http://www.squid-cache.org/Doc/config/sslproxy_foreign_intermediate_certs/> > > OR > > 2) create a cache_peer to the domains server port 443, using the originserver > option and sslcafile= option to specify what its CA chain is supposed to be. > <http://www.squid-cache.org/Doc/config/cache_peer/> > > >> Worth mentioning that this was not a problem about 10 days ago. > Nod, these types of things can appear out of nowhere as servers certs expire > or get blacklisted, ciphers etc suddenly get rejected by browsers as > insecure. TLS advocates deny it, but F*ups happen far too often in reality > when dealing with certs. > > >> >> * Try the latest Squid-4, which can auto-download intermediate certificates. >> >> Is squid-4 stable for production? >> > Sorry I missed this in your earlier post. > > Well strictly speaking no. It still has a handful of critical bugs to be > tracked down and quashed. But whether those affect you, or if they do whether > its worth an occasional crash to avoid these SSL isues is a different matter. > > Amos > > _______________________________________________ > squid-users mailing list > squid-users@lists.squid-cache.org > http://lists.squid-cache.org/listinfo/squid-users > > _______________________________________________ > squid-users mailing list > squid-users@lists.squid-cache.org > http://lists.squid-cache.org/listinfo/squid-users -- OpenSource should be called "Fifty shades of Brown"
0x613DEC46.asc
Description: application/pgp-keys
signature.asc
Description: OpenPGP digital signature
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users