On 26/01/22 06:12, Eliezer Croitoru wrote:
> Hey,
>
> I have recently seen more than one site that doesn't provide the full CA
> bundle chain.
> An example:
> https://www.ssllabs.com/ssltest/analyze.html?d=www.cloudschool.org
> https://www.ssllabs.com/ssltest/analyze.html?d=certificatechain.io
>
> I wanted to somehow get this issue logged properly.
> Currently squid sends the client a customized 503 page and the next line in
> cache.log:
> 2022/01/25 19:01:25 kid1| ERROR: negotiating TLS on FD 26:
> error:1416F086:SSL routines:tls_process_server_certificate:certificate
> verify failed (1/-1/0)
>
> Were there any improvements in this area in the 5.x or 6.x branches?


"in this area" yes. Both versions have significant bug fixes around the chain handling. As usual the later the Squid version the better SSL-Bump and TLS "cutting edge" features work.

YMMV whether those changes help in your particular instances of the error. Some are caused by TLS certs just being invalid.


> And also the logging is very uninformative regarding the culprit of the
> issue.

That has improved a little in later versions. It is part of the ongoing work to figure out what is going on and what needs to be logged to understand the actions without facing a flood of crypto information.


> I would have expected that the remote host ip:port and sni would be logged
> as well in the above mentioned line.


SNI is one of the details TLS/1.3 encrypts now :(


> Currently I do not know about a way to identify from the logs these specific
> sites.

The "ERROR:" message gives you the FD number of the relevant client connection. With that "FD nn" you can scan the preceding cache.log in sections:

  5,9 50,9 51,3 (generic I/O)
  83,7 (security I/O)
  11,2 (HTTP messaging for CONNECT tunnel and cert fetches, if any)



Amos
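The FD-correlation that Amos describes can be scripted instead of done by hand. The following is an added example, not code from the thread or from the Squid project: it scans a cache.log, finds each "ERROR: negotiating TLS on FD nn" line (the exact format quoted above), pulls the OpenSSL function and reason out of it, and collects the preceding lines that mention the same FD. The sample log is constructed; the lines other than the ERROR line are hypothetical debug output and do not reproduce Squid's real section-5/11/83 message wording. Because Squid reuses FD numbers once a socket closes, an optional `open_marker` regex (assumed to match whatever "connection opened" line your debug level produces) trims the context back to the most recent open of that FD.

```python
import re
from collections import deque

# Constructed sample cache.log excerpt (not a real capture). The ERROR line
# mirrors the format quoted in the thread; the other lines are hypothetical
# debug output that merely carries the same "FD nn" token.
SAMPLE_LOG = """\
2022/01/25 18:59:00 kid1| 5,9| comm.cc(123) comm_open: FD 26 opened (hypothetical, earlier use of the same FD)
2022/01/25 18:59:01 kid1| 83,7| Security::PeerConnector: FD 26 handshake ok (hypothetical)
2022/01/25 19:01:20 kid1| 5,9| comm.cc(123) comm_open: FD 26 opened (hypothetical)
2022/01/25 19:01:21 kid1| 11,2| http.cc(456) CONNECT example.test:443 on FD 26 (hypothetical)
2022/01/25 19:01:22 kid1| 83,7| Security::PeerConnector: FD 26 starting handshake (hypothetical)
2022/01/25 19:01:23 kid1| 5,9| comm.cc(123) comm_open: FD 27 opened (hypothetical)
2022/01/25 19:01:25 kid1| ERROR: negotiating TLS on FD 26: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (1/-1/0)
2022/01/25 19:01:26 kid1| 83,7| Security::PeerConnector: FD 27 handshake ok (hypothetical)
"""

# The ERROR line format as quoted in the thread.
TLS_ERROR_RE = re.compile(r"ERROR: negotiating TLS on FD (\d+):")
# OpenSSL error string: error:<hex code>:SSL routines:<function>:<reason> (...)
OPENSSL_ERR_RE = re.compile(
    r"error:([0-9A-Fa-f]+):SSL routines:([^:]+):([^(]+?)\s*\(")


def correlate_tls_errors(log_text, window=5000, open_marker=None):
    """Return one dict per TLS negotiation error found in log_text.

    Each dict carries the FD number, the OpenSSL code/function/reason, and
    the preceding log lines (within `window` lines) that name the same FD.
    If open_marker is given, context is cut back to the most recent line
    matching it, so that lines from an earlier connection that happened to
    use the same FD number are dropped.
    """
    open_re = re.compile(open_marker) if open_marker else None
    results = []
    history = deque(maxlen=window)  # bounded ring of preceding lines
    for line in log_text.splitlines():
        m = TLS_ERROR_RE.search(line)
        if m:
            fd = int(m.group(1))
            fd_re = re.compile(r"\bFD %d\b" % fd)  # "FD 26" but not "FD 260"
            related = [h for h in history if fd_re.search(h)]
            if open_re is not None:
                # FD numbers are recycled: keep only lines since the last open.
                for i in range(len(related) - 1, -1, -1):
                    if open_re.search(related[i]):
                        related = related[i:]
                        break
            e = OPENSSL_ERR_RE.search(line)
            results.append({
                "fd": fd,
                "error": line,
                "code": e.group(1) if e else None,
                "func": e.group(2) if e else None,
                "reason": e.group(3).strip() if e else None,
                "context": related,
            })
        history.append(line)
    return results


def report(log_text, open_marker=None):
    """Human-readable summary; returns the number of errors found."""
    found = correlate_tls_errors(log_text, open_marker=open_marker)
    for r in found:
        print("FD %d: %s in %s" % (r["fd"], r["reason"], r["func"]))
        for ctx in r["context"]:
            print("    " + ctx)
    return len(found)


if __name__ == "__main__":
    # Hypothetical open marker matching the constructed sample only.
    report(SAMPLE_LOG, open_marker=r"comm_open: FD \d+ opened")
```

To get the sections Amos lists into cache.log in the first place, the usual Squid directive is `debug_options` with the section,level pairs, e.g. `debug_options ALL,1 5,9 50,9 51,3 83,7 11,2`; the resulting lines will not match the hypothetical wording in the sample, so adjust `open_marker` to the real "opened" message your build emits before relying on FD-reuse trimming.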
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
