On 03/22/2017 07:20 AM, Markus Wernig wrote:
> Small update:
>
> - The URL ... is the AIA for the Root CA
>
> Since squid is sslbumping the connection, it must be doing the AIA
> lookups (presumably for SSL verification). Does anybody have an idea why
> it is blocking its own requests?
My answer
Small update:
- The URL http://apps.identrust.com/roots/dstrootcax3.p7c is not the
OCSP responder, but the AIA for the Root CA (DST Root CA X3) embedded in
the issuing CA's certificate's CA Issuers.
- Same for
http://swisssign.net/cgi-bin/authority/download/5B257B96A465517EB839F3C078665EE83AE7F0EE
On 03/21/2017 04:35 AM, Markus Wernig wrote:
>
> 2017-03-21 10:35:08.338 +0100 000137 - TCP_DENIED/403 3607 GET
> http://apps.identrust.com/roots/dstrootcax3.p7c - HIER_NONE/-
> text/html;charset=utf-8 -
> 2017-03-21 10:35:08.345 +0100 000161 10.254.254.2 NONE/200 0 CONNECT
> letsencrypt.org:44
Hi all,
I have configured Squid 4.0.18 (CentOS) with sslbump and clamav as
ecap_service. This works well.
One thing I've noticed, though, is constant log entries like this in
access.log:
2017-03-21 10:35:08.338 +0100 000137 - TCP_DENIED/403 3607 GET
http://apps.identrust.com/roots/dstrootcax3.p7c
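As an added example, not code from the thread or from the Squid project: a small Python parser for the access.log format quoted above that flags TCP_DENIED entries with no client address (the "-" field, i.e. requests Squid issued itself) to AIA-style URLs, which is the symptom being discussed. The sample log lines are constructed from the two lines quoted in the post plus two filler lines; the field layout is assumed from those lines.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Layout assumed from the access.log lines quoted in the thread:
# <date> <time> <tz> <duration> <client> <status>/<code> <bytes> <method> <url> ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+ [+-]\d{4}) (?P<dur>\d+) (?P<client>\S+) "
    r"(?P<status>[A-Z_]+)/(?P<code>\d{3}) (?P<bytes>\d+) (?P<method>[A-Z]+) (?P<url>\S+)"
)

# File suffixes commonly served from a certificate's CA Issuers (AIA) URL.
AIA_SUFFIXES = (".p7c", ".p7b", ".crt", ".cer", ".der")

# Constructed sample: lines 1 and 3 follow the post's quoted entries,
# lines 2 and 4 are filler showing ordinary client traffic.
SAMPLE_LOG = """\
2017-03-21 10:35:08.338 +0100 000137 - TCP_DENIED/403 3607 GET http://apps.identrust.com/roots/dstrootcax3.p7c - HIER_NONE/- text/html;charset=utf-8 -
2017-03-21 10:35:08.345 +0100 000161 10.254.254.2 NONE/200 0 CONNECT letsencrypt.org:443
2017-03-21 10:35:09.001 +0100 000090 - TCP_DENIED/403 3607 GET http://swisssign.net/cgi-bin/authority/download/5B257B96A465517EB839F3C078665EE83AE7F0EE - HIER_NONE/- text/html;charset=utf-8 -
2017-03-21 10:35:09.100 +0100 000050 10.254.254.2 TCP_MISS/200 1200 GET http://example.com/index.html - HIER_DIRECT/192.0.2.10 text/html -
"""

@dataclass
class Entry:
    ts: str
    client: str
    status: str
    code: int
    method: str
    url: str

def parse_line(line: str) -> Optional[Entry]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["ts"], m["client"], m["status"], int(m["code"]), m["method"], m["url"])

def looks_like_aia(url: str) -> bool:
    # Either a DER/PKCS#7 file suffix or a bare hex blob name (the SwissSign
    # style seen in the thread); AIA fetches are plain http://.
    if not url.startswith("http://"):
        return False
    path = url.split("?", 1)[0].lower()
    last = path.rsplit("/", 1)[-1]
    return path.endswith(AIA_SUFFIXES) or re.fullmatch(r"[0-9a-f]{32,}", last) is not None

def denied_self_aia_fetches(log_text: str) -> List[Entry]:
    # Squid-originated fetches carry "-" as the client address; a 403 on one
    # of these means the proxy denied its own chain download.
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e.client == "-" and e.status == "TCP_DENIED" and looks_like_aia(e.url):
            hits.append(e)
    return hits
```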