When there is an issue with a certificate, it is good practice to go to ssllabs 
to verify what is going on.

https://www.ssllabs.com/ssltest/analyze.html?d=i.bps%2dsberbank.by&hideResults=on&latest
shows that there is an incomplete certificate chain issue (in orange) which 
means that the server of the bank does not send all (intermediate) certificates.
Click on the blue '+' of certification paths and it shows that the 'GeoTrust 
RSA CA 2018' (intermediate certificate) had to be downloaded.

The messages are not from Squid but from ufdbGuard which apparently is 
configured with an option to block the URL in case of a certificate issue.
Since Squid already checks for valid certificate chains, I suggest turning this 
option off in ufdbGuard.

Marcus
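The distinction Marcus draws (a server that omits its intermediate versus a CA that is genuinely untrusted) can be reproduced offline. The following Go program is an added example, not code from the thread, Squid or ufdbGuard: it generates a constructed root -> intermediate -> leaf chain for the invented hostname "bank.example", then verifies the leaf as a client that trusts only the root would, first with only the leaf (what the bank's server sends) and then with the intermediate included (what ssllabs fetched as an extra download). The first case fails with "certificate signed by unknown authority", the same condition ufdbGuard reports as UNRECOGNISED ISSUER.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs a certificate for cn with parent/pkey (self-signed when parent is nil); constructed demo keys only.
func issue(cn string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if !isCA { tmpl.KeyUsage, tmpl.DNSNames = x509.KeyUsageDigitalSignature, []string{cn} } // leaf: no CertSign, hostname SAN
	if parent == nil { parent, pkey = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ChainDemo builds root -> intermediate -> leaf and reports whether a root-only client accepts the leaf without, then with, the intermediate.
func ChainDemo() (withoutIntermediate, withIntermediate bool) {
	root, rootKey := issue("Demo Root CA", true, nil, nil, 1)
	inter, interKey := issue("Demo Intermediate CA", true, root, rootKey, 2)
	leaf, _ := issue("bank.example", false, inter, interKey, 3)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	check := func(sent *x509.CertPool) error { // client side: trust store + extra certs the server sent
		_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: sent, DNSName: "bank.example"})
		return err
	}
	sent := x509.NewCertPool()
	sent.AddCert(inter)
	e1, e2 := check(nil), check(sent)
	fmt.Printf("leaf only: %v\nleaf + intermediate: %v\n", e1, e2) // "unknown authority" vs <nil>
	return e1 == nil, e2 == nil
}

func main() { ChainDemo() }
```

The fix belongs on the server (send the intermediate); a client-side workaround such as adding the intermediate to the proxy's trust store only masks the misconfiguration for that one site.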


On 31/10/2018 11:48, Vacheslav wrote:
I do not use bump or splice if that is what you mean. I do not import 
certificates. It works without proxy.

-----Original Message-----
From: squid-users <squid-users-boun...@lists.squid-cache.org> On Behalf Of 
Matus UHLAR - fantomas
Sent: Wednesday, October 31, 2018 5:46 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] bank blocked

On 31.10.18 17:41, Vacheslav wrote:
2018-10-31 17:34:45 [4270] TLSv1.2 certificate for i.bps-sberbank.by:443: 
UNRECOGNISED ISSUER  (maybe a certificate chain issue)  *****
2018-10-31 17:34:45 [4270]    issuer: /C=US/O=DigiCert 
Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018

does your system recognize this authority? Do you have an actual list of CAs?

2018-10-31 17:34:45 [4270]    subject: /C=BY/L=Minsk/O=BPS-Sberbank OAO/OU=Head 
Office/CN=*.bps-sberbank.by
2018-10-31 17:34:45 [4270] TLSv1.2 connection to i.bps-sberbank.by:443 has 
error code 12. It is marked as a TLS/SSL certificate issue
2018-10-31 17:34:45 [4270] BLOCK -                10.17.10.17     config     
https-option  i.bps-sberbank.by:443 CONNECT

What is wrong?

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
