Yes, I have seen this with Squid _with_ ssl_bump. In trying to resolve the issue I also upgraded to Squid 4.11, removed the certificate cache and still had messages that the certificate expired on
May 30 2020. Double-checked all certificates but none has this expiry date.
We have a wildcard certificate from Sectigo that we use for *.urlfilterdb.com.
The really strange thing is that the issue does not appear for all subdomains:
'www' subdomain is OK
'files' subdomain has expired certificate
www.sectigo.com also has an expiration issue when used with the Squid proxy and
sslbump (peek+bump mode).
My *guess* is that the certificate checking code used by ssl_bump does not
check all certificate signing paths.
Marcus
On 2020-05-31 00:58, Garbacik, Joe wrote:
Has anyone else noticed any issues with the expiration of the Sectigo
certificates today that appear to be related to this issue:
https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117LT
https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000rgSZ
I started seeing this in my logs today for a site that has always worked.
... cert_errors="X509_V_ERR_CERT_HAS_EXPIRED@depth=3" ...
I also noticed that with a browser, bypassing the proxy, the certificate is
fine.
I also noticed that testing with openssl, it indicates expired as well.
Verify return code: 10 (certificate has expired)
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
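
Added example, not part of either post and not Squid's own code: a small triage script that reads the `cert_errors="...@depth=N"` field quoted in the thread and separates expiry of the server's own certificate (depth 0 in OpenSSL's verification chain) from expiry of a CA certificate further up the chain (depth > 0), which is the case reported here. The `host=` field, the sample lines and the comma separator between multiple errors are assumptions made for the example.

```python
import re

# The cert_errors token format is taken from the log excerpt in the thread.
FIELD = re.compile(r'cert_errors="([^"]*)"')
ITEM = re.compile(r'(X509_V_ERR_[A-Z0-9_]+)@depth=(\d+)')
HOST = re.compile(r'host=(\S+)')  # assumed field, not from the thread

# Constructed sample lines; only the cert_errors token follows the page.
SAMPLE_LOG = [
    'host=files.example.test cert_errors="X509_V_ERR_CERT_HAS_EXPIRED@depth=3"',
    'host=www.example.test cert_errors="-"',
    'host=old.example.test cert_errors="X509_V_ERR_CERT_HAS_EXPIRED@depth=0"',
    'host=files.example.test cert_errors="X509_V_ERR_CERT_HAS_EXPIRED@depth=3"',
    'host=mixed.example.test cert_errors="X509_V_ERR_CERT_HAS_EXPIRED@depth=2,'
    'X509_V_ERR_CERT_HAS_EXPIRED@depth=0"',
    'host=plain.example.test no tls fields on this line',
]


def expired_depths(lines):
    """Map each host to the sorted chain depths at which expiry was reported."""
    found = {}
    for line in lines:
        field, host = FIELD.search(line), HOST.search(line)
        if not field or not host:
            continue  # line carries no usable TLS fields
        for name, depth in ITEM.findall(field.group(1)):
            if name == "X509_V_ERR_CERT_HAS_EXPIRED":
                found.setdefault(host.group(1), set()).add(int(depth))
    return {h: sorted(d) for h, d in found.items()}


def chain_only(report):
    """Hosts with no expiry reported at depth 0, only on a CA above the leaf."""
    return sorted(h for h, depths in report.items() if 0 not in depths)


if __name__ == "__main__":
    report = expired_depths(SAMPLE_LOG)
    for host, depths in sorted(report.items()):
        kind = "server certificate" if 0 in depths else "CA certificate in chain"
        print(f"{host}: expired at depth {depths} ({kind})")
    print("chain-only hosts:", chain_only(report))
```

Hosts listed as chain-only are the ones to check for an expired intermediate or root in the path the verifier built, rather than for a renewal of the site certificate.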