31
Web Proxy Filtering and Caching / Re: Squid SSL Inspection and Windows Updates
« on: June 15, 2021, 03:06:55 pm »
Hello,
I know this is a little old topic started by me but I got the time to set this up and got it working!
You've to add this to squid bump, make sure to include the leading "." It will include the domain itself and all subdomains:
The URLs listed in Squid Wiki are to much, I reduced this. However you can do it more granular. (https://wiki.squid-cache.org/ConfigExamples/Caching/WindowsUpdates)
Additionally (Thx AndyX90) you have to import the following certificates:
Microsoft Root Certificate Authority 2011 - ROOT
Microsoft Update Secure Server CA 2.1 - INTERMEDIATE
Microsoft ECC Product Root Certificate Authority 2018 - ROOT
Microsoft ECC Content Distribution Secure Server CA 2.1 - INTERMEDIATE
You have to import every certificate that throws the following error in Cache Log:
kid1| ERROR: negotiating TLS on FD 49: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed (1/-1/0)
Good luck
I know this is a little old topic started by me but I got the time to set this up and got it working!
You've to add this to squid bump, make sure to include the leading "." It will include the domain itself and all subdomains:
Code: [Select]
.microsoft.com.akadns.net
.windowsupdate.com
.microsoft.com
The URLs listed in Squid Wiki are to much, I reduced this. However you can do it more granular. (https://wiki.squid-cache.org/ConfigExamples/Caching/WindowsUpdates)
Additionally (Thx AndyX90) you have to import the following certificates:
Microsoft Root Certificate Authority 2011 - ROOT
Microsoft Update Secure Server CA 2.1 - INTERMEDIATE
Microsoft ECC Product Root Certificate Authority 2018 - ROOT
Microsoft ECC Content Distribution Secure Server CA 2.1 - INTERMEDIATE
You have to import every certificate that throws the following error in Cache Log:
kid1| ERROR: negotiating TLS on FD 49: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed (1/-1/0)
Good luck
