OPNsense Forum » English Forums » Web Proxy Filtering and Caching
Topic: Squid - SSLBump Windowsupdate

AndyX90
Squid - SSLBump Windowsupdate
« on: April 14, 2018, 09:22:19 am »
Hi, I am experiencing some problems with Squid + SSL Bump and Windows Update (WSUS). I have set up Single Sign-On.
I have added .microsoft.com and .windowsupdate.com to the no-bump sites.
Now I get the following error multiple times in the Squid log:
Code:
kid1| Error negotiating SSL on FD 22: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
If I try to open https://update.microsoft.com/ directly without the proxy, I get a certificate warning in my browser too.
There seems to be an issue in their certificate chain.
How can I explicitly trust those sites? I tried to put them in the whitelist, but it doesn't work.
Many thanks!

fabian (Moderator, OPNsense Contributor)
Re: Squid - SSLBump Windowsupdate
« Reply #1 on: April 14, 2018, 01:10:37 pm »
The no-bump sites should do the trick, but this does not fix the real problem: the server uses an untrusted certificate. In that case, the proxy cannot see the traffic and the client has to validate the certificate.

Explicit trust works if you edit the certificate database by hand.

AndyX90
Re: Squid - SSLBump Windowsupdate
« Reply #2 on: April 15, 2018, 08:32:46 am »
Thanks, but the no-bump sites don't work.
Maybe I have to edit the cert DB by hand.
Would it be possible to add a feature in the web UI to view/edit the verification CAs?
Like this on Sophos UTM (see attachment).
Thanks.

opnsenseuser
Re: Squid - SSLBump Windowsupdate
« Reply #3 on: October 21, 2018, 09:06:34 am »
I have already tried everything, but under Windows 10 the updates are not recorded. I get exactly the same error message.

Code:
kid1| Error negotiating SSL on FD 36: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
Does anyone know this, or can someone implement such a feature in OPNsense?
Supermicro A2SDi-4C-HLN4F
Team Rebellion Member (sidebar / themes: tukan, cicada & vicuna)

opnsenseuser
Re: Squid - SSLBump Windowsupdate
« Reply #4 on: October 21, 2018, 09:12:36 am »
Strange, right at the moment I submitted my post it worked. I will post my solution here once I know exactly what must be registered where and which domains really work now.

I use Squid transparent with a certificate.

opnsenseuser
Re: Squid - SSLBump Windowsupdate
« Reply #5 on: October 21, 2018, 01:32:15 pm »
So sometimes it works and sometimes not. Usually not. Why it sometimes works is not clear to me.

Most of the time the proxy gets these errors:

cache:
Code:
routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
access:
Code:
TAG_NONE/503 4283 POST https://fe3.delivery.mp.microsoft.com/ClientWebService/client.asmx - HIER_NONE/- text/html
Does anyone know how to fix this?
« Last Edit: October 21, 2018, 01:35:47 pm by noname12123 »

fabian (Moderator)
Re: Squid - SSLBump Windowsupdate
« Reply #6 on: October 21, 2018, 09:09:18 pm »
This means one of their servers has an invalid certificate (incorrect hostname, not in valid time range, untrusted CA etc.). It is usually not an error at your side.
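To make the mechanics behind fabian's Reply #1 and Reply #6 concrete, here is a Squid ssl_bump fragment, added as an example; it is not OPNsense's generated squid.conf and not code from anyone in this thread. It splices the Windows Update hosts by SNI so that the client, not the proxy, validates their certificates, and it shows where the proxy's own trust for origins that are still bumped is configured. The ACL names, the CA bundle path and the Squid 4 spelling tls_outgoing_options are assumptions (Squid 3.5 calls the same setting sslproxy_cafile); the host in the last ACL is a placeholder.

```squid
# Added example: Squid 4 ssl_bump fragment for a network with Windows Update
# clients. Not OPNsense's generated configuration; ACL names, the CA bundle
# path and the placeholder host are assumptions.

# At bump step 1 only the TCP destination (or the CONNECT target) is known.
acl step1 at_step SslBump1

# Hosts that must not be decrypted. A leading dot matches all subdomains.
# ssl::server_name matches the TLS SNI, which is also available in transparent
# (intercept) mode where there is no CONNECT request carrying a hostname.
acl no_bump ssl::server_name .microsoft.com .windowsupdate.com

# Peek at the ClientHello first so that ssl::server_name has an SNI to match,
# then splice the excluded hosts and bump everything else. Without the peek,
# a splice rule keyed on the server name has nothing to match in intercept mode.
ssl_bump peek step1
ssl_bump splice no_bump
ssl_bump bump all

# For origins that ARE bumped, Squid is the TLS client towards the origin and
# verifies the origin certificate itself. "ssl3_get_server_certificate:
# certificate verify failed" in cache.log is that verification failing.
# Preferred fix when the chain is only missing an intermediate, or uses a CA
# the proxy's store does not contain: give the proxy that CA certificate.
# (Squid 3.5: sslproxy_cafile /usr/local/etc/squid/extra-ca.pem)
tls_outgoing_options cafile=/usr/local/etc/squid/extra-ca.pem

# Last resort: tolerate verification errors for one named origin only.
# Squid then re-signs an origin certificate it could NOT verify with the
# proxy CA, so the client sees a valid certificate and never learns of the
# failure. Keep the ACL narrow and never write "sslproxy_cert_error allow all".
# bumped-origin.example is a placeholder; the Windows Update hosts above are
# spliced, so this rule would never apply to them.
acl cert_error_ok ssl::server_name bumped-origin.example
sslproxy_cert_error allow cert_error_ok
sslproxy_cert_error deny all
```

Two checks after reloading. First, access.log tells you whether an exclusion actually took effect: a spliced host appears only as a CONNECT to the host (or IP) on port 443, whereas a line carrying the full https:// URL, like the POST to fe3.delivery.mp.microsoft.com/ClientWebService/client.asmx in Reply #5, means that connection was bumped, and TAG_NONE/503 with HIER_NONE/- means the proxy gave up before contacting the origin, which is what the cache.log verify error describes. Second, look at the chain from the proxy's point of view with openssl s_client -connect fe3.delivery.mp.microsoft.com:443 -servername fe3.delivery.mp.microsoft.com -showcerts on the firewall and read the Verify return code: error 20 or 21 (issuer certificate not found, or the first certificate unverifiable) is the missing-CA case that the cafile fixes, while a hostname mismatch or an expired certificate is the origin's problem, as fabian says, and the right outcome is that the client sees it.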

opnsenseuser
Re: Squid - SSLBump Windowsupdate
« Reply #7 on: October 22, 2018, 01:38:04 pm »
Thx for your Information.

Regards,
Rene

opnsenseuser
Re: Squid - SSLBump Windowsupdate
« Reply #8 on: October 22, 2018, 04:10:20 pm »
Quote from: fabian on October 21, 2018, 09:09:18 pm
This means one of their servers has an invalid certificate (incorrect hostname, not in valid time range, untrusted CA etc.). It is usually not an error at your side.

It would be great if OPNsense had a solution like pfSense does.
I assume I'm not the only one who uses Windows clients.

According to the Squid wiki this should work here; only the options are missing in OPNsense:
https://wiki.squid-cache.org/ConfigExamples/Caching/WindowsUpdates

Unfortunately, I know that this works for pfSense. In OPNsense it is only possible by editing the config files manually. But I prefer to keep my fingers off.
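The Squid wiki page linked above is about caching the update payloads, which is a separate concern from the TLS failure discussed in this thread, and the two interact. The following squid.conf fragment is added here as an example in the style of that page; it is not the wiki's text, not OPNsense's generated configuration and not pfSense's. The sizes, the host list and the file-extension list are assumptions to adapt to your cache_dir and to what your clients actually fetch.

```squid
# Added example: caching settings for Windows Update downloads, in the style of
# the Squid wiki's WindowsUpdates page. Sizes, hosts and extensions are
# assumptions; this is not OPNsense's or pfSense's generated configuration.

# Windows Update fetches large files with HTTP Range requests. By default Squid
# passes ranges through without storing the object; raising range_offset_limit
# makes Squid fetch the whole object so it can be cached. Restrict that to the
# update hosts (this line is consulted before the catch-all below), otherwise
# every range request on the network turns into a full download.
acl wu_dst dstdomain .windowsupdate.com .update.microsoft.com .download.microsoft.com
range_offset_limit 512 MB wu_dst
range_offset_limit 0 KB

# The object size limit has to admit the payloads, otherwise they are never stored.
maximum_object_size 512 MB

# Keep fetching a download the client aborted so the object completes in cache.
quick_abort_min -1 KB

# Update payloads are content-addressed and rarely change, so treat them as
# fresh for a long time. reload-into-ims turns client "no-cache" reloads into
# If-Modified-Since checks instead of a full re-fetch.
# (.esd is the Windows 10 feature-update container; added to the wiki-style list.)
refresh_pattern -i windowsupdate\.com/.*\.(cab|exe|ms[iuf]|[ap]sf|wm[va]|dat|zip|esd)$ 4320 80% 43200 reload-into-ims
refresh_pattern -i microsoft\.com/.*\.(cab|exe|ms[iuf]|[ap]sf|wm[va]|dat|zip|esd)$ 4320 80% 43200 reload-into-ims
```

The caveat that ties this to the rest of the thread: the proxy can only cache what it reads in the clear, that is plain-HTTP downloads and HTTPS hosts you bump. A host you splice through the no-bump list passes through opaque and these refresh patterns never apply to it, so for each host you choose between caching (bump, and then the proxy has to be able to verify the origin certificate) and end-to-end validation by the client (splice); you cannot have both on the same connection. To verify the caching side, have a second client fetch the same .cab or .esd and check access.log for TCP_HIT instead of TCP_MISS.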

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved