OPNsense Forum » Archive » 17.7 Legacy Series » [SOLVED] Squid Proxy Unknown Equifax Root CA
Topic: [SOLVED] Squid Proxy Unknown Equifax Root CA (Read 5163 times)
pongafence, on: August 09, 2017, 11:06:34 pm
Hi guys,
So I've implemented OPNsense almost EVERYWHERE now, with only my core IPSEC VPN gateways to replace, once I figure out configuration patterns and passing dynamic routes.
Anyway, the issue that I'm having is that once I configure SSL interception, almost every site works fine, except for Google sites, or sites that use the Google CA.
I've attempted to use the unknown intermediate CA configuration to include additional certificates, but nothing seems to work, so I either don't visit Google, or don't enable SSL interception.
Has anyone else run into this problem when visiting SSL intercepted sites and received the UNKNOWN_CA_ERROR?
And how did you resolve the issue without disabling SSL interception?
TIA,
D
Last Edit: August 10, 2017, 04:18:56 pm by franco
fabian, OPNsense Contributor (Language, VPN, Proxy, etc.), Reply #1 on: August 10, 2017, 07:09:55 am
I know this problem. This happens because the certificate chain contains an additional certificate. This one is checked against the installed CAs, where it is not included (Equifax). The second certificate is valid in the case of Google and should be the one which is validated.
This is a bug in the TLS library which is, afaik, known (and fixed upstream), but the patch did not get into the stable version in the FreeBSD ports.
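A simplified model of the chain-building behaviour described in the reply above, as an added example that is not part of the thread and not code from Squid or any TLS library. The certificate names and trust store are constructed, and only subject/issuer names are compared (no signature checks).

```python
"""Toy model of certificate path building (names only, no signatures)."""
from typing import NamedTuple


class Cert(NamedTuple):
    subject: str
    issuer: str


# Constructed chain as a server might send it: leaf, intermediate, and an
# extra cross-signed copy of the root whose issuer is the older root.
SENT_CHAIN = [
    Cert("www.example.test", "Example Intermediate CA"),
    Cert("Example Intermediate CA", "Example Root CA"),
    Cert("Example Root CA", "Equifax Root CA"),  # additional certificate
]

# Constructed trust store: holds the self-signed root, not the Equifax root.
TRUST_STORE = {"Example Root CA": Cert("Example Root CA", "Example Root CA")}


def links_ok(chain):
    """Each certificate must be issued by the next one in the list."""
    return all(a.issuer == b.subject for a, b in zip(chain, chain[1:]))


def validate_sent_chain_only(chain, trust):
    """Follow every certificate the server sent, then look up the issuer
    of the last one. The extra certificate leads to a root that is not
    installed, so validation fails."""
    if not chain or not links_ok(chain):
        return "BAD_CHAIN"
    return "OK" if chain[-1].issuer in trust else "UNKNOWN_CA"


def validate_trust_first(chain, trust):
    """Stop as soon as a certificate's issuer is an installed trust
    anchor, ignoring any further certificates the server sent."""
    if not chain or not links_ok(chain):
        return "BAD_CHAIN"
    for cert in chain:
        if cert.issuer in trust:
            return "OK"
    return "UNKNOWN_CA"


if __name__ == "__main__":
    print(validate_sent_chain_only(SENT_CHAIN, TRUST_STORE))
    print(validate_trust_first(SENT_CHAIN, TRUST_STORE))
```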
pongafence, Reply #2 on: August 10, 2017, 12:53:55 pm
Ah, I see. I'm using LibreSSL at the moment, so is this problem that you mentioned present with OpenSSL as well?
franco (Administrator), Reply #3 on: August 10, 2017, 01:25:31 pm
I think, if I remember Fabian's tickets right, this was a LibreSSL issue. We're bumping LibreSSL to version 2.5.5 with 17.7.1, so that should be fixed.
OpenSSL should be fine either way.
Cheers,
Franco
pongafence, Reply #4 on: August 10, 2017, 03:21:18 pm
Hey guys,
Thanks to the both of you for that info. I've switched back to OpenSSL for the time being, until LibreSSL catches up.
Resolves my issue!
franco (Administrator), Reply #5 on: August 10, 2017, 04:18:46 pm
Ok, then I'm marking this solved.