Discussion:
[squid-users] bank blocked
Vacheslav
2018-10-31 14:41:59 UTC
Peace,

Here is the log ufdbguard:

2018-10-31 17:34:45 [4270] TLSv1.2 certificate for i.bps-sberbank.by:443: UNRECOGNISED ISSUER (maybe a certificate chain issue) *****
2018-10-31 17:34:45 [4270] issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
2018-10-31 17:34:45 [4270] subject: /C=BY/L=Minsk/O=BPS-Sberbank OAO/OU=Head Office/CN=*.bps-sberbank.by
2018-10-31 17:34:45 [4270] TLSv1.2 connection to i.bps-sberbank.by:443 has error code 12. It is marked as a TLS/SSL certificate issue
2018-10-31 17:34:45 [4270] BLOCK - 10.17.10.17 config https-option i.bps-sberbank.by:443 CONNECT

What is wrong?
Matus UHLAR - fantomas
2018-10-31 14:45:51 UTC
Post by Vacheslav
2018-10-31 17:34:45 [4270] TLSv1.2 certificate for i.bps-sberbank.by:443: UNRECOGNISED ISSUER (maybe a certificate chain issue) *****
2018-10-31 17:34:45 [4270] issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
Does your system recognize this authority? Do you have a current list of CAs?
Post by Vacheslav
2018-10-31 17:34:45 [4270] subject: /C=BY/L=Minsk/O=BPS-Sberbank OAO/OU=Head Office/CN=*.bps-sberbank.by
2018-10-31 17:34:45 [4270] TLSv1.2 connection to i.bps-sberbank.by:443 has error code 12. It is marked as a TLS/SSL certificate issue
2018-10-31 17:34:45 [4270] BLOCK - 10.17.10.17 config https-option i.bps-sberbank.by:443 CONNECT
What is wrong?
--
Matus UHLAR - fantomas, ***@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (in Slovak): I do NOT want to receive any advertising mail at this address.
On the other hand, you have different fingers.
Vacheslav
2018-10-31 14:48:58 UTC
I do not use bump or splice, if that is what you mean. I do not import certificates. It works without the proxy.

Marcus Kool
2018-10-31 15:01:09 UTC
When there is an issue with a certificate, it is good practice to go to ssllabs to verify what is going on.

https://www.ssllabs.com/ssltest/analyze.html?d=i.bps%2dsberbank.by&hideResults=on&latest
shows that there is an incomplete certificate chain issue (in orange), which means that the bank's server does not send all (intermediate) certificates.
Click on the blue '+' of certification paths and it shows that the 'GeoTrust RSA CA 2018' (intermediate certificate) had to be downloaded.

The messages are not from Squid but from ufdbGuard, which apparently is configured with an option to block the URL in case of a certificate issue.
Since Squid already checks for valid certificate chains, I suggest turning this option off in ufdbGuard.

Marcus
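The "incomplete chain" failure Marcus describes is easy to reproduce without the bank's server. The script below is an added example, not code from the thread, from Squid or from ufdbGuard: it builds a throwaway root CA, intermediate CA and wildcard leaf certificate with the openssl CLI (all names, such as "Example Root CA" and "*.bank.example", are made up for the demonstration), then verifies the leaf against a trust store that holds only the root, first with the intermediate withheld, as the bank's server does, and then with the intermediate supplied. An OpenSSL-based client such as Squid or ufdbGuard sees exactly the first case; browsers often hide it because they fetch or cache intermediates themselves.

```shell
#!/bin/sh
# Constructed offline demonstration of an incomplete certificate chain.
# Requires the openssl CLI. All names below are invented for the example.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. Self-signed root CA (the only thing we will put in the trust store).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/C=XX/O=Example Root/CN=Example Root CA" \
  -keyout root.key -out root.pem >/dev/null 2>&1

# 2. Intermediate CA, signed by the root, marked CA:TRUE so it may issue.
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/C=XX/O=Example Inc/CN=Example Intermediate CA" \
  -keyout inter.key -out inter.csr >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -sha256 -extfile inter.ext -out inter.pem >/dev/null 2>&1

# 3. Wildcard server (leaf) certificate, signed by the intermediate.
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/C=XX/O=Example Bank/CN=*.bank.example" \
  -keyout leaf.key -out leaf.csr >/dev/null 2>&1
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.bank.example\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 30 -sha256 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1

# verify_chain ROOT LEAF [INTERMEDIATE...]
# ROOT is the trust store; the intermediates play the role of the extra
# certificates the TLS server sends. Prints openssl's verdict ("leaf.pem: OK"
# or the error text) and returns openssl's exit status.
verify_chain() {
  root=$1; leaf=$2; shift 2
  untrusted=""
  for c in "$@"; do untrusted="$untrusted -untrusted $c"; done
  # shellcheck disable=SC2086
  openssl verify -CAfile "$root" $untrusted "$leaf" 2>&1
}

# chain_is_complete LEAF [INTERMEDIATE...]: succeeds iff LEAF chains to root.pem
chain_is_complete() { verify_chain root.pem "$@" >/dev/null 2>&1; }

# Server sends only the leaf: no path to the root can be built.
incomplete=$(verify_chain root.pem leaf.pem || true)
echo "leaf only   : $incomplete"

# Server sends leaf + intermediate: the path builds and verification passes.
complete=$(verify_chain root.pem leaf.pem inter.pem || true)
echo "leaf + inter: $complete"
```

The "leaf only" run fails with "unable to get local issuer certificate", the classic signature of a server that omits its intermediate; the second run reports OK without touching the trust store, which is why updating the CA bundle (Matus's question) does not help here. To check what a real server actually sends, run `openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null` and count the entries under "Certificate chain": a single entry means the intermediate is missing, and the fix belongs on the server side.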