Netgate Discussion Forum

    Squid3-dev sites issues with SSL3_GET_SERVER_CERTIFICATE

    • periko

      Testing squid3-dev ssl-bump, most of the sites are working, but there are some sites, like eBay, that send us this error once you try to pay:

      The following error was encountered while trying to retrieve the URL: ://checkout.payments.ebay.com:443

      Failed to establish a secure connection to site-ip

      The system returned:

      (92) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
      SSL Certficate error: certificate issuer (CA) not known: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3

      This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.

      The url is this one:

      https://checkout.payments.ebay.com/ws/eBayISAPI.dll?XOProcessor&item=251488283347&transactionid=-1&quantity=1&rev=0&rsp=true

      squid3-dev 3.3.10, pfSense 2.1 x64; Chrome and Firefox show the same issue.

      Anyone with this issue, and how can we fix it?

      • kazimates

        If you go to pfSense / Services / Squid Proxy Server / General tab, then check the SSL Man In The Middle Filtering area and change the SSL/MITM Mode from Splice Whitelist, Bump Otherwise to Splice All,

        the problem can be solved this way.

        OR

        With the default value of the SSL/MITM Mode, Splice Whitelist, Bump Otherwise, you can go to the ACLs tab and add the desired web site URL to the Whitelist area, i.e.: online.kktcmaliye.com

        1 Reply Last reply Reply Quote 0
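
How the error code in the question arises, as an added example that is not part of the original thread: OpenSSL reports X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ("unable to get local issuer certificate") when a certificate's issuer is neither in the verifier's trust store nor supplied with the chain. The three-level PKI below is constructed for illustration (all names are made up), the `openssl` CLI is assumed to be installed, and nothing here claims which certificates the eBay server actually sent.

```shell
#!/bin/sh
# Constructed test PKI (all names invented): root CA -> issuing CA -> server leaf.
issue() {  # $1 = dir, $2 = name, $3 = subject, $4 = signer name, $5 = extension section
  openssl req -new -config "$1/pki.cnf" -newkey rsa:2048 -nodes -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
    -CAcreateserial -days 2 -extfile "$1/pki.cnf" -extensions "$5" \
    -out "$1/$2.pem" 2>/dev/null
}

make_chain() {  # $1 = working directory
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ca' '[dn]' \
    '[ca]' 'basicConstraints = critical,CA:TRUE' \
    '[leaf]' 'basicConstraints = CA:FALSE' > "$1/pki.cnf"
  # Self-signed root: the only certificate the verifier (the "proxy") trusts.
  openssl req -x509 -config "$1/pki.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Root CA" -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
  # Issuing CA signed by the root, then a server leaf signed by the issuing CA.
  issue "$1" int  "/CN=Example Issuing CA" root ca
  issue "$1" leaf "/CN=shop.example.test"  int  leaf
}

verify_leaf() {  # $1 = dir; any further arguments are passed to `openssl verify`
  d=$1; shift
  openssl verify -CAfile "$d/root.pem" "$@" "$d/leaf.pem" 2>&1
}

WORK=$(mktemp -d) && trap 'rm -rf "$WORK"' EXIT
make_chain "$WORK"

echo "--- verifier trusts only the root and was handed only the leaf:"
verify_leaf "$WORK" || echo "(verification failed: the leaf's issuer is not known locally)"

echo "--- same trust store, issuing CA supplied as an untrusted chain certificate:"
verify_leaf "$WORK" -untrusted "$WORK/int.pem"
```
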
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.