
Missing certificate fetching fails if default policy is Block All Non Categorized

Open ra-at-diladele-com opened this issue 2 years ago • 4 comments

  1. Set the "Block All Non Categorized" setting in default policy.
  2. Make another policy where this setting is not blocked.
  3. Browse as a user from policy 2 to some site that has a missing intermediate certificate, for example https://www.pratiche.it/. Note this site must be unknown to the categorization module.
  4. Error in Squid like:
The following error was encountered while trying to retrieve the URL: https://www.pratiche.it/*

    Failed to establish a secure connection to [unknown]

The system returned:

    [No Error] (TLS code: SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=1)

    Handshake with SSL server failed: [No Error]

This proxy and the remote host failed to negotiate a mutually acceptable security settings for 
handling your request. It is possible that the remote host does not support secure connections, 
or the proxy is not satisfied with the host security credentials.

ra-at-diladele-com avatar May 25 '22 07:05 ra-at-diladele-com

The error comes from the fact that Squid tries to fetch the certificate; that request gets to the ICAP web filter and, as this request is not authenticated, it gets processed by the default policy, which blocks it because the request is not categorized.

ra-at-diladele-com avatar May 25 '22 07:05 ra-at-diladele-com

Workaround:

In Admin UI / Squid / Exclusions / Advanced / Web Filter. Add the following lines:

# exclude manually from web filter
adaptation_access websafety1 deny fetched_certificate
adaptation_access websafety2 deny fetched_certificate

See the screenshot. Click Save and Restart. The missing cert should be fetched now. Note that if you have eCAP enabled it should now be:

# exclude manually from web filter and ecap
adaptation_access chain1 deny fetched_certificate
adaptation_access chain1 deny fetched_certificate

ra-at-diladele-com avatar May 25 '22 07:05 ra-at-diladele-com

(screenshot: exclude_cert_fetch)

ra-at-diladele-com avatar May 25 '22 07:05 ra-at-diladele-com
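An added squid.conf fragment, not from the thread or from the Web Safety project, showing where the `fetched_certificate` ACL used by the workaround above comes from and how the exclusion fits together. It assumes the `websafety1`/`websafety2` service names from the thread and that the generated Web Safety configuration may already define the ACL, which should be checked before adding it a second time.

```conf
# Added example; the acl and http_access lines are standard Squid
# configuration for its own certificate-fetching requests, the
# adaptation_access lines are the workaround from this thread.

# Squid's built-in initiator ACL: matches the internal requests Squid makes
# to download missing intermediate CA certificates of a TLS server.
acl fetched_certificate transaction_initiator certificate-fetching

# These requests carry no user credentials, so allow them in http_access
# before any proxy_auth rule can challenge them.
http_access allow fetched_certificate

# Keep them away from the ICAP web filter: otherwise the unauthenticated
# fetch lands in the default policy and is blocked when that policy has
# "Block All Non Categorized" set and the site is not yet categorized.
adaptation_access websafety1 deny fetched_certificate
adaptation_access websafety2 deny fetched_certificate
```

Run `squid -k parse` after editing to confirm the ACL name is defined exactly once before restarting.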

Implemented, need to check.

ra-at-diladele-com avatar Aug 31 '22 14:08 ra-at-diladele-com