(71) Protocol error (TLS code: X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)


(71) Protocol error (TLS code: X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)

kitamura
Hi team,

Sorry for the many questions.
As an in-house SE, I plan to switch from Bluecoat to Squid. 
***I am Japanese. And I can not do English.
All are Google translations.***

I am doing a load test on Squid.
Apache Jmeter is loading the self-certified WEB server.
How can I test with a self-certified WEB server with Jmeter?

Squid server:
 -set SSL Bump
 -No authentication(no AD,no Basic)
 -Other https is OK(yahoo,google,etc)
 
Web server:
 -Apache and ssl_mod installed
 -Registered in DNS
 -Created a self-signed certificate
 -Set the p12 file to Jmeter's SSL Manager

Jmeter
 response header

HTTP/1.1 503 Service Unavailable
Server: squid/4.4
X-Squid-Error: ERR_SECURE_CONNECT_FAIL 71

 response body
(71) Protocol error (TLS code: X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)

This proxy and the host to which it connects could not get security settings to handle your request, which are accepted by each other. The host you are connecting to may not support secure connections, or the proxy may not be able to meet the certificate requested by the host you are connecting to.

Thank you,
kitamura

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: (71) Protocol error (TLS code: X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)

Amos Jeffries
Administrator
On 26/08/20 1:30 pm, m k wrote:

> Hi team,
>
> Sorry for the many questions.
> As an in-house SE, I plan to switch from Bluecoat to Squid. 
> ***I am Japanese. And I can not do English.
> All are Google translations.***
>
> I am doing a load test on Squid.
> Apache Jmeter is loading the self-certified WEB server.
> How can I test with a self-certified WEB server with Jmeter?
>

You can use cache_peer for custom connectivity to a server:

  cache_peer jmeter.local parent 443 0 originserver \
    tls-cafile=/etc/squid/jmeter_ca_cert.pem \
    tls-default-ca=off

  cache_peer_access jmeter.local allow ...
  never_direct allow ...


Put the CA cert for jmeter in /etc/squid/jmeter_ca_cert.pem.


FYI: it is best to keep the self-signed cert as your own private CA and
give jmeter a normal server cert. Then you only have to change the
jmeter config if its cert gets compromised or needs updating for any
other reason. Squid can continue to use your self-signed CA to verify
any server certs it signed for jmeter.


Amos
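
Both options in the reply above can be checked outside Squid with the openssl CLI. This is an added example, not part of the thread: demo-ca, web.example.test and all file names are constructed placeholders, and the trust file passed to `check` plays the role of tls-cafile. OpenSSL verify error 18 is X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT.

```shell
#!/usr/bin/env bash
# Added example. Every name here (demo-ca, web.example.test, file names) is a
# constructed placeholder, not a value from the thread.

# Minimal req config so the demo does not depend on the system openssl.cnf.
write_cnf() {
  cat > "$1/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
}

# Create a private CA, a self-signed server cert, and a CA-signed server cert.
make_certs() {
  local d="$1" host="web.example.test"
  write_cnf "$d"
  openssl req -x509 -config "$d/demo.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=demo-ca" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -x509 -config "$d/demo.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$host" -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
  openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$host" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$host" > "$d/san.ext"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -extfile "$d/san.ext" -out "$d/leaf.pem" 2>/dev/null
}

# check TRUST_ANCHOR CERT: prints OK, or the verify error number and depth.
check() {
  local out
  out=$(openssl verify -CAfile "$1" "$2" 2>&1) && { echo OK; return 0; }
  printf '%s\n' "$out" | grep -o 'error [0-9]* at [0-9]* depth lookup' | head -n 1
}

demo() {
  local d; d=$(mktemp -d)
  make_certs "$d"
  echo "self-signed cert, not in trust file: $(check "$d/ca.pem" "$d/self.pem")"
  echo "self-signed cert as its own anchor:  $(check "$d/self.pem" "$d/self.pem")"
  echo "server cert issued by private CA:    $(check "$d/ca.pem" "$d/leaf.pem")"
  rm -rf "$d"
}
demo
```

With the private CA as the trust anchor, the server key and certificate can be reissued without touching the trust file, which is the point of the FYI in the reply.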