Communication fails between parent and child if using SSL/TLS


Jānis
Hi!

Theoretically, I have configured two squids in a parent-child cache structure.

It works perfectly if it is just "plaintext" communication, but if I
set them to use SSL (for non-HTTPS traffic),
the following error occurs:
X-Squid-Error: ERR_CONNECT_FAIL 111

and

TCP connection to PARENT/PORT failed

pop: lookup for key {PARENT/PORT} failed

child's cache_peer config:

cache_peer PARENT parent PORT 0 proxy-only ssl \
            sslcert=/path/to/cert.pem \
            sslkey=/path/to/key.key \
            sslflags=DONT_VERIFY_PEER

parent's:

https_port PORT \
     cert=/path/to/parent/cert.pem \
     key=/path/to/parent/key.key \
     sslflags=NO_DEFAULT_CA

Yes, and the parent for some reason is not listening on PORT (according to
netstat -l -n).

Connection from child to parent is allowed (it stays the same for either the
non-SSL or the SSL-enabled config).

squid's ./configure:
   --prefix=/usr \
   --libdir=/usr/lib${LIBDIRSUFFIX} \
   --sysconfdir=/etc/squid \
   --localstatedir=/var/log/squid \
   --datadir=/usr/share/squid \
   --with-pidfile=/var/run/squid \
   --mandir=/usr/man \
   --with-logdir=/var/log/squid \
   --disable-devpoll \
   --enable-snmp \
   --enable-ssl \
   --enable-linux-netfilter \
   --enable-async-io \
   --disable-translation \
   --build=$ARCH-slackware-linux

What disappoints me: with the older version of squid it worked. The upgrade
broke it.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: Communication fails between parent and child if using SSL/TLS

Jānis

Quoting Jānis <[hidden email]>
Sun, 26 Mar 2017 14:56:32 +0300:

> Hi!
>
> Theoretically, I have configured two squids in a parent-child cache
> structure.
>
> It works perfectly if it is just "plaintext" communication, but if
> I set them to use SSL (for non-HTTPS traffic),
> the following error occurs:
> X-Squid-Error: ERR_CONNECT_FAIL 111
>
> and
>
> TCP connection to PARENT/PORT failed
>
> pop: lookup for key {PARENT/PORT} failed
>
> child's cache_peer config:
>
> cache_peer PARENT parent PORT 0 proxy-only ssl \
>            sslcert=/path/to/cert.pem \
>            sslkey=/path/to/key.key \
>            sslflags=DONT_VERIFY_PEER
>
> parent's:
>
> https_port PORT \
>     cert=/path/to/parent/cert.pem \
>     key=/path/to/parent/key.key \
>     sslflags=NO_DEFAULT_CA
>
> Yes, and the parent for some reason is not listening on PORT (according
> to netstat -l -n).
>
> Connection from child to parent is allowed (it stays the same for either
> the non-SSL or the SSL-enabled config).
>
> squid's ./configure:
>   --prefix=/usr \
>   --libdir=/usr/lib${LIBDIRSUFFIX} \
>   --sysconfdir=/etc/squid \
>   --localstatedir=/var/log/squid \
>   --datadir=/usr/share/squid \
>   --with-pidfile=/var/run/squid \
>   --mandir=/usr/man \
>   --with-logdir=/var/log/squid \
>   --disable-devpoll \
>   --enable-snmp \
>   --enable-ssl \
>   --enable-linux-netfilter \
>   --enable-async-io \
>   --disable-translation \
>   --build=$ARCH-slackware-linux
>
> What disappoints me: with the older version of squid it worked. The
> upgrade broke it.

Both ends use GnuTLS.

Re: Communication fails between parent and child if using SSL/TLS

Amos Jeffries
Administrator
On 27/03/2017 1:01 a.m., Jānis wrote:

>
> Citēts Jānis
> Sun, 26 Mar 2017 14:56:32 +0300:
>
>> Hi!
>>
>> Theoretically, I have configured two squids in a parent-child cache
>> structure.
>>
>> It works perfectly if it is just "plaintext" communication, but if I
>> set them to use SSL (for non-HTTPS traffic),
>> the following error occurs:
>> X-Squid-Error: ERR_CONNECT_FAIL 111
>>
>> and
>>
>> TCP connection to PARENT/PORT failed
>>
>> pop: lookup for key {PARENT/PORT} failed
>>
>> child's cache_peer config:
>>
>> cache_peer PARENT parent PORT 0 proxy-only ssl \
>>            sslcert=/path/to/cert.pem \
>>            sslkey=/path/to/key.key \
>>            sslflags=DONT_VERIFY_PEER
>>
>> parent's:
>>
>> https_port PORT \
>>     cert=/path/to/parent/cert.pem \
>>     key=/path/to/parent/key.key \
>>     sslflags=NO_DEFAULT_CA
>>
>> Yes, and the parent for some reason is not listening on PORT (according to
>> netstat -l -n).
>>
>> Connection from child to parent is allowed (it stays the same for either
>> the non-SSL or the SSL-enabled config).
>>
>> squid's ./configure:
>>   --prefix=/usr \
>>   --libdir=/usr/lib${LIBDIRSUFFIX} \
>>   --sysconfdir=/etc/squid \
>>   --localstatedir=/var/log/squid \
>>   --datadir=/usr/share/squid \
>>   --with-pidfile=/var/run/squid \
>>   --mandir=/usr/man \
>>   --with-logdir=/var/log/squid \
>>   --disable-devpoll \
>>   --enable-snmp \
>>   --enable-ssl \
>>   --enable-linux-netfilter \
>>   --enable-async-io \
>>   --disable-translation \
>>   --build=$ARCH-slackware-linux
>>
>> What disappoints me: with the older version of squid it worked. The upgrade
>> broke it.

By "the upgrade" you mean what version(s) changed?

>
> Both ends use GnuTLS.
>

GnuTLS support is not available for https_port yet. You need
build option --with-openssl for at least that part. --enable-ssl is
deprecated.

Amos
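The two things Amos asks for are the build flags (what `squid -v` prints as "configure options:") and the config in use. The script below is an added example, not code from this thread or from the Squid project: a pre-flight check that classifies the TLS build from `squid -v` output, refuses `https_port` on anything but an OpenSSL build (which is what Amos's answer states for March 2017; later Squid releases may differ), and flags the `sslflags=DONT_VERIFY_PEER` in the child's cache_peer, since that option makes the child encrypt to whatever answers on PARENT:PORT without ever validating the parent's certificate. The `squid -v` sample and the squid.conf fragment inside it are constructed from the thread's own lines; the function names are the example's own.

```sh
#!/bin/sh
# Added example, not code from this thread or from the Squid project.
# Pre-flight check for a TLS cache_peer / https_port setup: it reads the
# "configure options:" line printed by `squid -v` and a squid.conf fragment.
# The two samples below are constructed to mirror the thread; on a real host:
#   squid -v | tls_library
#   check_conf "$(squid -v | tls_library)" < /etc/squid/squid.conf

# Constructed sample of `squid -v` output carrying the thread's configure
# flags (real output wraps each option in single quotes; the substring
# matching below does not care).
SQUID_V_THREAD="Squid Cache: Version (constructed sample)
configure options: --prefix=/usr --sysconfdir=/etc/squid --enable-snmp --enable-ssl --enable-linux-netfilter"

# The child's cache_peer and the parent's https_port as posted in the thread.
CONF_THREAD='cache_peer PARENT parent PORT 0 proxy-only ssl \
            sslcert=/path/to/cert.pem \
            sslkey=/path/to/key.key \
            sslflags=DONT_VERIFY_PEER
https_port PORT \
     cert=/path/to/parent/cert.pem \
     key=/path/to/parent/key.key \
     sslflags=NO_DEFAULT_CA'

# Classify the TLS build from `squid -v` output on stdin:
#   openssl : --with-openssl present (what https_port needs, per the thread)
#   gnutls  : --with-gnutls present (no https_port support at the time)
#   legacy  : only the deprecated --enable-ssl, no TLS library named
#   none    : no TLS option at all
tls_library() {
    opts=$(sed -n 's/^configure options: *//p')
    case "$opts" in
        *--with-openssl*) echo openssl ;;
        *--with-gnutls*)  echo gnutls ;;
        *--enable-ssl*)   echo legacy ;;
        *)                echo none ;;
    esac
}

# True only for the OpenSSL build: Amos's answer says https_port has no
# GnuTLS support (March 2017), and a legacy build names no library at all.
https_port_ok() {
    [ "$1" = openssl ]
}

# Scan a squid.conf fragment on stdin, given the build class as $1.
# Backslash-continued directives (the style used in the thread) are joined
# onto one line first. Findings go to stdout, one per line:
#   ERROR  https_port in a non-OpenSSL build: the port is never opened, so
#          the child sees ERR_CONNECT_FAIL 111 (errno 111 = ECONNREFUSED)
#   WARN   DONT_VERIFY_PEER on an ssl/tls cache_peer: the child never checks
#          the parent's certificate, so anyone answering on PARENT:PORT will do
check_conf() {
    build=$1
    sed -e ':a' -e '/\\$/N' -e 's/\\\n[[:space:]]*/ /' -e 'ta' |
    while IFS= read -r line; do
        case "$line" in
            https_port*)
                https_port_ok "$build" ||
                    echo "ERROR: https_port needs a --with-openssl build (this build: $build)" ;;
            cache_peer*" ssl "*|cache_peer*" ssl"|cache_peer*" tls "*|cache_peer*" tls")
                case "$line" in
                    *DONT_VERIFY_PEER*)
                        echo "WARN: cache_peer uses DONT_VERIFY_PEER; the parent certificate is never validated" ;;
                esac ;;
        esac
    done
}

# Stand-alone run against the constructed samples.
build=$(printf '%s\n' "$SQUID_V_THREAD" | tls_library)
echo "TLS build: $build"
printf '%s\n' "$CONF_THREAD" | check_conf "$build"
```

Run against the thread's own configure line the build classifies as `legacy`, so the `https_port` line is reported as the reason the parent never listens, which matches the `netstat -l -n` observation; rebuilding with `--with-openssl` clears that finding, while the `DONT_VERIFY_PEER` warning stays until the child is given a CA to validate the parent against (for example via `sslcafile=` on the cache_peer line) and the flag is dropped.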