Error negotiating SSL connection on FD 16

saiyan_gc
Hi, I am trying to set up an HTTPS proxy server. After I followed some
tutorial, created a self-signed certificate, configured squid.conf, copied
the certificate to the client host and set up the https_proxy global
environment variable, I can do curl https://www.google.com. I saw
"172.16.0.16 TCP_TUNNEL/200 16567 CONNECT www.google.com:443 abc
HIER_DIRECT/216.58.193.68 -".

But when I try to use my AWS CLI with "aws s3 ls", the access log
throws "172.16.0.16 NONE/000 0 NONE error:transaction-end-before-headers -
HIER_NONE/ - -".

And it throws "Error negotiating SSL connection on FD 16" in cache.log.

I am pretty new to Squid; can anyone help me with this stupid question?

Here is my config file:

https_port 3130 cert=/etc/squid/ssl_cert/example.com.cert \
    key=/etc/squid/ssl_cert/example.com.private
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic children 5 startup=0 idle=1
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl ncsa_users proxy_auth REQUIRED
http_access deny !ncsa_users
http_access allow all

--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Error negotiating SSL connection on FD 16

Amos Jeffries
Administrator
On 30/03/20 11:58 am, saiyan_gc wrote:
> Hi, I am trying to set up an HTTPS proxy server, and after I followed some
> tutorial,

Which tutorial?

> created a self-signed certificate, configured squid.conf, I also
> copied the certificate to the client host

Which certificate?
Where did you put it?
Do both curl and the aws tool use that location?

> and set up the https_proxy global
> environment variable,

How did you set it up?

Do both curl and the aws tool use that non-standard environment variable?


> I can do *curl https://www.google.com*. I saw
> "172.16.0.16 TCP_TUNNEL/200 16567 CONNECT www.google.com:443 abc
> HIER_DIRECT/216.58.193.68 -".

This curl request does not match the squid.conf you provided. No
authentication credentials are provided, yet username "abc" is being logged.


>
> But when I try to use my AWS CLI with "aws s3 ls", the access log
> throws "172.16.0.16 NONE/000 0 NONE error:transaction-end-before-headers -
> HIER_NONE/ - -".

The TCP connection from the client closed before any HTTP was received.

>
> And it throws "Error negotiating SSL connection on FD 16" in cache.log
>

TLS handshake failure is likely why the TCP connection closed.

Find out what failure is happening.


>
> Here is my config file:
>
> https_port 3130 cert=/etc/squid/ssl_cert/example.com.cert \
>     key=/etc/squid/ssl_cert/example.com.private
> auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
> auth_param basic children 5 startup=0 idle=1
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> acl ncsa_users proxy_auth REQUIRED
> http_access deny !ncsa_users
> http_access allow all
>
>


Amos

Re: Error negotiating SSL connection on FD 16

saiyan_gc
Hi, thank you for replying to me. Really appreciated!

I modified the squid conf file to:

http_port 2128 ssl-bump cert=/etc/squid/ssl_cert/example.com.cert \
    key=/etc/squid/ssl_cert/example.com.private \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB
https_port 3130 cert=/etc/squid/ssl_cert/example.com.cert \
    key=/etc/squid/ssl_cert/example.com.private  
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic children 5 startup=0 idle=1
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl ncsa_users proxy_auth REQUIRED
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
http_access deny !ncsa_users
http_access allow ncsa_users

And it's working for http_port. I put the cert into
/etc/pki/trust-ca/source/anchor and ran an update-ca-trust command. Both
the aws cli and curl commands work now. I am still not sure why https_port
doesn't work.

The previous setting worked with curl but not the aws cli; not sure why it
fails during the TLS handshake.

Thank you

Re: Error negotiating SSL connection on FD 16

Amos Jeffries
Administrator
On 2/04/20 5:42 pm, saiyan_gc wrote:

> Hi, thank you for replying to me. Really appreciated!
>
> I modified the squid conf file to:
>
> http_port 2128 ssl-bump cert=/etc/squid/ssl_cert/example.com.cert \
>     key=/etc/squid/ssl_cert/example.com.private \
>     generate-host-certificates=on \
>     dynamic_cert_mem_cache_size=4MB
> https_port 3130 cert=/etc/squid/ssl_cert/example.com.cert \
>     key=/etc/squid/ssl_cert/example.com.private  
> auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
> auth_param basic children 5 startup=0 idle=1
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> acl ncsa_users proxy_auth REQUIRED
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all
> http_access deny !ncsa_users
> http_access allow ncsa_users
>
> And it's working for http_port. I put the cert into
> /etc/pki/trust-ca/source/anchor and ran an update-ca-trust command. Both
> the aws cli and curl commands work now. I am still not sure why https_port
> doesn't work.


What you have here is:

* TLS explicit/forward proxy on port 3130.

This requires a regular server certificate for the proxy to use it as a
server encrypting traffic between the client and proxy.


* Interception of HTTPS sent in CONNECT tunnels over a plain-text proxy
on port 2128.

This requires a CA certificate to sign auto-generated server
certificates encrypting the traffic between client and origin server.


That difference in cert type is why when one port works, the other will not.

So the first thing to do is make sure the cert types are correct.


> The previous setting worked with curl but not the aws cli; not sure why it
> fails during the TLS handshake.
>

The second thing you will need to do is find out which port the tool is
using and whether it is using it in the right mode of traffic.


Amos
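As an added example (not code from the thread or from the Squid project), the check Amos describes in Go: whether a PEM certificate carries basicConstraints CA:TRUE and so fits an ssl-bump port with generate-host-certificates=on, or is a plain server certificate that belongs on an https_port. The two test certificates, and the CN example.com on them, are constructed here so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertRole reports which Squid directive a PEM certificate fits: "ca" for an
// ssl-bump port with generate-host-certificates=on, "server" for an https_port.
func CertRole(certPEM []byte) (string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	if cert.BasicConstraintsValid && cert.IsCA { // basicConstraints CA:TRUE
		return "ca", nil
	}
	return "server", nil
}

func selfSigned(isCA bool) []byte { // constructed test cert so this runs offline
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	usage := x509.KeyUsageDigitalSignature
	if isCA {
		usage |= x509.KeyUsageCertSign // a CA cert must be allowed to sign certs
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.com"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: usage,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	fmt.Println(CertRole(selfSigned(false))) // server <nil>
	fmt.Println(CertRole(selfSigned(true)))  // ca <nil>
}
```

Run CertRole over the file named in each cert= option; if the ssl-bump port's file comes back "server" or the https_port's file comes back "ca", that is the mismatch Amos points at.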