Got [No Error] (TLS code: SQUID_ERR_SSL_HANDSHAKE)


Got [No Error] (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Itai Tieger
Hey,

I'm using squid 4.4 compiled with openssl 1.1.0.
Sometimes when I try to access a site, I get this error:
The following error was encountered while trying to retrieve the URL:
https://175.41.13.121/*

Failed to establish a secure connection to 175.41.13.121

The system returned: [No Error] (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Handshake with SSL server failed: [No Error]

This proxy and the remote host failed to negotiate a mutually acceptable
security settings for handling your request. It is possible that the remote
host does not support secure connections, or the proxy is not satisfied with
the host security credentials.

Your cache administrator is webmaster.
This is the capture file:
sniff.cap
<http://squid-web-proxy-cache.1019090.n4.nabble.com/file/t377689/sniff.cap>  
I can't seem to understand what is the problem, what exactly is missing and
how can I debug it myself?

I also get many
 32 2019/02/25 00:09:19 kid1| ERROR: negotiating TLS on FD 43:
error:1416F086:SSL routines:tls_process_server_certificate:certificate
verify failed (1/-1/0)
in the log, might be related... ?



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: Got [No Error] (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Amos Jeffries
Administrator
On 17/03/19 8:22 pm, Itai Tieger wrote:
> This is the capture file:
> sniff.cap
> <http://squid-web-proxy-cache.1019090.n4.nabble.com/file/t377689/sniff.cap>  
> I can't seem to understand what is the problem, what exactly is missing and
> how can I debug it myself?

Your trace shows TCP stream #35 as the only one to that server IP
address. The handshake is successful in that stream.


>
> I also get many
>  32 2019/02/25 00:09:19 kid1| ERROR: negotiating TLS on FD 43:
> error:1416F086:SSL routines:tls_process_server_certificate:certificate
> verify failed (1/-1/0)
> in the log, might be related... ?
>

Possibly. The server certificate being invalid or otherwise unable to
verify would certainly be a handshake failure.

Amos
Re: Got [No Error] (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Itai Tieger
Amos, Thanks for the quick response!

The error happened on all streams (or at least, on all refresh tries).
I too didn't see any error in the captures so I can't say what's the issue.
I doubt there's a server certificate problem - it worked before and it
worked after...
What other reasons could lead to that?

Attaching all the other captures. This time the upstream one (the last one
was the downstream).
sniff0.cap
<http://squid-web-proxy-cache.1019090.n4.nabble.com/file/t377689/sniff0.cap>  
sniff1.cap
<http://squid-web-proxy-cache.1019090.n4.nabble.com/file/t377689/sniff1.cap>  
sniff3.cap
<http://squid-web-proxy-cache.1019090.n4.nabble.com/file/t377689/sniff3.cap>  

I don't see anything special here (maybe you'll see), but evidently, there's
a problem.
What can I do more to better understand the problem?



Re: Got [No Error] (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Alex Rousskov
On 3/17/19 1:22 AM, Itai Tieger wrote:

> I'm using squid 4.4 compiled with openssl 1.1.0.
> Sometimes when I try to access a site, I get this error:

> (TLS code: SQUID_ERR_SSL_HANDSHAKE) Handshake with SSL server failed: [No Error]


> how can I debug it myself?

Since the error is probably detected inside OpenSSL SSL_connect(), I
would start by extracting the corresponding server certificate from the
packet capture and asking the OpenSSL library on the Squid box to validate it.


> I also get many
>  32 2019/02/25 00:09:19 kid1| ERROR: negotiating TLS on FD 43:
> error:1416F086:SSL routines:tls_process_server_certificate:certificate
> verify failed (1/-1/0)
> in the log, might be related... ?

It is -- SQUID_ERR_SSL_HANDSHAKE is only returned after printing the
above level-1 message AFAICT.


BTW, if Squid does not relay the above OpenSSL error details to the
error page, it is a Squid bug or deficiency.


Alex.
Re: Got [No Error] (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Itai Tieger
Thanks for the answer!


