Re: Squid Version 3.5.20 Any Ideas

Cherukuri, Naresh

Hi All,

I installed Squid version 3.5.20 on RHEL 7 and generated self-signed CA certificates. My users are complaining about certificate errors. When I looked at cache.log I see many error messages like the ones below. Below is my squid.conf file. Any ideas how to address the errors below?

Squid.conf:

max_filedesc 4096
visible_hostname pctysqd2prod
logfile_rotate 10

access_log stdio:/var/log/squid/access.log squid

acl localnet src 172.16.0.0/16
acl backoffice_users src 10.136.0.0/13
acl hcity_backoffice_users src 10.142.0.0/15
acl register_users src 10.128.0.0/13
acl hcity_register_users src 10.134.0.0/15
acl partycity url_regex partycity

acl SSL_ports port 443
acl Safe_ports port 80          # http
#acl Safe_ports port 21         # ftp
acl Safe_ports port 443         # https
#acl Safe_ports port 70         # gopher
#acl Safe_ports port 210        # wais
#acl Safe_ports port 1025-65535 # unregistered ports
#acl Safe_ports port 280        # http-mgmt
#acl Safe_ports port 488        # gss-http
#acl Safe_ports port 591        # filemaker
#acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT
#acl allowed_sites {dst|dstdomain|dstdom_regex|url_regex) "/path/to/file"
acl backoffice_allowed_sites url_regex "/etc/squid/backoffice_allowed_sites"
acl hcity_backoffice_allowed_sites url_regex "/etc/squid/backoffice_allowed_sites"
acl backoffice_blocked_sites url_regex "/etc/squid/backoffice_blocklist"
acl hcity_backoffice_blocked_sites url_regex "/etc/squid/backoffice_blocklist"
acl register_allowed_sites url_regex "/etc/squid/register_allowed_sites"
acl hcity_register_allowed_sites url_regex "/etc/squid/hcity_register_allowed_sites"

http_access allow localnet register_allowed_sites
http_access deny backoffice_users backoffice_blocked_sites
http_access deny hcity_backoffice_users backoffice_blocked_sites
http_access allow backoffice_users backoffice_allowed_sites
http_access allow hcity_backoffice_users backoffice_allowed_sites
http_access allow register_users register_allowed_sites
http_access allow hcity_register_users hcity_register_allowed_sites
no_cache deny partycity
# NOTE: http_access rules are evaluated in order and "deny all" matches every
# request, so none of the http_access lines below this one are ever reached.
http_access deny all

#http_access allow manager localhost
#http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
#http_access deny CONNECT !SSL_ports
http_access allow CONNECT SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128 ssl-bump \
    key=/etc/squid/pctysquid2sslcerts/pctysquid2prod.pkey \
    cert=/etc/squid/pctysquid2sslcerts/pctysquid2prod.crt \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

sslproxy_cert_error allow all
always_direct allow all
sslproxy_flags DONT_VERIFY_PEER

# sslcrtd_children is its own directive; everything after the program path on
# the sslcrtd_program line is passed to ssl_crtd as arguments.
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /cache/squid 10000 16 256

# Leave coredumps in the first cache dir
#coredump_dir /var/spool/squid
coredump_dir /var/log/squid/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

#url_rewrite_access allow all
#url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidguard.conf

 

Cache.log:

2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 689: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 1114: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:37 kid1| Error negotiating SSL connection on FD 146: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 252: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 36: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
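Added here as an example (not part of the original post or of Squid itself): a small Python triage of the cache.log lines above. It decodes the packed OpenSSL error code into the TLS alert the client sent, counts failures per alert type, and attaches the defender's reading of each. The sample input is the five posted lines plus two constructed lines (one "unknown ca" alert and one unrelated message) so the parser's skip path is exercised; the interpretation text is mine.

```python
"""Classify the "Error negotiating SSL connection" lines in a Squid 3.5 cache.log.

OpenSSL 1.0.x packs each error code as (lib << 24) | (func << 12) | reason, and
for a TLS alert received from the peer the reason is 1000 + the alert number
(SSL_AD_REASON_OFFSET). So error:14094416 decodes to lib 0x14 (SSL),
func 0x094 (SSL3_READ_BYTES), reason 0x416 = 1046 -> TLS alert 46
(certificate_unknown): the *client* rejected the certificate Squid minted.
"""
import re
from collections import Counter
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<kid>kid\d+)\| "
    r"Error negotiating SSL connection on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):"
    r"(?P<reason>[^(]+?)\s*\(\d+/\d+\)$"
)

# TLS alert descriptions, RFC 5246 section 7.2.2.
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
              44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
              48: "unknown_ca", 70: "protocol_version", 112: "unrecognized_name"}

# What each client-sent alert usually means for an ssl-bump proxy (defender's reading).
MEANING = {
    "certificate_unknown": "client rejected the generated certificate; the signing CA is probably not in its trust store",
    "unknown_ca": "client has no trust path to the proxy CA at all; import the CA certificate (never the key) on clients",
    "bad_certificate": "client parsed the certificate but refused it (name mismatch, weak key or signature)",
    "certificate_expired": "validity window wrong; check the proxy clock and the CA certificate dates",
    "handshake_failure": "no common protocol/cipher; not a trust-store problem",
}

def decode_openssl_code(code_hex):
    """Return (lib, func, reason, tls_alert); tls_alert is None when the reason is not an alert."""
    code = int(code_hex, 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    return lib, func, reason, (reason - 1000 if reason >= 1000 else None)

def parse_line(line):
    """Parse one cache.log line into a dict, or None if it is not an SSL negotiation error."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _, _, _, alert = decode_openssl_code(m["code"])
    name = TLS_ALERTS.get(alert, f"alert_{alert}") if alert is not None else None
    return {
        "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        "kid": m["kid"], "fd": int(m["fd"]), "code": m["code"].upper(),
        "func": m["func"], "reason_text": m["reason"].strip(),
        "tls_alert": alert, "alert_name": name,
        "meaning": MEANING.get(name, "see OpenSSL reason text"),
    }

def summarize(lines):
    """Count failures per alert type and report how long the burst lasted."""
    events, unparsed = [], 0
    for line in lines:
        e = parse_line(line)
        if e is None:
            unparsed += 1
        else:
            events.append(e)
    by_alert = Counter(e["alert_name"] or e["reason_text"] for e in events)
    span = 0.0
    if events:
        span = (max(e["ts"] for e in events) - min(e["ts"] for e in events)).total_seconds()
    return {"events": len(events), "unparsed": unparsed, "by_alert": by_alert,
            "span_seconds": span, "meanings": {k: MEANING.get(k, "") for k in by_alert}}

# Constructed input: the five lines posted in this thread, one constructed
# "unknown ca" alert (code 0x14094418 = reason 1048 = alert 48), and one
# constructed unrelated line that the parser must skip.
SAMPLE_LINES = [
    "2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 689: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)",
    "2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 1114: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)",
    "2017/07/18 16:05:37 kid1| Error negotiating SSL connection on FD 146: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)",
    "2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 252: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)",
    "2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 36: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)",
    "2017/07/18 16:05:39 kid1| Error negotiating SSL connection on FD 77: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)",
    "2017/07/18 16:05:40 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes",
]

if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    for name, n in s["by_alert"].most_common():
        print(f"{n:4d}  {name:22s} {s['meanings'][name]}")
    print(f"{s['events']} failures over {s['span_seconds']:.0f}s; {s['unparsed']} unrelated line(s) skipped")
```

Run it against a real cache.log with `summarize(open(path))`; a burst dominated by certificate_unknown or unknown_ca points at the client trust store rather than at the proxy's own upstream verification.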
Yuri Voinov

http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

http://i.imgur.com/A153C7A.png


Walter H.
Hello,

This seems not to be the problem, as the error messages are in cache.log, which is not a browser problem ...

The question: are the SSL-bumped sites in the intranet, which use a self-signed CA cert themselves, which Squid doesn't know?

Yuri Voinov

This simply seems to be that the OP did not install the proxy CA's public key on the clients. No more.

And the errors in cache.log (as well as the client complaints) show this unambiguously.

All other ideas are your nonsense.


Yuri Voinov
In reply to this post by Walter H.

One of two. Either Squid does not see the OpenSSL/system root CA bundle, or the proxy CA's public key is not installed on the clients. That's all.


Cherukuri, Naresh

Thanks Yuri for the quick turnaround!

We only installed the root certificate on all clients. We didn't install the proxy CA's public key on the clients. So your suggested fix is that we need to install both the certificate and the proxy CA's public key on the clients.

Thanks,

Naresh

 

Yuri Voinov

No. Only the proxy CA's public key. The private key should remain on the proxy only.


Cherukuri, Naresh

Yuri,

I am sorry, I didn't get you. I already installed the certificate on all clients (trusted root certificate authorities). You want me to install the proxy public key on the clients as well; if so, where should I put the proxy public key? Below is my squid.conf file.

Squid.conf

key=/etc/squid/pctysquid2sslcerts/pctysquid2prod.pkey \    proxy CA public key??
cert=/etc/squid/pctysquid2sslcerts/pctysquid2prod.crt \    (installed on all IE clients as a trusted root certificate authority)

 

 

Yuri Voinov
In reply to this post by Cherukuri, Naresh

Regarding the OpenSSL public CA bundle: in theory it should be installed together with OpenSSL.


Cherukuri, Naresh

Yuri,

I am new to Squid; I learned it by searching Google. My question is: I generated self-signed SSL certificates and installed the certificates on all IE clients. I didn't install the proxy public key. Can you tell me where I have to put the proxy public key on the clients? Appreciate your help!

Thanks,

Naresh

 

Yuri Voinov
In reply to this post by Cherukuri, Naresh

Aha,


20.07.2017 3:04, Cherukuri, Naresh writes:

> Yuri,
>
> I am sorry, I didn't get you. I already installed the certificate on all clients (trusted root certificate authorities). You want me to install the proxy public key on the clients as well; if so, where should I put the proxy public key? Below is my squid.conf file.
>
> Squid.conf
>
> key=/etc/squid/pctysquid2sslcerts/pctysquid2prod.pkey \    proxy CA public key??

This is the proxy private key AFAIK.

> cert=/etc/squid/pctysquid2sslcerts/pctysquid2prod.crt \    (installed on all IE clients as a trusted root certificate authority)

Yes, if it is installed on the clients, this is ok.

So. The only reason I can see: the proxy can't see OpenSSL's CA bundle.

To make it work you should add one of these to your squid config:

#  TAG: sslproxy_cafile
#    file containing CA certificates to use when verifying server
#    certificates while proxying https:// URLs
#Default:
# none

#  TAG: sslproxy_capath
#    directory containing CA certificates to use when verifying
#    server certificates while proxying https:// URLs
#Default:
# none

The proxy should also know about the CAs used for connection verification.

 

 

> From: Yuri [[hidden email]]
> Sent: Wednesday, July 19, 2017 4:55 PM
> To: Cherukuri, Naresh; [hidden email]
> Subject: Re: [squid-users] Squid Version 3.5.20 Any Ideas
>
> No. Only the proxy's CA public key. The private key should remain on the proxy only.
>
> 20.07.2017 2:49, Cherukuri, Naresh wrote:
>
> Thanks Yuri for the quick turnaround!
>
> We only installed the root certificate on all clients. We didn't install the proxy CA's public key on the clients. So your suggested fix is that we need to install both the certificate and the proxy CA's public key on the clients.
>
> Thanks,
> Naresh
>
> From: squid-users [[hidden email]] On Behalf Of Yuri
> Sent: Wednesday, July 19, 2017 2:25 PM
> To: [hidden email]
> Subject: Re: [squid-users] Squid Version 3.5.20 Any Ideas
>
> One out of two. Either Squid does not see the OpenSSL/system root CA bundle, or the proxy CA's public key is not installed on the clients. That's all.
>
> 19.07.2017 23:30, Walter H. wrote:
>
> Hello,
>
> this seems not to be the problem, as the error messages are in cache.log, which is not a browser problem ...
>
> the question: are the SSL bumped sites in the intranet, which use a self-signed CA cert themselves, which squid doesn't know?


Re: Squid Version 3.5.20 Any Ideas

Yuri Voinov
In reply to this post by Cherukuri, Naresh



20.07.2017 3:09, Cherukuri, Naresh wrote:

> Yuri,
>
> I am new to squid; I learned it through searching Google. My question is: I generated self-signed SSL certificates and installed the certificates on IE on all clients. I didn't install the proxy public key. Can you tell me where I have to put the proxy public key on the clients? Appreciate your help!

Ah. Based on my experience,

you need to take the *public* proxy key (not the private one; you use a keypair to set up the ssl-bump configuration; do not mix them up) and install it in at least two places on the client's PC:

1. Into the system trusted CA store (used by IE/Chrome/some IM etc.)
2. Into Firefox's own store (if applicable).
3. Sometimes it is also required to install the proxy's CA public key into old JREs existing on clients. But AFAIK modern JREs use the system CA store and this step is no longer required.

Actually, this should be enough.

> Thanks,
>
> Naresh
>
> From: Yuri [[hidden email]]
> Sent: Wednesday, July 19, 2017 5:06 PM
> To: Cherukuri, Naresh; [hidden email]
> Subject: Re: [squid-users] Squid Version 3.5.20 Any Ideas
>
> Regarding the OpenSSL public CA bundle: in theory it should be installed together with OpenSSL.


Re: Squid Version 3.5.20 Any Ideas

Amos Jeffries
Administrator
In reply to this post by Yuri Voinov
On 20/07/17 09:10, Yuri wrote:

> Aha,
>
>
> 20.07.2017 3:04, Cherukuri, Naresh пишет:
>>
>> Yuri,
>>
>> I am sorry I didn’t get you I already installed certificate on all
>> clients(trusted root certificate authorities). You want me install
>> proxy public key also on clients, if so were should I put the proxy
>> public key. Below is my squid.conf file.
>>
>> Squid.conf
>>
>> key=/etc/squid/pctysquid2sslcerts/pctysquid2prod.pkey \ proxy ca
>> public key??
>>
> This is proxy private key AFAIK.

Correct. It should be the proxy private key. If the public key is put in
there and startup actually succeeds I'm not sure what broken runtime
errors will occur - nothing good anyhow.

Also, note that cert= parameter should be configured *before* the key=
parameter so Squid loads them from the right place. The very latest
releases (v4+) will fail to start if the ordering is wrong, so best to
prepare for that now.


I suspect that part of the problem here is what is being configured in
that cert= parameter. For SSL-Bump ports in current Squid it needs to
contain the self-signed *CA* certificate that Squid is using to
generate other certs from, the key= being the private key of that CA cert.

If you generate a regular proxy cert and load it there (like normal
proxy cert= would use) the bumping process will get all broken.


The ConfigExample page Yuri linked to earlier had the exact and full
process to follow for setting up the multiple different certs, keys and
file types involved with SSL-Bump.


>>
>> cert=/etc/squid/pctysquid2sslcerts/pctysquid2prod.crt \(installed
>> certificate on IE all clients as a trusted root certificate authorities)
>>
> Yes, if it installed into clients - this is ok.
>
> So. The only reason I can see - proxy can't see OpenSSL CA's bundle.
>
> To make it work you should add to your squid's config one of this:
>
> #  TAG: sslproxy_cafile
> #    file containing CA certificates to use when verifying server
> #    certificates while proxying https:// URLs
> #Default:
> # none
>
> #  TAG: sslproxy_capath
> #    directory containing CA certificates to use when verifying
> #    server certificates while proxying https:// URLs
> #Default:
> # none

Er, those are for Squid->server connections. You were correct about the
errors referring to client->Squid connections, so these are irrelevant.

If anything, the cafile= parameter of the ssl-bump port might be
needed. Then it should point at the same CAs found in the cert=
parameter (bit weird, but that is bugs in the SSL-Bump config design).

FTR: those particular errors occur when Squid accepts a connection from
a client, begins the TLS handshake and the client suddenly disconnects
before the handshake is complete.
  The "certificate unknown" seems to be saying that either 1) the client
sent a client-cert to Squid and OpenSSL did not accept it, or 2) that
the client did not accept the auto-generated cert Squid sent.

If (1) is happening it is because the browser was not correctly
configured with the self-signed CA public cert.

If (2) is happening, then probably the cert=, key=, cafile= parameters
on the ssl-bump port are not configured right, OR browser was not
correctly configured with the self-signed CA public cert.

Or, maybe bugs in that particular Squid release SSL-Bump code. We are
constantly fixing them and 3.5.20 is now a whole year behind with
SSL-Bump fixes - many of them rather major behaviour fixes.


==> Best Practice to follow with SSL-Bump is that when having *any*
problems with the SSL-Bump process try the latest Squid release first
before spending time trying to figure it out.

Amos
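
A small checker for the cert=/key= pair Amos describes above, added here as an example; it is not code from this thread or from the Squid project. It turns the three points in his post into shell functions (cert= must hold the self-signed CA certificate, key= must be the private key of that same certificate, and cert= must precede key= on the port line) and builds a constructed throwaway CA plus a CA-signed server certificate so the checks can be exercised offline. Only the openssl CLI is assumed; the file paths, the port lines and the probe_bump_port target are hypothetical.

```shell
#!/bin/sh
# check_bump_ca.sh: sanity-check the cert=/key= pair of a Squid ssl-bump port.
# Added example for this thread; not code from squid-users or the Squid project.
# Assumes only the openssl CLI. Every path and port line below is hypothetical.

# Returns 0 if the file is a CA certificate (basicConstraints CA:TRUE), 1 if it
# is a leaf/server certificate. An ssl-bump port needs a CA here, because the
# per-site certificates Squid generates are signed with the matching key=.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Returns 0 if the private key in $2 belongs to the certificate in $1.
# Both commands emit the SubjectPublicKeyInfo in PEM, so a string compare
# works for RSA and EC keys alike; a missing or unreadable file returns 1.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 if cert= appears before key= on the given http(s)_port line.
# The thread notes Squid expects that order and that v4+ refuses to start
# without it.
cert_before_key() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i <= NF; i++) {
              if ($i ~ /^cert=/ && !c) c = i
              if ($i ~ /^key=/  && !k) k = i
          } }
        END { exit !(c && k && c < k) }'
}

# Live probe against a running proxy (needs network, so not exercised below):
# fetch the certificate Squid generates for server name $3 and verify it
# against CA file $4, i.e. what a client with the CA installed would do.
# Assumes an "https_port ... ssl-bump" listener; for an explicit http_port
# use "openssl s_client -proxy host:port" (OpenSSL 1.1.0+) instead.
probe_bump_port() {
    openssl s_client -connect "$1:$2" -servername "$3" -CAfile "$4" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Builds a throwaway CA and a server certificate signed by it in a temp dir,
# so the checks above can be run offline. Constructed test data, not real keys.
make_test_pki() {
    pki=$(mktemp -d) || return 1
    cat >"$pki/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Test bump CA (constructed)
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -config "$pki/openssl.cnf" -extensions v3_ca \
        -keyout "$pki/ca.key" -out "$pki/ca.crt" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -config "$pki/openssl.cnf" \
        -subj '/CN=proxy.example.invalid' \
        -keyout "$pki/leaf.key" -out "$pki/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$pki/leaf.csr" -CA "$pki/ca.crt" -CAkey "$pki/ca.key" \
        -CAcreateserial -days 30 -extfile "$pki/openssl.cnf" -extensions v3_leaf \
        -out "$pki/leaf.crt" 2>/dev/null || return 1
    printf '%s\n' "$pki"
}

# Usage: check_bump_ca.sh /etc/squid/ca.crt /etc/squid/ca.key
if [ "$#" -eq 2 ]; then
    if is_ca_cert "$1"; then echo "ok: cert= is a CA certificate"
    else echo "FAIL: cert= is not a CA certificate (a plain proxy cert breaks bumping)"; fi
    if key_matches_cert "$1" "$2"; then echo "ok: key= matches cert="
    else echo "FAIL: key= does not match cert="; fi
fi
```

Run against the real files, this settles case (2) from Amos's list before anyone touches a client: a server certificate in cert= fails the first check, a key from a different pair fails the second. probe_bump_port is the client-side view: with the CA file it should report verify return code 0, and a client that does not trust that CA rejects the generated certificate, which is what the "certificate unknown" alerts in cache.log record. The script does not look at the cafile= parameter Amos mentions, which should point at the same CA as cert=.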

Re: Squid Version 3.5.20 Any Ideas

Cherukuri, Naresh
Thank you Amos! Appreciate your help.

-----Original Message-----
From: squid-users [mailto:[hidden email]] On Behalf Of Amos Jeffries
Sent: Wednesday, July 19, 2017 8:55 PM
To: [hidden email]
Subject: Re: [squid-users] Squid Version 3.5.20 Any Ideas


Re: Squid Version 3.5.20 Any Ideas

Cherukuri, Naresh
In reply to this post by Yuri Voinov

Thank you Yuri! Appreciate your help.

 

From: Yuri [mailto:[hidden email]]
Sent: Wednesday, July 19, 2017 5:15 PM
To: Cherukuri, Naresh; [hidden email]
Subject: Re: [squid-users] Squid Version 3.5.20 Any Ideas

 

 

 
