Re: Re: squid 3.1 - endless loop IIS webserver

On 13.03.2012 21:21, kadvar wrote:
Hi, thanks for that. I tried your recommendations and now I get this.

2012/03/13 12:11:25| clientNegotiateSSL: Error negotiating SSL connection on FD 18: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2012/03/13 12:11:25| clientNegotiateSSL: Error negotiating SSL connection on FD 20: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2012/03/13 12:11:27| clientNegotiateSSL: Error negotiating SSL connection on FD 18: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)

Adding ssl sslflags=NO_VERIFY_PEER to the cache_peer line gives:

2012/03/13 12:35:23| TCP connection to 192.168.124.169/443 failed
2012/03/13 12:35:23| SSL unknown certificate error 20 in /CN=savitr69
2012/03/13 12:35:23| SSL unknown certificate error 20 in /CN=savitr69
2012/03/13 12:35:23| fwdNegotiateSSL: Error negotiating SSL connection on FD 20: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)

I'm a bit confused about the actual interaction between squid and the
backend IIS server. The programmer has generated an ssl cert on the iis
server, I have generated an ssl cert on squid. When I type
https://www.example.com/Login.aspx, it asks me to add an exception for the
squid box but the request now hangs at the iis server.

There are two very separate TCP links, each with its own separate TLS done on it. The traffic is fully decrypted on arrival into Squid and re-encrypted for transfer to IIS.

Notice how there are two logged message prefixes "clientNegotiateSSL:" and "fwdNegotiateSSL:".
 "clientNegotiateSSL:" is the browser->Squid link having problems.
 "fwdNegotiateSSL:" is the Squid->IIS link having problems.

fwdNegotiateSSL is likely having problems because the flag you set was NO_VERIFY_PEER instead of sslflags=DONT_VERIFY_PEER. So it tried to verify and failed.



As per my understanding of the current setup, when a user visits www.example.com/Login.aspx he is presented with an "Add exception" window for the squid box; after accepting he should again be presented with an "add exception" window from the iis server, but this never happens.

No that should not happen. The transport security between Squid and IIS is *only* on the transport between them. The browser has nothing to do with that.


Amos
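The two-hop picture Amos describes (browser->Squid configured on https_port, Squid->IIS configured on cache_peer) can be read straight out of cache.log. The script below is an added example, not code from this thread or from Squid: it rejoins log lines a mail client has wrapped, decodes the packed OpenSSL error code into library/function/reason, recognises the "SSL unknown certificate error N" line, and attributes each failure to the hop it belongs to. The sample log text is constructed from the lines quoted above; the constants are OpenSSL's (SSL_R_TLSV1_ALERT_UNKNOWN_CA = 0x418, SSL_R_CERTIFICATE_VERIFY_FAILED = 0x086, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20), and the hop/directive mapping is the one the reply gives.

```python
"""Attribute Squid TLS negotiation failures to the right hop (added example, not from the thread or Squid)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample built from the lines quoted in the thread, with the wrapping a mail
# client adds: "(1/0)" and "verify failed (1/-1/0)" land on their own lines.
SAMPLE_LOG = """\
2012/03/13 12:11:25| clientNegotiateSSL: Error negotiating SSL connection on FD 18: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
(1/0)
2012/03/13 12:35:23| TCP connection to 192.168.124.169/443 failed
2012/03/13 12:35:23| SSL unknown certificate error 20 in /CN=savitr69
2012/03/13 12:35:23| fwdNegotiateSSL: Error negotiating SSL connection on FD 20: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed (1/-1/0)
"""

# OpenSSL reason codes and the X509 verify error number that appear in the thread.
SSL_R_TLSV1_ALERT_UNKNOWN_CA = 0x418
SSL_R_CERTIFICATE_VERIFY_FAILED = 0x086
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20

# Squid function name -> (hop, squid.conf directive that configures TLS for that hop)
HOPS = {
    "clientNegotiateSSL": ("browser->Squid", "https_port"),
    "fwdNegotiateSSL": ("Squid->IIS", "cache_peer"),
}

TIMESTAMP = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\| ")
NEGOTIATE = re.compile(
    r"^(?P<ts>\S+ \S+)\| (?P<func>clientNegotiateSSL|fwdNegotiateSSL): "
    r"Error negotiating SSL connection on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]{8}):[^:]+:[^:]+:(?P<reason>.+?) \([^)]*\)$"
)
VERIFY = re.compile(r"^(?P<ts>\S+ \S+)\| SSL unknown certificate error (?P<errno>\d+) in (?P<subject>.+)$")


@dataclass
class TlsEvent:
    ts: str
    hop: str
    directive: str
    kind: str   # "alert": packed OpenSSL error code; "verify": X509 verify error number
    code: int   # OpenSSL reason (low 12 bits) or the X509_V_ERR value
    text: str


def unwrap(log: str) -> List[str]:
    """Rejoin continuation lines (no timestamp prefix) onto the record they belong to."""
    records: List[str] = []
    for line in log.splitlines():
        if TIMESTAMP.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records


def decode_openssl_code(code_hex: str) -> Tuple[int, int, int]:
    """Split a pre-3.0 OpenSSL packed error (ERR_PACK layout) into (library, function, reason)."""
    code = int(code_hex, 16)
    return code >> 24, (code >> 12) & 0xFFF, code & 0xFFF


def parse(log: str) -> List[TlsEvent]:
    events: List[TlsEvent] = []
    for rec in unwrap(log):
        m = NEGOTIATE.match(rec)
        if m:
            hop, directive = HOPS[m["func"]]
            _lib, _func, reason = decode_openssl_code(m["code"])
            events.append(TlsEvent(m["ts"], hop, directive, "alert", reason, m["reason"]))
            continue
        m = VERIFY.match(rec)
        if m:
            # Squid only verifies a server certificate on the forward hop, so this is Squid->IIS.
            hop, directive = HOPS["fwdNegotiateSSL"]
            events.append(TlsEvent(m["ts"], hop, directive, "verify", int(m["errno"]), "subject " + m["subject"]))
    return events


def diagnose(events: List[TlsEvent]) -> Dict[str, str]:
    """One finding per failing hop; the most specific piece of evidence wins."""
    findings: Dict[str, str] = {}
    for e in events:
        if e.kind == "alert" and e.code == SSL_R_TLSV1_ALERT_UNKNOWN_CA:
            # The alert was received from the peer: it does not trust the certificate we presented.
            findings[e.hop] = "peer sent alert unknown_ca: it does not trust the certificate presented on %s" % e.directive
        elif e.kind == "verify" and e.code == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
            findings[e.hop] = ("no local issuer for the peer certificate: give %s the issuing CA (sslcafile=) "
                               "instead of turning verification off" % e.directive)
        elif e.kind == "alert" and e.code == SSL_R_CERTIFICATE_VERIFY_FAILED:
            findings.setdefault(e.hop, "certificate verification failed on %s" % e.directive)
    return findings


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for e in evs:
        print("%s  %-14s %-7s 0x%03x  %s" % (e.ts, e.hop, e.kind, e.code, e.text))
    for hop, finding in diagnose(evs).items():
        print("%s: %s" % (hop, finding))
```

Run against the thread's lines it reports the browser->Squid hop failing because the browser does not trust Squid's certificate (the "add exception" prompt), and the Squid->IIS hop failing because Squid has no issuer for the self-signed IIS certificate. For the forward hop, the `DONT_VERIFY_PEER` flag Amos names switches verification off entirely; pointing `cache_peer`'s `sslcafile=` at the certificate that issued the IIS cert keeps verification on and still clears error 20.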

