SSL issues

Hello List, 
I've finally got a squid3 (squid3.4-4, compiled from sources on Debian) with an SSL interception solution working quite decently.

Now, trying to make it work better, I found some entries in the cache.log file, like these:

2014/07/28 16:07:15 kid1| fwdNegotiateSSL: Error negotiating SSL connection on FD 683: error:14092105:SSL routines:SSL3_GET_SERVER_HELLO:wrong cipher returned (1/-1/0) 

2014/07/28 16:07:15 kid1| fwdNegotiateSSL: Error negotiating SSL connection on FD 160: error:14092105:SSL routines:SSL3_GET_SERVER_HELLO:wrong cipher returned (1/-1/0) 

2014/07/28 16:07:37 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 117: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0) 

2014/07/28 16:07:40 kid1| UPGRADE WARNING: URL rewriter reponded with garbage ' 10.10.25.74/- - GET'. Future Squid will treat this as part of the URL. 

2014/07/28 16:07:52 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 922: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0) 

2014/07/28 16:08:55 kid1| UPGRADE WARNING: URL rewriter reponded with garbage ' 10.10.25.75/- - GET'. Future Squid will treat this as part of the URL. 


I've been looking for solutions to this with no luck.

So, these are my questions:
1) is it possible to check or view an FD's content in order to troubleshoot this?
2) could you please shed some light on how to solve this?
3) how do I apply a patch to upgrade my actual squid solution?

Thank you!
Ikna


The SSL part of squid.conf:

http_port 3129
http_port 3128 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=512MB cert=/etc/squid3/certs/ssl/public2.pem key=/etc/squid3/certs/ssl/private.pem options=NO_SSLv2,NO_SSLv3 capath=/etc/ssl/certs

acl SSL_whitelist dstdomain "/etc/squid3/acl/ssl_whitelist.acl"
acl SSL_whitelist_ip dst "/etc/squid3/acl/ssl_whitelist_ip.acl"

ssl_bump none localhost
ssl_bump none SSL_whitelist
ssl_bump none SSL_whitelist_ip

ssl_bump server-first all
sslproxy_capath /etc/ssl/certs
sslproxy_options NO_SSLv2,NO_SSLv3
sslproxy_cert_error allow all

sslcrtd_program /usr/lib/squid3/ssl_crtd -s /usr/lib/ssl_db -M 200MB
sslcrtd_children 40
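An added example, not part of Ikna's post: a small Python parser for the cache.log lines quoted above that groups the SSL negotiation failures by side (fwdNegotiateSSL is Squid's handshake with the origin server, clientNegotiateSSL is the browser's handshake with Squid's generated certificate) and unpacks the OpenSSL error code, so it is easy to see which FDs fail and whether the failure was a TLS alert received from the peer (OpenSSL reason codes of 1000 and above are peer alerts; 1048 is unknown_ca, i.e. the client did not trust the certificate it was shown). The sample log is constructed from the lines in the post.

```python
import re
from collections import Counter
# Constructed sample, modelled on the cache.log lines quoted in the post.
SAMPLE_LOG = """\
2014/07/28 16:07:15 kid1| fwdNegotiateSSL: Error negotiating SSL connection on FD 683: error:14092105:SSL routines:SSL3_GET_SERVER_HELLO:wrong cipher returned (1/-1/0)
2014/07/28 16:07:15 kid1| fwdNegotiateSSL: Error negotiating SSL connection on FD 160: error:14092105:SSL routines:SSL3_GET_SERVER_HELLO:wrong cipher returned (1/-1/0)
2014/07/28 16:07:37 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 117: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2014/07/28 16:07:40 kid1| UPGRADE WARNING: URL rewriter reponded with garbage ' 10.10.25.74/- - GET'. Future Squid will treat this as part of the URL.
2014/07/28 16:07:52 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 922: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
"""
# fwdNegotiateSSL = handshake with the origin server, clientNegotiateSSL = with the browser
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) kid\d+\| (?P<side>fwdNegotiateSSL|clientNegotiateSSL): "
    r"Error negotiating SSL connection on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]{8}):[^:]+:(?P<func>[^:]+):(?P<reason>[^(]+?)\s*\("
)
SSL_AD_REASON_OFFSET = 1000  # OpenSSL: reason >= 1000 means "alert received from peer"

def split_openssl_code(code_hex):
    """Unpack a packed OpenSSL error code into (library, function, reason) numbers."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def parse_ssl_errors(text):
    """Return one dict per SSL negotiation failure found in cache.log text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # UPGRADE WARNING and other lines are not SSL failures
        _lib, _func, reason = split_openssl_code(m["code"])
        events.append({
            "time": m["ts"],
            "side": "server" if m["side"] == "fwdNegotiateSSL" else "client",
            "fd": int(m["fd"]),
            "function": m["func"],
            "reason": m["reason"].strip(),
            # TLS alert number if the peer sent one (48 = unknown_ca), else None
            "alert": reason - SSL_AD_REASON_OFFSET if reason >= SSL_AD_REASON_OFFSET else None,
        })
    return events

def summarize(events):
    # Count failures per (side, reason) so the dominant problem stands out
    return Counter((e["side"], e["reason"]) for e in events)

if __name__ == "__main__":
    for (side, reason), n in summarize(parse_ssl_errors(SAMPLE_LOG)).most_common():
        print(f"{n:3d}  {side:6s}  {reason}")
```

Run it against a real cache.log with `parse_ssl_errors(open("/var/log/squid3/cache.log").read())`; a high count of client-side unknown_ca alerts points at clients that lack the bump CA, while server-side failures point at the upstream handshake.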
