I'm seeing several error messages in my cache.log,
complaining that the destination certificate is invalid:
2015/02/08 19:27:28 kid1| fwdNegotiateSSL: Error negotiating SSL connection on FD 22: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2015/02/08 19:27:28 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 20: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2015/02/08 19:27:32 kid1| fwdNegotiateSSL: Error negotiating SSL connection on FD 50: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2015/02/08 19:27:33 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 49: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2015/02/08 19:27:33 kid1| fwdNegotiateSSL: Error negotiating SSL connection on FD 50: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2015/02/08 19:27:33 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 49: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2015/02/08 19:27:34 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 49: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2015/02/08 19:27:37 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 50: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2015/02/08 19:27:37 kid1| fwdNegotiateSSL: Error negotiating SSL connection on FD 51: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2015/02/08 19:27:37 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 50: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2015/02/08 19:27:39 kid1| fwdNegotiateSSL: Error negotiating SSL connection on FD 51: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2015/02/08 19:27:39 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 50: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2015/02/08 19:27:40 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 50: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2015/02/08 19:27:40 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 50: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2015/02/08 19:27:41 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 50: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2015/02/08 19:27:42 kid1| fwdNegotiateSSL: Error negotiating SSL connection on FD 51: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2015/02/08 19:27:42 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 50: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2015/02/08 19:27:42 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 52: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
Is there a way for me to intercept these and, when they
happen, allow a direct connection between the client and the
destination?
In other words, I want to ssl-bump ALL connections *but*,
if we encounter certificate errors, I would like to make a
direct connection instead. Is this possible?
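Before deciding on a fallback policy, it helps to know which TLS leg each cache.log entry is about. The following is an added example, not code from the poster or from the Squid project: it parses the cache.log excerpt quoted above (embedded here as constructed sample input, each entry re-joined onto one line) and tallies the failures by side and OpenSSL error code. The regex and the mapping of `fwdNegotiateSSL` to the Squid-to-origin leg and `clientNegotiateSSL` to the client-to-Squid leg are assumptions based on the function names in the excerpt; other Squid versions may word these messages differently.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample input: the cache.log excerpt from the post, with each
# wrapped entry re-joined onto a single line.
CACHE_LOG = """\
2015/02/08 19:27:28 kid1| fwdNegotiateSSL: Error negotiating SSL connection on FD 22: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2015/02/08 19:27:28 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 20: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2015/02/08 19:27:32 kid1| fwdNegotiateSSL: Error negotiating SSL connection on FD 50: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2015/02/08 19:27:33 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 49: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2015/02/08 19:27:33 kid1| fwdNegotiateSSL: Error negotiating SSL connection on FD 50: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2015/02/08 19:27:33 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 49: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2015/02/08 19:27:34 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 49: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2015/02/08 19:27:37 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 50: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2015/02/08 19:27:37 kid1| fwdNegotiateSSL: Error negotiating SSL connection on FD 51: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2015/02/08 19:27:37 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 50: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2015/02/08 19:27:39 kid1| fwdNegotiateSSL: Error negotiating SSL connection on FD 51: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2015/02/08 19:27:39 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 50: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2015/02/08 19:27:40 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 50: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2015/02/08 19:27:40 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 50: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2015/02/08 19:27:41 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 50: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2015/02/08 19:27:42 kid1| fwdNegotiateSSL: Error negotiating SSL connection on FD 51: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2015/02/08 19:27:42 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 50: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2015/02/08 19:27:42 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 52: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
"""

# Assumed shape of these cache.log entries, derived from the excerpt above.
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<kid>kid\d+)\| "
    r"(?P<func>\w+): Error negotiating SSL connection on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]{8}):SSL routines:(?P<routine>\w+):"
    r"(?P<reason>.+?) \((?P<detail>[^)]*)\)$"
)

# Which TLS leg each Squid function name refers to (assumption from the names).
SIDE_BY_FUNC = {
    "fwdNegotiateSSL": "server-side",     # Squid -> origin: Squid verifying the server's chain
    "clientNegotiateSSL": "client-side",  # client -> Squid: client judging the cert Squid presented
}


@dataclass(frozen=True)
class SslError:
    ts: datetime
    kid: str
    func: str
    fd: int
    code: str      # OpenSSL error code as printed, e.g. "14090086"
    routine: str   # OpenSSL routine, e.g. "SSL3_GET_SERVER_CERTIFICATE"
    reason: str    # OpenSSL reason string, e.g. "certificate verify failed"
    detail: str    # the trailing "(1/-1/0)" style counters, without parentheses

    @property
    def side(self) -> str:
        return SIDE_BY_FUNC.get(self.func, "unknown")


def parse_cache_log(text: str) -> list[SslError]:
    """Extract the TLS negotiation errors; unrelated cache.log lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entries.append(SslError(
            ts=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
            kid=m["kid"], func=m["func"], fd=int(m["fd"]),
            code=m["code"].lower(), routine=m["routine"],
            reason=m["reason"], detail=m["detail"]))
    return entries


def summarize(entries: list[SslError]) -> Counter:
    """Count errors by (side, OpenSSL error code, reason)."""
    return Counter((e.side, e.code, e.reason) for e in entries)


def fds_by_side(entries: list[SslError]) -> dict[str, set[int]]:
    """Which file descriptors reported errors on each leg."""
    out: dict[str, set[int]] = {}
    for e in entries:
        out.setdefault(e.side, set()).add(e.fd)
    return out


if __name__ == "__main__":
    found = parse_cache_log(CACHE_LOG)
    for (side, code, reason), n in sorted(summarize(found).items()):
        print(f"{n:3d}  {side:12s} {code}  {reason}")
```

Run on the excerpt, the tally separates the two kinds of failure: the `fwdNegotiateSSL` entries are all `certificate verify failed`, i.e. Squid itself rejecting the destination's certificate, while the `clientNegotiateSSL` entries are TLS alerts (`unknown ca`, `certificate unknown`) that the client sent after seeing the certificate Squid presented. Knowing which side is complaining is the first thing to establish before choosing whether to splice, bump, or deny such connections.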