On 2/10/2015 11:18 a.m., David Touzeau wrote:
>
> Dear
>
> I'm using Squid Cache: Version 3.5.9-20150922-r13918 in transparent mode
> with SSL hooked.
> In my config, I did not bump any site (just to pass the SSL protocol to
> squid in transparent mode).
>
> I'm trying to connect to https://raj2796.wordpress.com
>
> In cache.log:
>
> 2015/10/02 00:07:05 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=0.0.0.0:53695 remote=[::] FD 100 flags=41
> 2015/10/02 00:07:05 kid1| Accepting ICP messages on [::]:3130
> 2015/10/02 00:07:05 kid1| Sending ICP messages from [::]:3130
> 2015/10/02 00:07:05 kid1| Accepting SNMP messages on [::]:3401
> 2015/10/02 00:07:10 kid1| Error negotiating SSL connection on FD 12: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
> 2015/10/02 00:07:20 kid1| Error negotiating SSL connection on FD 17: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
> 2015/10/02 00:07:21 kid1| Error negotiating SSL connection on FD 17: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
> 2015/10/02 00:07:21 kid1| Error negotiating SSL connection on FD 17: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
> 2015/10/02 00:09:10 kid1| Error negotiating SSL connection on FD 114: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
>
> And I'm unable to display the web site; the browser freezes when trying to
> open the website...
>
> How can I bypass this website and force squid to not analyze the certificate
> on *.wordpress.com?
>

Couple of problems...

> My config
> https_port 0.0.0.0:53695 intercept ssl-bump
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/etc/squid3/ssl/cb623e9bfc65772f68b84393604cd6ea.dyn
> options=NO_SSLv3 dhparams=/etc/squid3/ssl/dhparam.pem

No SSLv3, but SSLv2 is allowed.

TLS version negotiation relies on a range of protocol versions from N to
N+x being selectable. If you poke holes by denying one version in the
middle, problems arise.

NP: SSLv2 was only removed in Squid-4.

This alone is probably your problem. But there is more you should fix to
prevent later troubles.

> acl ssl_step1 at_step SslBump1
> acl ssl_step2 at_step SslBump2
> acl ssl_step3 at_step SslBump3
> ssl_bump peek ssl_step1
> ssl_bump splice all

With splice none of the ssl_proxy_* options are relevant. Apart from
initially peeking at a few bytes, the TLS/SSL should be blindly tunnelled
between client and server.

We intend the above config to operate as if the client had sent an
explicit proxy a CONNECT and Squid without SSL support had received and
enacted it. Sans bugs we have not found yet, that is how 3.5.8 and later
operate.

> sslproxy_cipher
> EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>

This tells Squid to use EEC* and EC* ciphers. Squid-3.5 and older do not
support those.

> sslproxy_version 0
> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
> sslproxy_cert_error allow all

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
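The "hole in the version range" point Amos makes can be checked mechanically. The following is an added example, not code from the thread or from Squid: it reads the NO_* tokens out of an https_port options= value or an sslproxy_options line and reports any disabled version that sits between two still-enabled ones. It assumes that the version tokens Squid 3.5 accepts are the OpenSSL SSL_OP_NO_* names listed in VERSIONS; the two config lines it runs against are constructed from the poster's https_port line (abridged) and a corrected variant that also disables SSLv2.

```python
"""Flag a non-contiguous TLS/SSL version range in a Squid 3.5 config line.

Added example (not from the squid-users thread and not Squid's own code).
It implements the check described in the reply: the protocol versions left
enabled after the NO_* options must form one contiguous range, because
denying a version in the middle (NO_SSLv3 while SSLv2 stays enabled)
breaks version negotiation.
"""
import re

# Assumption: these are the OpenSSL SSL_OP_NO_* names Squid 3.5 accepts in
# 'options=' and 'sslproxy_options', listed in protocol order, oldest first.
VERSIONS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2"]

# Constructed samples: the poster's https_port line (abridged) and a fix.
ORIGINAL_HTTPS_PORT = (
    "https_port 0.0.0.0:53695 intercept ssl-bump generate-host-certificates=on "
    "options=NO_SSLv3 dhparams=/etc/squid3/ssl/dhparam.pem"
)
FIXED_HTTPS_PORT = ORIGINAL_HTTPS_PORT.replace(
    "options=NO_SSLv3", "options=NO_SSLv2,NO_SSLv3"
)
SSLPROXY_OPTIONS = "sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE"


def disabled_versions(config_line):
    """Return the set of protocol versions disabled by NO_* tokens.

    Accepts both 'https_port ... options=NO_SSLv3 ...' and
    'sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE'.
    Tokens that are not NO_<version> (e.g. SINGLE_DH_USE) are ignored.
    """
    match = re.search(r"(?:options=|^\s*sslproxy_options\s+)(\S+)", config_line)
    if not match:
        return set()
    disabled = set()
    for token in match.group(1).split(","):
        if token.startswith("NO_") and token[3:] in VERSIONS:
            disabled.add(token[3:])
    return disabled


def enabled_versions(config_line):
    """Protocol versions still negotiable, in protocol order."""
    disabled = disabled_versions(config_line)
    return [v for v in VERSIONS if v not in disabled]


def version_hole(config_line):
    """Return disabled versions lying between two enabled ones.

    An empty list means the enabled set is a contiguous range N..N+x,
    which is what version negotiation expects.
    """
    disabled = disabled_versions(config_line)
    enabled_idx = [i for i, v in enumerate(VERSIONS) if v not in disabled]
    if not enabled_idx:
        return []
    lo, hi = enabled_idx[0], enabled_idx[-1]
    return [VERSIONS[i] for i in range(lo, hi + 1) if VERSIONS[i] in disabled]


def report(config_line):
    """One-line verdict for a config line."""
    hole = version_hole(config_line)
    enabled = ",".join(enabled_versions(config_line))
    if hole:
        return "HOLE %s disabled but %s enabled" % (",".join(hole), enabled)
    return "OK   contiguous range %s" % enabled


if __name__ == "__main__":
    for line in (ORIGINAL_HTTPS_PORT, FIXED_HTTPS_PORT, SSLPROXY_OPTIONS):
        print(report(line))
        print("    " + line)
```

Run stand-alone it reports the poster's line as a hole (SSLv3 denied while SSLv2 is still enabled) and the corrected line and the existing sslproxy_options line as contiguous ranges starting at TLSv1.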