Re: [3.5.9]: Error negotiating SSL connection on FD 12: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)

On 02/10/2015 04:49, Amos Jeffries wrote:
On 2/10/2015 11:18 a.m., David Touzeau wrote:
Dear

I'm using Squid Cache: Version 3.5.9-20150922-r13918 in transparent mode
with SSL hooked
In my config, I did not bump any site (just to pass the SSL protocol to
Squid in transparent mode).

I'm trying to connect to https://raj2796.wordpress.com

In cache.log

2015/10/02 00:07:05 kid1| Accepting NAT intercepted SSL bumped HTTPS
Socket connections at local=0.0.0.0:53695 remote=[::] FD 100 flags=41
2015/10/02 00:07:05 kid1| Accepting ICP messages on [::]:3130
2015/10/02 00:07:05 kid1| Sending ICP messages from [::]:3130
2015/10/02 00:07:05 kid1| Accepting SNMP messages on [::]:3401
2015/10/02 00:07:10 kid1| Error negotiating SSL connection on FD 12:
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown (1/0)
2015/10/02 00:07:20 kid1| Error negotiating SSL connection on FD 17:
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown (1/0)
2015/10/02 00:07:21 kid1| Error negotiating SSL connection on FD 17:
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown (1/0)
2015/10/02 00:07:21 kid1| Error negotiating SSL connection on FD 17:
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown (1/0)
2015/10/02 00:09:10 kid1| Error negotiating SSL connection on FD 114:
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown (1/0)

And I'm unable to display the web site; the browser freezes when trying to
open the website...

How can I bypass this website and force Squid not to analyze the certificate
on *.wordpress.com?

Couple of problems...

My config
https_port 0.0.0.0:53695  intercept ssl-bump
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
cert=/etc/squid3/ssl/cb623e9bfc65772f68b84393604cd6ea.dyn
options=NO_SSLv3 dhparams=/etc/squid3/ssl/dhparam.pem
No SSLv3, but SSLv2 is allowed. TLS version negotiation relies on a
range of protocol versions from N to N+x being selectable. If you poke
holes by denying one version in the middle problems arise.

NP: SSLv2 was only removed in Squid-4.

This alone is probably your problem. But there is more you should fix to
prevent later troubles.


acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3
ssl_bump peek ssl_step1
ssl_bump splice all
With splice none of the ssl_proxy_* options are relevant. Apart from
initial peeking a few bytes the TLS/SSL should be blindly tunnelled
between client and server.

We intend the above config to operate as if the client has sent an
explicit-proxy a CONNECT and Squid without SSL support had received and
enacted it. Sans bugs we have not found yet, that is how 3.5.8 and later
operate.


sslproxy_cipher
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

This tells Squid to use EEC* and EC* ciphers. Squid-3.5 and older do not
support those.


sslproxy_version 0
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslproxy_cert_error allow all

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

Hi, thanks for those points.

Changing the config, removing all unnecessary config and upgrading to Squid 3.5.10 did not resolve the issue.
The web site is still not browseable...

Notice that using a non-transparent port on Squid allows the site to be displayed without any issue.


Best regards
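Two things in the exchange above are worth checking mechanically rather than by eye: what the OpenSSL error code in the cache.log line actually encodes, and whether an https_port options= list leaves the "hole in the middle" of the version range that Amos points out. The script below is an added example written for this page; it is not Squid code and not something either poster ran. It uses the cache.log line quoted above as its sample input and assumes Squid spells the OpenSSL version options as the SSL_OP_NO_* names without the prefix (NO_SSLv2, NO_SSLv3, NO_TLSv1, NO_TLSv1_1, NO_TLSv1_2).

```python
import re

# OpenSSL packs an error code as 0xLLFFFRRR: library (8 bits), function
# (12 bits), reason (12 bits). In the SSL library, reasons 1000..1255 are
# TLS alerts received from the peer; reason - 1000 is the alert number.
ERR_LIB_SSL = 0x14
SSL_AD_REASON_OFFSET = 1000

# TLS alert descriptions (RFC 5246 section 7.2.2), the certificate-related
# ones plus the common handshake failures.
TLS_ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    47: "illegal_parameter",
    48: "unknown_ca",
    49: "access_denied",
    70: "protocol_version",
    112: "unrecognized_name",
}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):(.*)")


def decode_openssl_error(line):
    """Decode the 'error:XXXXXXXX:lib:func:reason' part of a cache.log line.

    Returns a dict with the unpacked fields and, when the reason is a TLS
    alert sent by the peer, the alert number and name. None if no code.
    """
    m = ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    lib = code >> 24
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    info = {"code": code, "lib": lib, "func": func, "reason": reason,
            "func_name": m.group(3), "reason_text": m.group(4).strip(),
            "alert": None, "alert_name": None}
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
        info["alert"] = alert
        info["alert_name"] = TLS_ALERTS.get(alert, "unknown(%d)" % alert)
    return info


# Protocol versions in negotiation order. Option names follow OpenSSL's
# SSL_OP_NO_* constants without the prefix (assumed Squid spelling).
VERSIONS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2"]


def enabled_versions(options):
    """Versions not denied by a Squid options= list like 'NO_SSLv3,SINGLE_DH_USE'."""
    denied = {o[3:] for o in options.split(",") if o.startswith("NO_")}
    return [v for v in VERSIONS if v not in denied]


def version_holes(options):
    """Denied versions that sit between two enabled ones.

    A non-empty list is the case Amos describes: the enabled versions do not
    form one contiguous range, so version negotiation can fail.
    """
    enabled = enabled_versions(options)
    if not enabled:
        return []
    lo = VERSIONS.index(enabled[0])
    hi = VERSIONS.index(enabled[-1])
    return [v for v in VERSIONS[lo:hi + 1] if v not in enabled]


if __name__ == "__main__":
    # Sample input: the cache.log line quoted in the thread above.
    sample = ("2015/10/02 00:07:10 kid1| Error negotiating SSL connection on FD 12: "
              "error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)")
    print(decode_openssl_error(sample))
    # The original https_port options, then the contiguous alternative.
    print("NO_SSLv3 holes:", version_holes("NO_SSLv3"))
    print("NO_SSLv2,NO_SSLv3 holes:", version_holes("NO_SSLv2,NO_SSLv3,SINGLE_DH_USE"))
```

For the quoted line the decoder gives lib 0x14 (SSL), function 0x094 (SSL3_READ_BYTES) and reason 1046, i.e. TLS alert 46, certificate_unknown: the peer on that file descriptor was shown a certificate and rejected it. The code alone does not say which certificate or why, so this is the first step, not the diagnosis. For options=NO_SSLv3 the range check reports SSLv3 as a hole between SSLv2 and TLSv1; denying NO_SSLv2 as well, as in the sslproxy_options line, leaves a contiguous TLSv1..TLSv1_2 range.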






