Re: CPU Load 100% after implementing SSL Bump ....

On 23/05/2016 8:18 p.m., Sagar Malve wrote:
> Hi Team,
> 
> Squid - Version 3.5.13
> 
> 
> Please find the below Squid Cache Logs
> 2016/05/23 13:35:55 kid1| Error negotiating SSL connection on FD 138:
> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
> 2016/05/23 13:35:55 kid1| Error negotiating SSL connection on FD 457:
> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
> 2016/05/23 13:36:00 kid1| Error negotiating SSL connection on FD 33:
> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
> 2016/05/23 13:36:01 kid1| Error negotiating SSL connection on FD 438:
> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
> 2016/05/23 13:36:05 kid1| Error negotiating SSL connection on FD 555: (104)
> Connection reset by peer
<snip>

> 
> ----------------------------Cache log End
> --------------------------------------
> 
> Do we need to update openssl? I got to know these from the forum previous
> post ....
> If we need to update the openssl then where can we find the updated version
> of CA Certs ....
> 

OpenSSL and the global "Trusted CA" certificates are separate things.

Keeping either of those up to date would be a good idea even if doing so
does not solve your issue. Whatever provider was used to get your
current versions should have the latest available if you need updates.


You do need to upgrade your Squid though. Current stable is 3.5.19.
If the problems persist with that, you may want to try a 4.x beta
release. There are additional fixes only available there that might be
of use.

Your current 3.5.13 version and all later ones contain the
<http://www.squid-cache.org/Doc/config/sslproxy_foreign_intermediate_certs/>
directive for loading intermediate CA certs that some servers do not
provide. You can find talk about it and an archive maintained by Yuri in
other recent threads on this list. That can resolve some of the "unknown
ca" occurrences.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
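
As an added example (not part of the original thread and not Squid project code), the following Python script tallies the "Error negotiating SSL connection" records from cache.log by reason and per minute, so the volume of "unknown ca" alerts can be compared before and after a change such as an upgrade or loading intermediate certificates. The sample log is constructed from the lines quoted above, and all function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample modelled on the quoted cache.log lines (some mail-wrapped).
SAMPLE_LOG = """\
2016/05/23 13:35:55 kid1| Error negotiating SSL connection on FD 138:
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2016/05/23 13:35:55 kid1| Error negotiating SSL connection on FD 457: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2016/05/23 13:36:05 kid1| Error negotiating SSL connection on FD 555: (104)
Connection reset by peer
2016/05/23 13:36:06 kid1| constructed unrelated line, ignored by the parser
"""

TS_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} ")
REC_RE = re.compile(r"^(?P<minute>\d{4}/\d{2}/\d{2} \d{2}:\d{2}):\d{2} kid\d+\| "
                    r"Error negotiating SSL connection on FD \d+: (?P<detail>.+)$")
OPENSSL_RE = re.compile(r"^error:(?P<code>[0-9A-Fa-f]+):[^:]*:[^:]*:"
                        r"(?P<reason>.+?)(?: \(-?\d+/-?\d+\))?$")
ERRNO_RE = re.compile(r"^\((?P<errno>\d+)\) (?P<text>.+)$")

def unwrap(log_text):
    """Join continuation lines (no leading timestamp) onto the previous record."""
    records = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        if TS_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def classify(detail):
    """Map the text after 'FD n:' to a stable bucket name."""
    m = OPENSSL_RE.match(detail)
    if m:  # OpenSSL error string: error:<code>:<lib>:<func>:<reason>
        return "openssl:%s:%s" % (m.group("code"), m.group("reason"))
    m = ERRNO_RE.match(detail)
    if m:  # socket-level failure: (<errno>) <text>
        return "socket:%s:%s" % (m.group("errno"), m.group("text"))
    return "other:" + detail

def summarize(log_text):
    """Return (count per reason, count per minute) for TLS negotiation errors."""
    by_reason, by_minute = Counter(), Counter()
    for rec in unwrap(log_text):
        m = REC_RE.match(rec)
        if m:
            by_reason[classify(m.group("detail"))] += 1
            by_minute[m.group("minute")] += 1
    return by_reason, by_minute
```

On a real proxy, pass the contents of cache.log to `summarize()` and print the two counters with `most_common()`.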



