squid https intercept mode and ubuntu third party repositories issue


Hello,

I am using squid 3.5.12 (detailed version info is below) on Ubuntu 16.04.1 LTS server. My squid config is at http://pastebin.com/raw/b8RZ67u9

I have configured squid as an intercept proxy bumping all SSL https connections. The setup is working fine for many things like browsing;
even on the command line, e.g. with wget, I can download via https, as I have installed the root certificate within my client OS.

My issue is that whenever I try to add an extra repository via a command, i.e.
sudo add-apt-repository ppa:ondrej/php
the command fails with output "Cannot add PPA: 'ppa:~ondrej/ubuntu/php'.ERROR: '~ondrej' user or team does not exist." and in squid's cache.log and access.log the following entries can be found for this request:

==> /var/log/squid/access.log <==
1474302162.378    439 192.168.1.66 TAG_NONE/200 0 CONNECT 91.189.89.223:443 - ORIGINAL_DST/91.189.89.223 -

==> /var/log/squid/cache.log <==
2016/09/19 21:52:42 kid1| Error negotiating SSL connection on FD 21: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0)
2016/09/19 21:52:42 kid1| hold write on SSL connection on FD 22

==> /var/log/squid/access.log <==
1474302162.885    403 192.168.1.66 TAG_NONE/200 0 CONNECT 91.189.89.223:443 - ORIGINAL_DST/91.189.89.223 -

==> /var/log/squid/cache.log <==
2016/09/19 21:52:42 kid1| Error negotiating SSL connection on FD 21: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0)

In the above output, 192.168.1.66 is my client making that request, and as you can see in cache.log there is a certificate negotiation error. I have tried to fiddle with all the options provided at http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit but it seems I am out of luck after battling this issue for almost half of my day.

Can someone tell me whether they have been successful with this issue? If so, can you share the relevant section of your squid.conf?

$ squid -v
Squid Cache: Version 3.5.12
Service Name: squid
Ubuntu linux
configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--with-openssl' '--enable-ssl-crtd' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,smb_lm' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-build-info=Ubuntu linux' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security'
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
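
Added example, not part of the original post: a small Python correlator that pairs the "tlsv1 alert unknown ca" errors in cache.log (an alert received from the TLS peer) with the CONNECT entries in access.log, to list which client and destination pairs end a bumped handshake that way. The function names are hypothetical, the match is a time-overlap heuristic, and the +05:30 offset for cache.log's local time is an assumption inferred from the two timestamps pasted above.

```python
import re
from datetime import datetime, timedelta, timezone

# Lines copied from the post above (not constructed).
ACCESS_LOG = """\
1474302162.378    439 192.168.1.66 TAG_NONE/200 0 CONNECT 91.189.89.223:443 - ORIGINAL_DST/91.189.89.223 -
1474302162.885    403 192.168.1.66 TAG_NONE/200 0 CONNECT 91.189.89.223:443 - ORIGINAL_DST/91.189.89.223 -
"""
CACHE_LOG = """\
2016/09/19 21:52:42 kid1| Error negotiating SSL connection on FD 21: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0)
2016/09/19 21:52:42 kid1| hold write on SSL connection on FD 22
2016/09/19 21:52:42 kid1| Error negotiating SSL connection on FD 21: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0)
"""

# access.log: epoch.millis, elapsed ms, client, result, bytes, method, target
ACCESS_RE = re.compile(r"^(\d+\.\d+)\s+(\d+)\s+(\S+)\s+\S+\s+\d+\s+CONNECT\s+(\S+)")
# cache.log: local wall-clock time, one-second resolution
ALERT_RE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) kid\d+\| "
                      r"Error negotiating SSL connection .*alert unknown ca")

def alert_seconds(cache_text, utc_offset):
    """Epoch second of every 'unknown ca' handshake failure in cache.log."""
    tz = timezone(utc_offset)
    out = []
    for line in cache_text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            local = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            out.append(local.replace(tzinfo=tz).timestamp())
    return out

def rejected_bumps(access_text, cache_text, utc_offset):
    """Count CONNECTs per (client, destination) that overlap an alert second."""
    alerts = alert_seconds(cache_text, utc_offset)
    hits = {}
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        end = float(m.group(1))                 # entry is logged at completion
        start = end - int(m.group(2)) / 1000.0  # elapsed is in milliseconds
        # cache.log only has whole seconds, so treat each alert as [a, a + 1)
        if any(start < a + 1 and end >= a for a in alerts):
            key = (m.group(3), m.group(4))
            hits[key] = hits.get(key, 0) + 1
    return hits

if __name__ == "__main__":
    # +05:30 is inferred from the two timestamps in the post, not stated in it
    for (client, dest), n in rejected_bumps(ACCESS_LOG, CACHE_LOG, timedelta(hours=5, minutes=30)).items():
        print(f"{client} -> {dest}: {n} bumped handshake(s) ended in 'unknown ca'")
```

With the wrong offset nothing matches, so check the proxy host's time zone before trusting an empty result.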
