On 20/09/2016 4:42 a.m., Hardik Dangar wrote:
> Hello,
>
> I am using squid 3.5.12 (detailed version info is below) on an Ubuntu 16.04.1
> LTS server. My squid config is at http://pastebin.com/raw/b8RZ67u9
>
> I have configured squid as an intercept proxy bumping all SSL https
> connections. The setup is working fine for many things like browsing,
> even on the command line: with wget I can download via https, as I have
> installed the root certificate within my client OS.
>
> My issue is that whenever I try to add an extra repository via a command, i.e.
> sudo add-apt-repository ppa:ondrej/php
> the command fails with the output "Cannot add PPA: 'ppa:~ondrej/ubuntu/php'. ERROR:
> '~ondrej' user or team does not exist." and in squid's cache.log and access.log
> the following entries can be located for this request:
>
> ==> /var/log/squid/access.log <==
> 1474302162.378 439 192.168.1.66 TAG_NONE/200 0 CONNECT 91.189.89.223:443 - ORIGINAL_DST/91.189.89.223 -
>
> ==> /var/log/squid/cache.log <==
> 2016/09/19 21:52:42 kid1| Error negotiating SSL connection on FD 21: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0)
> 2016/09/19 21:52:42 kid1| hold write on SSL connection on FD 22
>
> ==> /var/log/squid/access.log <==
> 1474302162.885 403 192.168.1.66 TAG_NONE/200 0 CONNECT 91.189.89.223:443 - ORIGINAL_DST/91.189.89.223 -
>
> ==> /var/log/squid/cache.log <==
> 2016/09/19 21:52:42 kid1| Error negotiating SSL connection on FD 21: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0)
>
> In the above output 192.168.1.66 is my client making that request, and
> as you can see in cache.log there is a certificate negotiation error. I have
> tried to fiddle with all the options provided at
> http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
> but it seems I am out of luck after almost half a day battling this issue.
>
> Can someone tell me if they have been successful with this issue? If so, can you
> share the relevant section of your squid.conf?
> $ squid -v
> Squid Cache: Version 3.5.12

The Ubuntu Squid package does not build with SSL functionality. When re-building your Squid with SSL-Bump features it is important to always use the very latest Squid release. SSL/TLS and bumping are part of an ongoing arms race situation. Things are constantly changing, and software from as little as a year ago is unlikely to work 100% well with intercepting ('bumping') encryption from today.

The first thing to try is to rebuild with squid 3.5.20 or .21 and see if the problem remains.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
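A small triage script for log excerpts like the ones quoted in this thread, added here as an example; it is not from either poster and not part of Squid. It decodes the packed OpenSSL error code that squid prints in cache.log (OpenSSL 1.0.x and 1.1.x pack `(lib << 24) | (func << 12) | reason`; in the SSL library a reason of 1000 or more is a TLS alert received from the peer, alert number = reason - 1000) and pairs those alerts with bumped CONNECT tunnels in access.log that carried zero bytes. The sample log lines are constructed from the two excerpts above; the `TCP_MISS` line is made up to show a tunnel that did carry data, and the field names are assumptions based on squid's native access.log format.

```python
import re

# Constructed sample lines modelled on the excerpts in the thread (not a live capture).
ACCESS_LOG = """\
1474302162.378    439 192.168.1.66 TAG_NONE/200 0 CONNECT 91.189.89.223:443 - ORIGINAL_DST/91.189.89.223 -
1474302162.885    403 192.168.1.66 TAG_NONE/200 0 CONNECT 91.189.89.223:443 - ORIGINAL_DST/91.189.89.223 -
1474302170.001     12 192.168.1.66 TCP_MISS/200 5120 GET https://example.org/index.html - ORIGINAL_DST/93.184.216.34 text/html
"""

CACHE_LOG = """\
2016/09/19 21:52:42 kid1| Error negotiating SSL connection on FD 21: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0)
2016/09/19 21:52:42 kid1| hold write on SSL connection on FD 22
2016/09/19 21:52:42 kid1| Error negotiating SSL connection on FD 21: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0)
"""

# OpenSSL error packing: (lib << 24) | (func << 12) | reason (OpenSSL 1.0.x / 1.1.x).
ERR_LIB_SSL = 20               # library id of the SSL/TLS routines
SSL_AD_REASON_OFFSET = 1000    # reason >= 1000 means "TLS alert received from the peer"
TLS_ALERT_NAMES = {            # alert numbers from RFC 5246 section 7.2
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 49: "access_denied", 51: "decrypt_error",
    70: "protocol_version", 71: "insufficient_security", 112: "unrecognized_name",
}

# Squid native access.log: time elapsed client code/status bytes method URL ident peer/host type
ACCESS_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<peer>\S+)\s+(?P<type>\S+)$"
)
CACHE_ERR_RE = re.compile(
    r"Error negotiating SSL connection on FD (?P<fd>\d+): error:(?P<code>[0-9A-Fa-f]{8}):"
)


def decode_openssl_error(code):
    """Split a hex OpenSSL error code such as '14094418' into lib/func/reason and,
    when the reason is a TLS alert, name the alert the peer sent."""
    value = int(code, 16)
    lib = value >> 24
    func = (value >> 12) & 0xFFF
    reason = value & 0xFFF
    alert = reason - SSL_AD_REASON_OFFSET if (lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET) else None
    return {
        "lib": lib, "func": func, "reason": reason, "alert": alert,
        "alert_name": TLS_ALERT_NAMES.get(alert) if alert is not None else None,
    }


def parse_access_log(text):
    """Parse native-format access.log lines into dicts; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["bytes"] = int(entry["bytes"])
            entries.append(entry)
    return entries


def zero_byte_connects(entries):
    """CONNECT tunnels that squid accepted for bumping (TAG_NONE/200) but that
    carried no bytes: the TLS handshake inside the tunnel never completed."""
    return [e for e in entries
            if e["method"] == "CONNECT" and e["bytes"] == 0 and e["result"] == "TAG_NONE/200"]


def parse_cache_log(text):
    """Extract and decode every 'Error negotiating SSL connection' line."""
    errors = []
    for line in text.splitlines():
        m = CACHE_ERR_RE.search(line)
        if m:
            info = decode_openssl_error(m.group("code"))
            info["fd"] = int(m.group("fd"))
            errors.append(info)
    return errors


def triage(access_text, cache_text):
    """Per client, count empty bumped tunnels by destination, and list the
    TLS alerts squid logged while negotiating."""
    by_client = {}
    for e in zero_byte_connects(parse_access_log(access_text)):
        dests = by_client.setdefault(e["client"], {})
        dests[e["url"]] = dests.get(e["url"], 0) + 1
    alerts = [err["alert_name"] or hex(err["reason"]) for err in parse_cache_log(cache_text)]
    return {"empty_tunnels": by_client, "alerts": alerts}


if __name__ == "__main__":
    print(decode_openssl_error("14094418"))
    print(triage(ACCESS_LOG, CACHE_LOG))
```

On the thread's code, `14094418` decodes to lib 20 (SSL), function 148 (`ssl3_read_bytes`), reason 1048 = 1000 + 48, and alert 48 is `unknown_ca`: whichever side sent the alert received a certificate chain and rejected it because it could not be chained to a CA it trusts. The script only says that an alert was received and which one; which end of the bumped connection sent it has to be read from the FD numbers in cache.log for the specific setup.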