Non intercepted is not bypassed… Squid has coupe options for the “http_port” option. One that you are using is intercept and the other is without intercept. What happens when you try to connect to this website when you are defining another port without “Intercept” and define the proxy in the browser settings? Let me know if something is missing in the picture. Eliezer ---- http://ngtech.co.il/lmgtfy/ Linux System Administrator Mobile: +972-5-28704261 Email: eliezer@xxxxxxxxxxxx From: Sameh Onaissi [mailto:sameh.onaissi@xxxxxxxxx] Sent: Sunday, January 15, 2017 3:25 AM To: Eliezer Croitoru <eliezer@xxxxxxxxxxxx> Cc: Amos Jeffries <squid3@xxxxxxxxxxxxx>; squid-users@xxxxxxxxxxxxxxxxxxxxx Subject: Re: A bunch of SSL errors I am not sure why Hello, I assume bypassed are non intercepted? Once the site IP is on the bypass list, it opened without an issue. There are a few other .http://gov.co sites who have the same problem too. Attached is a screenshot of the error before I added the site to the bypass list. squid -v Squid Cache: Version 3.5.22 Service Name: squid Ubuntu linux configure options: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now -Wl,--as-needed' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,smb_lm' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,time_quota,unix_group,wbinfo_group' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--with-openssl' '--enable-ssl' '--enable-ssl-crtd' '--enable-build-info=Ubuntu linux' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now -Wl,--as-needed' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security' @ Amos: "* Check that the set of "global trusted CA" installed on your Squid machiene is up to date.” I recreated the set recently. * Try the latest Squid-4, which can auto-download intermediate certificates. Is squid-4 stable for production? Thank you, Sameh Onaissi Sol Cable Visión Cel: 316-3023424 Email: mailto:sameh.onaissi@xxxxxxxxx Piensa en el medio ambiente antes de imprimir este email. On Jan 14, 2017, at 12:07 PM, Eliezer Croitoru <mailto:eliezer@xxxxxxxxxxxx> wrote: I have not experienced this issue on my testing lab when accessing: https://web.dlinkla.com/websys $ squid -v Squid Cache: Version 3.5.23 Service Name: squid configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--verbose' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam,fake' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos,wrapper' '--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,LDAP_group,delayer,file_userip,SQL_session,unix_group,session,time_quota' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi' '--enable-ssl-crtd' '--enable-icmp' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' '--with-included-ltdl' '--disable-arch-native' '--enable-ecap' '--without-nettle' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig: /usr/share/pkgconfig' --enable-ltdl-convenience When the proxy is defined in the browser. Can you verify if it affects only intercepted connections or also non-intercepted ones? Thanks, Eliezer ---- Eliezer Croitoru Linux System Administrator Mobile: +972-5-28704261 Email: mailto:eliezer@xxxxxxxxxxxx -----Original Message----- From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Amos Jeffries Sent: Saturday, January 14, 2017 6:51 AM To: mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx Subject: Re: A bunch of SSL errors I am not sure why On 14/01/2017 4:27 a.m., Sameh Onaissi wrote: Hello Eliezer, all, I removed the cipher and the problem is still there: 2017/01/13 10:20:50 kid1| Error negotiating SSL connection on FD 138: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0) The CA used to sign the remote endpoints certificate is not trusted. Or an intermediary certificate is missing. * Check that the set of "global trusted CA" installed on your Squid machiene is up to date. * Try the latest Squid-4, which can auto-download intermediate certificates. 2017/01/13 10:21:05 kid1| Error negotiating SSL connection on FD 191: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown (1/0) 2017/01/13 10:21:17 kid1| Error negotiating SSL connection on FD 194: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown (1/0) 2017/01/13 10:21:17 kid1| Error negotiating SSL connection on FD 198: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown (1/0) 2017/01/13 10:21:18 kid1| Error negotiating SSL connection on FD 194: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown (1/0) 2017/01/13 10:21:18 kid1| Error negotiating SSL connection on FD 194: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown (1/0) 2017/01/13 10:21:19 kid1| Error negotiating SSL connection on FD 194: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown (1/0) The obsolete SSL protocol is being used. 2017/01/13 10:21:24 kid1| Error negotiating SSL connection on FD 163: Closed by client The client disconnected. You can do nothing about that. 2017/01/13 10:21:39 kid1| Error negotiating SSL connection on FD 250: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0) 2017/01/13 10:21:42 kid1| Error negotiating SSL on FD 298: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0) "certificate verify failed" says what it means. 2017-01-13 10:21:53 [29866] Request(everyone/deny/-) https://accounts.youtube.com/accounts/CheckConnection?pmpo=https://acc ounts.google.com&v=-1574475776×tamp=1484320896449 10.0.0.127/10.0.0.127 - GET REDIRECT 2017/01/13 10:21:56 kid1| Error negotiating SSL connection on FD 109: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0) 2017/01/13 10:21:56 kid1| Error negotiating SSL connection on FD 309: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown (1/0) 2017/01/13 10:22:25 kid1| Error negotiating SSL connection on FD 155: Closed by client Amos _______________________________________________ squid-users mailing list mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users _______________________________________________ squid-users mailing list mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
