Hi Yuri,

I did not know if Squid has the Symantec intermediate certificate. Squid is installed as default... Any howto?

-----Original Message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Yuri Voinov
Sent: Thursday, 27 April 2017 22:09
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Look. It can be an intermediate certificates issue. Does Squid have Symantec intermediate certificates?

27.04.2017 22:47, David Touzeau wrote:
> Hi,
> I'm unable to access the https://www.boutique.afnor.org website.
> I would like to know if this issue cannot be fixed and I must deny bumping the
> website to fix it.
> Without Squid the website is correctly displayed.
>
> Squid shows an error page with "(71) Protocol error (TLS code:
> SQUID_ERR_SSL_HANDSHAKE)"
>
> In cache.log: "Error negotiating SSL on FD 17:
> error:00000000:lib(0):func(0):reason(0) (5/0/0)"
>
> Using the following configuration:
>
> http_port 0.0.0.0:3128 name=MyPortNameID20 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/0c451f46b4d05031560d8195f30165cb.dyn
> sslproxy_foreign_intermediate_certs /etc/squid3/intermediate_ca.pem
> sslcrtd_program /lib/squid3/ssl_crtd -s /var/lib/squid/session/ssl/ssl_db -M 8MB
> sslcrtd_children 16 startup=5 idle=1
> acl FakeCert ssl::server_name .apple.com
> acl FakeCert ssl::server_name .icloud.com
> acl FakeCert ssl::server_name .mzstatic.com
> acl FakeCert ssl::server_name .dropbox.com
> acl ssl_step1 at_step SslBump1
> acl ssl_step2 at_step SslBump2
> acl ssl_step3 at_step SslBump3
> ssl_bump peek ssl_step1
> ssl_bump splice FakeCert
> ssl_bump bump ssl_step2 all
> ssl_bump splice all
>
> sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
> sslproxy_cipher ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
> sslproxy_flags DONT_VERIFY_PEER
> sslproxy_cert_error allow all
>
>
> Openssl info
> ----------------------------------------------------------------------
>
> openssl s_client -connect 195.115.26.58:443 -showcerts
>
> CONNECTED(00000003)
> depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
> verify return:1
> depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
> verify return:1
> depth=0 C = FR, ST = Seine Saint Denis, L = ST DENIS, O = ASSOCIATION FRANCAISE DE NORMALISATION, OU = ASSOCIATION FRANCAISE DE NORMALISATION, CN = www.boutique.afnor.org
> verify return:1
> ---
> Certificate chain
>  0 s:/C=FR/ST=Seine Saint Denis/L=ST DENIS/O=ASSOCIATION FRANCAISE DE NORMALISATION/OU=ASSOCIATION FRANCAISE DE NORMALISATION/CN=www.boutique.afnor.org
>    i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
> -----BEGIN CERTIFICATE-----
> ../..
> -----END CERTIFICATE-----
>  1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
>    i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
> -----BEGIN CERTIFICATE-----
> ../..
> -----END CERTIFICATE-----
> ---
> Server certificate
> subject=/C=FR/ST=Seine Saint Denis/L=ST DENIS/O=ASSOCIATION FRANCAISE DE NORMALISATION/OU=ASSOCIATION FRANCAISE DE NORMALISATION/CN=www.boutique.afnor.org
> issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 3105 bytes and written 616 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES128-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : AES128-SHA
>     Session-ID: 833B0000A2346F50C5AAFC6B5188B4EBD9304CD25411BECFF0713F8D76C65D9D
>     Session-ID-ctx:
>     Master-Key: D2DF6C62264D03D7D44AF44EB8C0B1B7AD0E650D34DF6EBEB1CBEBFE4F30CB9C6F5080AA94F5D6B5955DD8DF06608416
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1493311275
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
> read:errno=0
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users

--
Bugs to the Future
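The question in this thread is whether the proxy can build the chain from the server's leaf certificate up to a trusted root when the Symantec intermediate is not at hand. The following is an added example, not code from the thread or from the Squid project: it builds a throw-away three-tier PKI with openssl (a constructed root, intermediate and leaf, all names are made up) and then runs `openssl verify` twice, once with only the root, once with the intermediate supplied via `-untrusted`. The first run reproduces the "unable to get local issuer certificate" failure a verifier gets when the intermediate is missing; the second shows the role that a PEM bundle handed to `sslproxy_foreign_intermediate_certs` plays. It assumes an `openssl` binary on the PATH and writes into a temporary directory (`$WORK`).

```shell
#!/bin/sh
# Added example (not from the thread): demonstrate chain building with and
# without an intermediate CA, using a constructed test PKI. All names are fake.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Build root CA -> intermediate CA -> leaf under $WORK.
make_test_pki() {
    # Extension files: the CAs must carry CA:TRUE, the leaf must not.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca_ext.cnf"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
        > "$WORK/leaf_ext.cnf"

    # Self-signed root: this is what a trust store (or Squid's CA bundle) holds.
    openssl req -newkey rsa:2048 -nodes -sha256 -keyout "$WORK/root.key" \
        -out "$WORK/root.csr" -subj "/CN=Test Root CA" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca_ext.cnf" -out "$WORK/root.pem" 2>/dev/null

    # Intermediate CA signed by the root.
    openssl req -newkey rsa:2048 -nodes -sha256 -keyout "$WORK/int.key" \
        -out "$WORK/int.csr" -subj "/CN=Test Intermediate CA" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$WORK/int.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca_ext.cnf" \
        -out "$WORK/int.pem" 2>/dev/null

    # Leaf (server) certificate signed by the intermediate.
    openssl req -newkey rsa:2048 -nodes -sha256 -keyout "$WORK/leaf.key" \
        -out "$WORK/leaf.csr" -subj "/CN=www.example.test" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$WORK/leaf.csr" -CA "$WORK/int.pem" \
        -CAkey "$WORK/int.key" -CAcreateserial -extfile "$WORK/leaf_ext.cnf" \
        -out "$WORK/leaf.pem" 2>/dev/null
}

# Verify the leaf against the root only, i.e. the situation of a verifier that
# never receives the intermediate. Prints 0 when the chain verifies, 1 otherwise.
verify_without_intermediate() {
    if openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo 0
    else
        echo 1
    fi
}

# Same check, but with the intermediate offered as an untrusted helper cert so
# the chain leaf -> intermediate -> root can be built. This is what a foreign
# intermediate bundle does for the proxy. Prints 0 on success, 1 on failure.
verify_with_intermediate() {
    if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
            "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo 0
    else
        echo 1
    fi
}

# Print the issuer the leaf names, so an operator can see which intermediate
# has to be present in the bundle.
leaf_issuer() {
    openssl x509 -in "$WORK/leaf.pem" -noout -issuer
}

make_test_pki
echo "root only:          $(verify_without_intermediate)"   # expected 1 (fails)
echo "root + intermediate: $(verify_with_intermediate)"     # expected 0 (ok)
leaf_issuer
```

To apply the same check to a real chain, replace `root.pem` with the system CA bundle, `int.pem` with the file given to `sslproxy_foreign_intermediate_certs`, and `leaf.pem` with the server certificate saved from `openssl s_client -showcerts`; a failure in the root-only run that disappears once the bundle is added confirms the bundle is doing its job, while a failure in both runs means the issuer named by the leaf is not in the bundle. Note that the quoted configuration also sets `sslproxy_flags DONT_VERIFY_PEER` and `sslproxy_cert_error allow all`, which make Squid tolerate rather than report chain problems, so this offline check is a more direct way to see whether the intermediate is actually known to the proxy.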