Thanks Yuri! But I still have the error "Error negotiating SSL on FD 13: error:00000000:lib(0):func(0):reason(0) (5/0/0)" and cannot browse to the site (as I've seen you can with your squid...???).

Created a file /etc/squid3/cabundle.pem
Added the Symantec certificates available here: https://knowledge.symantec.com/kb/index?page=content&actp=CROSSLINK&id=INFO2047
Added sslproxy_foreign_intermediate_certs /etc/squid3/cabundle.pem
and performed a squid -k reconfigure

Missing something???

Best regards

-----Original Message-----
From: Yuri Voinov [mailto:yvoinov@xxxxxxxxx]
Sent: Thursday, 27 April 2017 22:52
To: David Touzeau <david@xxxxxxxxxxxxxx>; squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Squid can't have any intermediate certificates, nor root CAs. You can use this:

# TAG: sslproxy_foreign_intermediate_certs
#       Many origin servers fail to send their full server certificate
#       chain for verification, assuming the client already has or can
#       easily locate any missing intermediate certificates.
#
#       Squid uses the certificates from the specified file to fill in
#       these missing chains when trying to validate origin server
#       certificate chains.
#
#       The file is expected to contain zero or more PEM-encoded
#       intermediate certificates. These certificates are not treated
#       as trusted root certificates, and any self-signed certificate in
#       this file will be ignored.
#Default:
# none

However, you should identify and collect them by yourself. The biggest problem: unlike root CAs, which can be taken from Mozilla's, intermediate CAs are spread over the CA providers, have a much shorter validity period (in most cases up to 5-7 years) and, for this reason, should be continuously maintained by the proxy admin.

Also, remove this:

sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_error allow all

from your config. Don't. Never.

This completely disables ANY security checks for certificates, which leads to a giant vulnerability for your users. sslproxy_cert_error should be restricted by very specific ACL(s) in your config, only for the number of sites you trust.

28.04.2017 2:27, David Touzeau wrote:
> Hi Yuri
>
> I did not know if squid has the Symantec intermediate certificate. Squid is installed as default...
> Any howto?
>
>
> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On behalf of Yuri Voinov
> Sent: Thursday, 27 April 2017 22:09
> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
>
> Look. It can be an intermediate certificates issue.
>
> Does Squid have the Symantec intermediate certificates?
>
>
> 27.04.2017 22:47, David Touzeau wrote:
>> Hi,
>> I'm unable to access the https://www.boutique.afnor.org website.
>> I would like to know if this issue cannot be fixed and I must deny bumping the website to fix it.
>> Without Squid the website is correctly displayed.
>>
>> Squid claims an error page with "(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)"
>>
>> In cache.log: "Error negotiating SSL on FD 17: error:00000000:lib(0):func(0):reason(0) (5/0/0)"
>>
>> Using the following configuration:
>>
>> http_port 0.0.0.0:3128 name=MyPortNameID20 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/0c451f46b4d05031560d8195f30165cb.dyn
>> sslproxy_foreign_intermediate_certs /etc/squid3/intermediate_ca.pem
>> sslcrtd_program /lib/squid3/ssl_crtd -s /var/lib/squid/session/ssl/ssl_db -M 8MB
>> sslcrtd_children 16 startup=5 idle=1
>> acl FakeCert ssl::server_name .apple.com
>> acl FakeCert ssl::server_name .icloud.com
>> acl FakeCert ssl::server_name .mzstatic.com
>> acl FakeCert ssl::server_name .dropbox.com
>> acl ssl_step1 at_step SslBump1
>> acl ssl_step2 at_step SslBump2
>> acl ssl_step3 at_step SslBump3
>> ssl_bump peek ssl_step1
>> ssl_bump splice FakeCert
>> ssl_bump bump ssl_step2 all
>> ssl_bump splice all
>>
>> sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
>> sslproxy_cipher ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
>> sslproxy_flags DONT_VERIFY_PEER
>> sslproxy_cert_error allow all
>>
>>
>> Openssl info
>> ------------------------------------------------------------------------
>>
>> openssl s_client -connect 195.115.26.58:443 -showcerts
>>
>> CONNECTED(00000003)
>> depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
>> verify return:1
>> depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
>> verify return:1
>> depth=0 C = FR, ST = Seine Saint Denis, L = ST DENIS, O = ASSOCIATION FRANCAISE DE NORMALISATION, OU = ASSOCIATION FRANCAISE DE NORMALISATION, CN = www.boutique.afnor.org
>> verify return:1
>> ---
>> Certificate chain
>>  0 s:/C=FR/ST=Seine Saint Denis/L=ST DENIS/O=ASSOCIATION FRANCAISE DE NORMALISATION/OU=ASSOCIATION FRANCAISE DE NORMALISATION/CN=www.boutique.afnor.org
>>    i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
>> -----BEGIN CERTIFICATE-----
>> ../..
>> -----END CERTIFICATE-----
>>  1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
>>    i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
>> -----BEGIN CERTIFICATE-----
>> ../..
>> -----END CERTIFICATE-----
>> ---
>> Server certificate
>> subject=/C=FR/ST=Seine Saint Denis/L=ST DENIS/O=ASSOCIATION FRANCAISE DE NORMALISATION/OU=ASSOCIATION FRANCAISE DE NORMALISATION/CN=www.boutique.afnor.org
>> issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 3105 bytes and written 616 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is AES128-SHA
>> Server public key is 2048 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>>     Protocol  : TLSv1
>>     Cipher    : AES128-SHA
>>     Session-ID: 833B0000A2346F50C5AAFC6B5188B4EBD9304CD25411BECFF0713F8D76C65D9D
>>     Session-ID-ctx:
>>     Master-Key: D2DF6C62264D03D7D44AF44EB8C0B1B7AD0E650D34DF6EBEB1CBEBFE4F30CB9C6F5080AA94F5D6B5955DD8DF06608416
>>     Key-Arg   : None
>>     PSK identity: None
>>     PSK identity hint: None
>>     SRP username: None
>>     Start Time: 1493311275
>>     Timeout   : 300 (sec)
>>     Verify return code: 0 (ok)
>> ---
>> read:errno=0
>>
>>
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>> http://lists.squid-cache.org/listinfo/squid-users
>
> --
> Bugs to the Future

--
Bugs to the Future
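Added example, not from the thread and not Squid's own code: a stdlib-only Python audit of a bundle such as /etc/squid3/cabundle.pem that flags the two things Yuri warns about, self-signed roots (which Squid ignores in sslproxy_foreign_intermediate_certs) and intermediates that have expired or are close to it. The minimal DER walker, the "subject == issuer" test standing in for "self-signed" (no signature is verified), and the unsigned test certificates are my constructions; run it on a real file with audit_bundle(open(path).read()).

```python
import base64, re
from datetime import datetime, timezone
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_CN = b"\x06\x03\x55\x04\x03"  # full TLV of OBJECT IDENTIFIER 2.5.4.3 (commonName)

def _tlv(buf, i=0):
    tag, ln, i = buf[i], buf[i + 1], i + 2   # one DER TLV at offset i -> (tag, value, next offset)
    if ln & 0x80:                            # long-form length: low 7 bits = number of length bytes
        n = ln & 0x7F
        ln, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + ln], i + ln

def _cn(name):
    j = name.find(OID_CN)                    # readable label: the string value after the CN OID
    return _tlv(name, j + len(OID_CN))[1].decode() if j >= 0 else name.hex()

def inspect_der(der):
    tbs = _tlv(_tlv(der)[1])[1]              # Certificate -> tbsCertificate
    tag, _, i = _tlv(tbs)                    # version [0] (optional) or serialNumber
    if tag == 0xA0: _, _, i = _tlv(tbs, i)   # explicit version present: skip serialNumber too
    _, _, i = _tlv(tbs, i)                   # signature AlgorithmIdentifier
    _, issuer, i = _tlv(tbs, i)              # issuer and subject Names kept as raw DER for comparison
    _, validity, i = _tlv(tbs, i)
    _, subject, _ = _tlv(tbs, i)
    t, na, _ = _tlv(validity, _tlv(validity)[2])             # skip notBefore, read notAfter
    fmt = "%y%m%d%H%M%SZ" if t == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return issuer, subject, datetime.strptime(na.decode(), fmt).replace(tzinfo=timezone.utc)

def audit_bundle(pem_text, now=None):
    now = now or datetime.now(timezone.utc)  # subject == issuer stands in for "self-signed" (no signature check)
    report = []
    for m in PEM_RE.finditer(pem_text):
        issuer, subject, not_after = inspect_der(base64.b64decode(m.group(1)))
        status = ("self-signed: ignored by Squid here, belongs in the root CA store" if issuer == subject
                  else "EXPIRED intermediate: replace it" if not_after < now
                  else "intermediate ok, %d days left" % (not_after - now).days)
        report.append((_cn(subject), status))
    return report

def _der(tag, body):  # DER builder for the constructed, unsigned test certificates below
    ln = len(body)
    return bytes([tag]) + (bytes([ln]) if ln < 128 else b"\x81" + bytes([ln]) if ln < 256 else b"\x82" + ln.to_bytes(2, "big")) + body
def make_test_pem(subject_cn, issuer_cn, not_after):  # not_after as UTCTime text, e.g. "200101000000Z"
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, OID_CN + _der(0x0C, cn.encode()))))
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + b"\x05\x00")  # sha256WithRSA
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name(issuer_cn)
               + _der(0x30, _der(0x17, b"160101000000Z") + _der(0x17, not_after.encode())) + name(subject_cn))
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00"))  # empty BIT STRING where the signature would be
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()
```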