Hey,

I have not published the RHEL packages on the squid-cache wiki at:
http://wiki.squid-cache.org/KnowledgeBase/RedHat
And will try to add the details there in the next days.

You can try to use the RHEL which is similar to the centos and on the same server which is mentioned in this page:
http://wiki.squid-cache.org/KnowledgeBase/CentOS#Squid-3.5

But replace the centos with rhel, i.e.:
baseurl=http://www1.ngtech.co.il/repo/rhel/$releasever/$basearch/

There is an up-to-date 3.5.26 package which you should try to use in any case.
I don’t know why you encounter this issue but it is a good time to know that there is an up-to-date squid rpm for RHEL 7.

All The Bests,
Eliezer

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx

From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Cherukuri, Naresh
Sent: Wednesday, July 19, 2017 16:46
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Squid Version 3.5.20

Hi All,

I installed Squid version 3.5.20 on RHEL 7 and generated self-signed CA certificates. My users are complaining about certificate errors. When I looked at cache.log I see so many error messages like below. Below is my squid.conf file. Any ideas how to address below errors?

Squid.conf:

max_filedesc 4096
visible_hostname pctysqd2prod
logfile_rotate 10

access_log stdio:/var/log/squid/access.log squid

acl localnet src 172.16.0.0/16
acl backoffice_users src 10.136.0.0/13
acl hcity_backoffice_users src 10.142.0.0/15
acl register_users src 10.128.0.0/13
acl hcity_register_users src 10.134.0.0/15
acl partycity url_regex partycity

acl SSL_ports port 443
acl Safe_ports port 80 # http
#acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
#acl Safe_ports port 70 # gopher
#acl Safe_ports port 210 # wais
#acl Safe_ports port 1025-65535 # unregistered ports
#acl Safe_ports port 280 # http-mgmt
#acl Safe_ports port 488 # gss-http
#acl Safe_ports port 591 # filemaker
#acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#acl allowed_sites {dst|dstdomain|dstdom_regex|url_regex) "/path/to/file"
acl backoffice_allowed_sites url_regex "/etc/squid/backoffice_allowed_sites"
acl hcity_backoffice_allowed_sites url_regex "/etc/squid/backoffice_allowed_sites"
acl backoffice_blocked_sites url_regex "/etc/squid/backoffice_blocklist"
acl hcity_backoffice_blocked_sites url_regex "/etc/squid/backoffice_blocklist"
acl register_allowed_sites url_regex "/etc/squid/register_allowed_sites"
acl hcity_register_allowed_sites url_regex "/etc/squid/hcity_register_allowed_sites"

http_access allow localnet register_allowed_sites
http_access deny backoffice_users backoffice_blocked_sites
http_access deny hcity_backoffice_users backoffice_blocked_sites
http_access allow backoffice_users backoffice_allowed_sites
http_access allow hcity_backoffice_users backoffice_allowed_sites
http_access allow register_users register_allowed_sites
http_access allow hcity_register_users hcity_register_allowed_sites
no_cache deny partycity
http_access deny all

#http_access allow manager localhost
#http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
#http_access deny CONNECT !SSL_ports
http_access allow CONNECT SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128 ssl-bump \
key=/etc/squid/pctysquid2sslcerts/pctysquid2prod.pkey \
cert=/etc/squid/pctysquid2sslcerts/pctysquid2prod.crt \
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

sslproxy_cert_error allow all
always_direct allow all
sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /cache/squid 10000 16 256

# Leave coredumps in the first cache dir
#rdescoredump_dir /var/spool/squid
coredump_dir /var/log/squid/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

#url_rewrite_access allow all
#url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidguard.conf

Cache.log

2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 689: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 1114: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:37 kid1| Error negotiating SSL connection on FD 146: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 252: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 36: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
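
Added example (not part of the original thread, and not Squid project code): a small Python triage script for cache.log lines like the ones quoted above. It unpacks the OpenSSL error code in each line, assuming the OpenSSL 1.0.x packing (library in the top byte, function in the next 12 bits, reason in the low 12 bits), and reports reason values of 1000 and above as the TLS alert sent by the peer. SAMPLE_LOG and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: three of the cache.log lines quoted in the thread.
SAMPLE_LOG = """\
2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 689: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 1114: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:37 kid1| Error negotiating SSL connection on FD 146: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
"""

# Certificate-related TLS alert numbers (RFC 5246, section 7.2).
TLS_ALERTS = {
    42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 48: "unknown_ca",
}

ERR_LIB_SSL = 20            # OpenSSL library number for "SSL routines"
ALERT_REASON_OFFSET = 1000  # OpenSSL stores a received alert N as reason 1000 + N

LINE_RE = re.compile(
    r"Error negotiating SSL connection on FD (\d+): error:([0-9A-Fa-f]{8}):")


def decode_openssl_error(hex_code):
    """Split a packed OpenSSL 1.0.x error code into (lib, func, reason)."""
    code = int(hex_code, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def peer_alert(hex_code):
    """Name the TLS alert if the code records one sent by the peer, else None."""
    lib, _func, reason = decode_openssl_error(hex_code)
    if lib != ERR_LIB_SSL or reason < ALERT_REASON_OFFSET:
        return None  # a local OpenSSL error, not an alert from the other side
    number = reason - ALERT_REASON_OFFSET
    return TLS_ALERTS.get(number, f"alert_{number}")


def summarize(log_text):
    """Count handshake failures per peer alert across cache.log text."""
    counts = Counter()
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if match:
            counts[peer_alert(match.group(2)) or "local_error"] += 1
    return counts


if __name__ == "__main__":
    for alert, hits in summarize(SAMPLE_LOG).most_common():
        print(f"{hits:5d}  {alert}")
```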