
Re: Squid Version 3.5.20 Any Ideas


 



Aha,


20.07.2017 3:04, Cherukuri, Naresh wrote:

Yuri,

 

I am sorry, I didn’t get you. I already installed the certificate on all clients (trusted root certificate authorities). You want me to install the proxy public key on clients also? If so, where should I put the proxy public key? Below is my squid.conf file.

 

Squid.conf

key=/etc/squid/pctysquid2sslcerts/pctysquid2prod.pkey \ proxy ca public key??

This is proxy private key AFAIK.

cert=/etc/squid/pctysquid2sslcerts/pctysquid2prod.crt \ (installed certificate on IE all clients as a trusted root certificate authorities)

Yes, if it is installed into clients - this is ok.

So. The only reason I can see - proxy can't see OpenSSL CA's bundle.

To make it work you should add to your squid's config one of these:

#  TAG: sslproxy_cafile
#    file containing CA certificates to use when verifying server
#    certificates while proxying https:// URLs
#Default:
# none

#  TAG: sslproxy_capath
#    directory containing CA certificates to use when verifying
#    server certificates while proxying https:// URLs
#Default:
# none

Proxy also should know about CAs used for connection verification.

 

 

From: Yuri [mailto:yvoinov@xxxxxxxxx]
Sent: Wednesday, July 19, 2017 4:55 PM
To: Cherukuri, Naresh; squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Squid Version 3.5.20 Any Ideas

 

No. Only proxy's CA public key. Private should remain on proxy only.

 

20.07.2017 2:49, Cherukuri, Naresh wrote:

Thanks Yuri for quick turnover!

 

We only installed the root certificate on all clients. We didn’t install the proxy CA’s public key on clients. So your suggested fix is that we need to install both the certificate and the proxy CA’s public key on clients.

 

Thanks,

Naresh

 

From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Yuri
Sent: Wednesday, July 19, 2017 2:25 PM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Squid Version 3.5.20 Any Ideas

 

One out of two. Either Squid does not see the OpenSSL/system root CAs bundle, or the proxy CA's public key is not installed in the clients. That's all.

 

19.07.2017 23:30, Walter H. wrote:

Hello,

this seems not to be the problem, as the error messages are in cache.log, which is not a browser problem ...

the question: are the SSL bumped sites in intranet, which use a self signed CA cert itself, which squid doesn't know?

On 19.07.2017 17:36, Yuri wrote:

http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

http://i.imgur.com/A153C7A.png

 

19.07.2017 21:34, Cherukuri, Naresh wrote:

Hi All,

 

I installed Squid version 3.5.20 on RHEL 7 and generated self-signed CA certificates. My users are complaining about certificate errors. When I looked at cache.log I see so many error messages like below. Below is my squid.conf file. Any ideas how to address the errors below?

 




Cache.log

 

2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 689: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)

2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 1114: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)

2017/07/18 16:05:37 kid1| Error negotiating SSL connection on FD 146: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)

2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 252: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)

2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 36: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)






_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
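
The cache.log lines quoted in this thread carry a packed OpenSSL error code. As an added example (not part of the original messages and not Squid's own code), this Python sketch decodes it, assuming the OpenSSL 1.0.x layout (8-bit library, 12-bit function, 12-bit reason) and that SSL-library reason codes of 1000 or more are TLS alerts received from the peer. The first two sample lines are from the thread; the third is constructed.

```python
import re
from collections import Counter

# Certificate-related TLS alert numbers (RFC 5246, section 7.2).
TLS_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
              44: "certificate_revoked", 45: "certificate_expired",
              46: "certificate_unknown", 48: "unknown_ca"}
SSL_AD_REASON_OFFSET = 1000   # OpenSSL: reason = 1000 + alert number
ERR_LIB_SSL = 20              # library number 0x14 in the packed code

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) kid\d+\| "
    r"Error negotiating SSL connection on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]{8}):")

def decode_openssl_error(code_hex):
    """Split an OpenSSL 1.0.x packed error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def classify(line):
    """Describe one cache.log line, or return None if it is not a match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    lib, func, reason = decode_openssl_error(m.group("code"))
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET   # alert sent by the peer
    name = TLS_ALERTS.get(alert, "other") if alert is not None else None
    return {"ts": m.group("ts"), "fd": int(m.group("fd")),
            "reason": reason, "peer_alert": alert, "alert_name": name}

def summarize(lines):
    """Count peer-sent TLS alerts by name across a log excerpt."""
    hits = (classify(l) for l in lines)
    return Counter(h["alert_name"] for h in hits if h and h["peer_alert"])

SAMPLE = [
    "2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 689: "
    "error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)",
    "2017/07/18 16:05:37 kid1| Error negotiating SSL connection on FD 146: "
    "error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)",
    # Constructed line (not from the thread): alert 48, unknown_ca.
    "2017/07/18 16:05:40 kid1| Error negotiating SSL connection on FD 77: "
    "error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)",
]

if __name__ == "__main__":
    for name, count in summarize(SAMPLE).most_common():
        print(f"{count:4d}  {name}")
```

Reason 0x416 decodes to 1046, i.e. alert 46 (certificate_unknown) sent by the other end of the connection that Squid was negotiating.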

 

 

