OK, Alex, these are the errors in cache.log (for 2 different tests):

2017/12/06 16:01:52 kid1| Error negotiating SSL on FD 18: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2017/12/06 16:01:52 kid1| Error negotiating SSL on FD 25: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2017/12/06 16:01:52 kid1| Error negotiating SSL on FD 26: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2017/12/06 16:02:10 kid1| send: (111) Connection refused
2017/12/06 16:02:10 kid1| Closing Pinger socket on FD 36
2017/12/06 16:02:23 kid1| Starting new ssl_crtd helpers...
2017/12/06 16:02:23 kid1| helperOpenServers: Starting 1/16 'ssl_crtd' processes
2017/12/06 16:02:23 kid1| helperOpenServers: Starting 1/16 'ssl_crtd' processes
2017/12/06 16:02:23 kid1| Error negotiating SSL on FD 67: error:00000000:lib(0): func(0):reason(0) (5/0/0)
2017/12/06 16:02:23 kid1| Error negotiating SSL on FD 68: error:00000000:lib(0): func(0):reason(0) (5/0/0)
2017/12/06 16:02:23 kid1| Error negotiating SSL on FD 70: error:00000000:lib(0): func(0):reason(0) (5/0/0)
2017/12/06 16:02:23 kid1| Error negotiating SSL on FD 69: error:00000000:lib(0): func(0):reason(0) (5/0/0)
2017/12/06 16:02:23 kid1| Error negotiating SSL on FD 75: error:00000000:lib(0): func(0):reason(0) (5/0/0)
2017/12/06 16:02:23 kid1| Error negotiating SSL on FD 74: error:00000000:lib(0): func(0):reason(0) (5/0/0)
2017/12/06 16:02:23 kid1| Starting new ssl_crtd helpers...
2017/12/06 16:02:23 kid1| helperOpenServers: Starting 1/16 'ssl_crtd' processes
2017/12/06 16:02:23 kid1| Starting new ssl_crtd helpers...
2017/12/06 16:02:23 kid1| helperOpenServers: Starting 1/16 'ssl_crtd' processes
2017/12/06 16:02:23 kid1| Starting new ssl_crtd helpers...
2017/12/06 16:02:23 kid1| helperOpenServers: Starting 1/16 'ssl_crtd' processes
2017/12/06 16:02:23 kid1| Starting new ssl_crtd helpers...
2017/12/06 16:02:23 kid1| helperOpenServers: Starting 1/16 'ssl_crtd' processes
2017/12/06 16:02:37 kid1| Error negotiating SSL connection on FD 61: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)

Best,
Hugo

2017-12-06 15:54 GMT-03:00 Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>:
> On 12/06/2017 11:45 AM, Hugo Saavedra wrote:
>
>> Currently we have cache.log disabled for performance.
>
> With default debug_options, cache.log should not affect performance. If
> it does in your setup, then there is probably a problem that you should
> solve (without disabling cache.log).
>
>
>> any clues?
>
> You are probably not supplying enough information for others to guess
> what the problem is. Enabling cache.log may be the best next step. You
> can also try logging %err_code/%err_detail to access.log but not all
> errors populate those two logformat %codes so YMMV.
>
> Alex.
>
>
>> 2017-12-06 14:51 GMT-03:00 Enrico Heine <flashdown@xxxxxxxxxxxxx>:
>>> Hi,
>>>
>>> Can you confirm that squid is able to resolve these hostnames? If not try
>>> browsing to them without https and check if squid gives you an error
>>> message.
>>>
>>> Did you check the cache.log as well?
>>>
>>> Br Enrico
>>>
>>> On 6 December 2017 17:38:24 CET, Hugo Saavedra
>>> <hugo.saavedra.oteiza@xxxxxxxxx> wrote:
>>>>
>>>> Hi All,
>>>>
>>>> We have the following setup of a transparent squid box:
>>>> OS: CentOS release 6.9 (Final)
>>>> Squid Cache: Version 3.5.26-20170625-r14174
>>>> Compile options:
>>>> '--with-included-ltdl' '--enable-icap-client'
>>>> '--enable-delay-pools' '--with-openssl' '--enable-ssl-crtd'
>>>> '--enable-icmp' '--enable-snmp' '--prefix=/usr'
>>>> '--includedir=/usr/include' '--datadir=/usr/share'
>>>> '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid'
>>>> '--localstatedir=/var' '--sysconfdir=/etc/squid'
>>>> --enable-ltdl-convenience
>>>>
>>>> Endpoints are redirected to the Squid box using a policy route for
>>>> TCP80/443 on a Fortigate firewall. All http/80 traffic works well. We
>>>> are using ssl bump for ssl, but there is a strange behavior: some
>>>> websites open well, but some break and get TAG_NONE/503
>>>> errors in the access log:
>>>>
>>>> 1512561423.930 1 192.168.1.108 TAG_NONE/503 31435 POST https://api.chatlio.com/v1/p/visitor/session/new - HIER_NONE/- text/html
>>>> 1512562220.870 1 192.168.1.158 TAG_NONE/503 12386 GET https://tile-service.weather.microsoft.com/es-CL/livetile/front/-33.44,-70.65? - HIER_NONE/- text/html
>>>> 1512562220.870 1 192.168.1.158 TAG_NONE/503 12386 GET https://service.weather.microsoft.com/appex/DesktopTile/Badge? - HIER_NONE/- text/html
>>>> 1512566858.355 186 192.168.1.104 TAG_NONE/503 31436 GET https://www.mercantil.com/empresa/reac-importadora-spa/estaci%C3%B3n-central/300469639/esp - HIER_NONE/- text/html
>>>>
>>>> In the same time range, other websites load well:
>>>>
>>>> 1512561134.548 306 192.168.1.112 TCP_MISS/302 572 GET https://loadm.exelator.com/load/? - ORIGINAL_DST/63.251.252.12 image/gif
>>>> 1512561139.701 216 192.168.1.148 TCP_MISS/200 386 POST https://cloud-ecs.gravityzone.bitdefender.com/hydra- ORIGINAL_DST/107.20.215.8 application/json
>>>> 1512561142.180 13 192.168.1.112 TCP_MISS/200 419 GET https://www.facebook.com/tr/? - ORIGINAL_DST/179.60.193.35 image/gif
>>>> 1512561142.410 243 192.168.1.112 TCP_MISS/200 286 GET https://bam.nr-data.net/1/ef1706da28? - ORIGINAL_DST/162.247.242.21 text/javascript
>>>>
>>>>
>>>> IPTABLES CONFIGURATION
>>>> =======================
>>>> # PREROUTING INTERCEPT PBR
>>>>
>>>> *nat
>>>> :PREROUTING ACCEPT [0:0]
>>>> :POSTROUTING ACCEPT [0:0]
>>>> :OUTPUT ACCEPT [0:0]
>>>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 3128
>>>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
>>>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
>>>> COMMIT
>>>>
>>>> *filter
>>>> :INPUT ACCEPT [0:0]
>>>> :FORWARD ACCEPT [0:0]
>>>> :OUTPUT ACCEPT [0:0]
>>>>
>>>> #WEB
>>>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 80 -j ACCEPT
>>>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 443 -j ACCEPT
>>>>
>>>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 3128 -j ACCEPT
>>>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 3129 -j ACCEPT
>>>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 3130 -j ACCEPT
>>>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 3131 -j ACCEPT
>>>>
>>>> #default
>>>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>> -A INPUT -p icmp -j ACCEPT
>>>> -A INPUT -i lo -j ACCEPT
>>>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>>>> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>>>> COMMIT
>>>>
>>>>
>>>> SQUID CONFIGURATION
>>>> ====================
>>>>
>>>> #WHITE LIST
>>>> acl exclWL url_regex "/etc/squid/white_url.squid"
>>>> acl neoWL url_regex "/etc/squid/neowl.squid"
>>>> http_access allow exclWL
>>>> http_access allow neoWL
>>>> cache deny exclWL
>>>> cache deny neoWL
>>>> always_direct allow exclWL
>>>> always_direct allow neoWL
>>>>
>>>> #Malicious URLs
>>>> acl dom url_regex "/etc/squid/dom.squid"
>>>> acl cc url_regex "/etc/squid/cc.squid"
>>>> http_access deny dom
>>>> http_access deny cc
>>>>
>>>> #BLACK LIST
>>>> acl exclBL url_regex "/etc/squid/black_url.squid"
>>>> acl neoBL url_regex "/etc/squid/neobl.squid"
>>>> http_access deny exclBL
>>>> http_access deny neoBL
>>>>
>>>> #ACLS BASE
>>>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>>>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>>> acl localnet src fc00::/7 # RFC 4193 local private network range
>>>> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
>>>> acl SSL_ports port 443
>>>> acl SSL_ports port 3129
>>>> acl Safe_ports port 80 # http
>>>> acl Safe_ports port 21 # ftp
>>>> acl Safe_ports port 443 # https
>>>> acl Safe_ports port 70 # gopher
>>>> acl Safe_ports port 210 # wais
>>>> acl Safe_ports port 1025-65535 # unregistered ports
>>>> acl Safe_ports port 280 # http-mgmt
>>>> acl Safe_ports port 488 # gss-http
>>>> acl Safe_ports port 591 # filemaker
>>>> acl Safe_ports port 777 # multiling http
>>>> acl CONNECT method CONNECT
>>>> acl HTTPS proto HTTPS
>>>>
>>>> include /etc/squid/acls_whitelist.conf
>>>> acl useragent browser "/etc/squid/useragent.squid"
>>>> range_offset_limit 0 !useragent
>>>> minimum_object_size 0 bytes
>>>> maximum_object_size 3 GB
>>>> quick_abort_min -1
>>>> delay_pools 1
>>>> delay_class 1 1
>>>> delay_parameters 1 128000/128000
>>>> delay_access 1 deny SSL_ports
>>>> delay_access 1 allow !useragent
>>>> delay_access 1 deny all
>>>>
>>>> #cache conf
>>>> max_filedescriptors 24576
>>>> memory_cache_mode disk
>>>> cache_mem 0 MB
>>>> cache allow all
>>>> minimum_object_size 0 bytes
>>>> maximum_object_size 20 MB
>>>> sslproxy_flags DONT_VERIFY_PEER
>>>> connect_timeout 8 seconds
>>>>
>>>> http_access deny !Safe_ports
>>>> http_access deny CONNECT !SSL_ports
>>>> http_access allow localhost manager
>>>> http_access deny manager
>>>> http_access allow localnet
>>>> http_access allow localhost
>>>> http_access deny all
>>>> reply_header_access Alternate-Protocol deny all
>>>>
>>>> http_port 3130
>>>> http_port 3131 ssl-bump cert=/etc/squid/ssl_cert/SIC.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>>>> http_port 3128 intercept
>>>> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl_cert/SIC.pem
>>>>
>>>> cache_dir ufs /var/cache/squid 9000 16 256
>>>> cache_store_log /var/log/squid/store.log
>>>> cache_effective_user squid
>>>> visible_hostname Proxy
>>>>
>>>> refresh_pattern ^ftp: 1440 20% 10080
>>>> refresh_pattern ^gopher: 1440 0% 1440
>>>> refresh_pattern -i (/cgi-bin/|\?) 2 20% 10
>>>> refresh_pattern . 2 20% 10 ignore-reload override-expire ignore-no-cache ignore-no-store store-stale ignore-private ignore-must-revalidate ignore-auth
>>>> refresh_pattern -i \.(dmg|msi|deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff|pdf)$ 1 20% 4 override-expire ignore-no-cache ignore-no-store ignore-private reload-into-ims
>>>>
>>>>
>>>> #SSL BUMP
>>>> include /etc/squid/ssl.conf
>>>>
>>>> #LOGGING
>>>> access_log /var/log/squid/access.log
>>>> access_log /var/log/squid/access_c2.log cc
>>>> access_log /var/log/squid/access_c2.log dom
>>>> access_log /var/log/squid/splc.log excludeSSL
>>>> cache_log /dev/null
>>>> coredump_dir /var/cache/squid
>>>>
>>>> #ICAP
>>>> icap_enable on
>>>> icap_send_client_ip on
>>>> icap_send_client_username on
>>>> icap_client_username_header X-Authenticated-User
>>>> icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
>>>> adaptation_access service_req allow useragent
>>>> icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
>>>> adaptation_access service_resp allow useragent
>>>>
>>>> #X FORWARDED FOR
>>>> forwarded_for on
>>>>
>>>> SSL.conf
>>>> =======
>>>>
>>>> sslproxy_foreign_intermediate_certs /etc/squid/intermediate_ca.pem
>>>> sslproxy_cafile /etc/squid/intermediate_ca.pem
>>>> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 16MB
>>>> sslcrtd_children 16 startup=5 idle=1
>>>>
>>>> acl FakeCert ssl::server_name .apple.com
>>>> acl FakeCert ssl::server_name .icloud.com
>>>> acl FakeCert ssl::server_name .mzstatic.com
>>>> acl FakeCert ssl::server_name .dropbox.com
>>>> acl ssl_step1 at_step SslBump1
>>>> acl ssl_step2 at_step SslBump2
>>>> acl ssl_step3 at_step SslBump3
>>>>
>>>> ssl_bump peek ssl_step1
>>>> ssl_bump splice GlobalWhitelistDSTNet
>>>> ssl_bump splice GlobalWhitelistDomainsRx
>>>> ssl_bump splice GlobalWhitelistDomains
>>>> ssl_bump splice FakeCert
>>>> ssl_bump bump ssl_step2 all
>>>> ssl_bump splice all
>>>> sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
>>>> sslproxy_cipher ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
>>>> sslproxy_flags DONT_VERIFY_PEER
>>>> sslproxy_cert_error allow all
>>>> sslproxy_cert_error deny all
>>>>
>>>> acls_whitelist.conf
>>>> =============
>>>>
>>>> acl WindowsUpdates dstdomain officecdn.microsoft.com
>>>> acl WindowsUpdates dstdomain windowsupdate.microsoft.com
>>>> acl WindowsUpdates dstdomain ntservicepack.microsoft.com
>>>> acl WindowsUpdates dstdomain download.microsoft.com
>>>> acl WindowsUpdates dstdomain .windowsupdate.com
>>>> acl WindowsUpdates dstdomain .windowsupdate.net
>>>> acl WindowsUpdates dstdomain .update.microsoft.com
>>>> acl WindowsUpdates dstdomain .mp.microsoft.com
>>>> acl WindowsUpdates dstdomain .ws.microsoft.com
>>>> acl GlobalWhitelistDomains dstdomain "/etc/squid/acls_whitelist.dstdomain.conf"
>>>> acl GlobalWhitelistDSTNet dst "/etc/squid/acls_whitelist.dst.conf"
>>>> acl GlobalWhitelistDomainsRx dstdom_regex -i "/etc/squid/acls_whitelist.dstdom_regex.conf"
>>>> acl GlobalWhitelistBrowsers browser -i "/etc/squid/acls_whitelist.browser.conf"
>>>> http_access allow GlobalWhitelistDomains
>>>> url_rewrite_access deny GlobalWhitelistDomains
>>>> http_access allow GlobalWhitelistDSTNet
>>>> url_rewrite_access deny GlobalWhitelistDSTNet
>>>> http_access allow GlobalWhitelistDomainsRx
>>>> url_rewrite_access deny GlobalWhitelistDomainsRx
>>>> http_access allow GlobalWhitelistBrowsers
>>>>
>>>>
>>>> Anyone with the same TAG_NONE/503 error, please help!?
>>>>
>>>> Regards,
>>>> Hugo
>>>> ________________________________
>>>>
>>>> squid-users mailing list
>>>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>>>> http://lists.squid-cache.org/listinfo/squid-users
>>>
>>>
>>> --
>>> This message was sent from my Android device with K-9 Mail.
>>
>>
>>
>

--
Regards,
Hugo Saavedra
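The thread posts two log formats that have to be read together: native access.log records (where the failing requests show up as TAG_NONE/503 with HIER_NONE, i.e. no upstream was ever reached) and cache.log "Error negotiating SSL" lines whose OpenSSL reason strings say why. The triage script below is an added example written by the editor; it is not code from the thread and not part of Squid. It parses both formats, lists the hosts that failed without an upstream, and buckets each TLS event by side and cause. The side is taken from the wording (in Squid 3.5, "Error negotiating SSL on FD" is logged by the server-side peer connector, "Error negotiating SSL connection on FD" by the client-side accept path), and the cause buckets are the editor's reading of the SSL_get_error() value and TLS alert name printed on each line, not a diagnosis the thread itself reached. Sample input is a handful of records copied from the thread.

```python
"""Triage helper for Squid access.log / cache.log TLS failures (added example, not Squid code)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample input: a few records copied from the thread above.
ACCESS_LOG = """\
1512561423.930 1 192.168.1.108 TAG_NONE/503 31435 POST https://api.chatlio.com/v1/p/visitor/session/new - HIER_NONE/- text/html
1512562220.870 1 192.168.1.158 TAG_NONE/503 12386 GET https://service.weather.microsoft.com/appex/DesktopTile/Badge? - HIER_NONE/- text/html
1512561142.180 13 192.168.1.112 TCP_MISS/200 419 GET https://www.facebook.com/tr/? - ORIGINAL_DST/179.60.193.35 image/gif
"""

CACHE_LOG = """\
2017/12/06 16:01:52 kid1| Error negotiating SSL on FD 18: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2017/12/06 16:02:23 kid1| Error negotiating SSL on FD 67: error:00000000:lib(0): func(0):reason(0) (5/0/0)
2017/12/06 16:02:37 kid1| Error negotiating SSL connection on FD 61: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2017/12/06 16:02:10 kid1| send: (111) Connection refused
"""

# Squid native access.log: time elapsed client tag/status bytes method URL user hier/peer type
ACCESS_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<tag>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)

# cache.log TLS negotiation line. The optional word "connection" marks the
# client-side (browser) handshake; without it the line is the server-side
# (origin) handshake. The parenthesised numbers are SSL_get_error()/ret[/errno].
CACHE_RE = re.compile(
    r"^(?P<date>\S+ \S+) kid\d+\| Error negotiating SSL(?P<side> connection)? on FD "
    r"(?P<fd>\d+): error:(?P<code>[0-9A-Fa-f]{8}):(?P<reason>.*?) "
    r"\((?P<ssl_err>\d+)/(?P<ret>-?\d+)(?:/(?P<errno>-?\d+))?\)$"
)

SSL_ERROR_SSL = 1      # protocol-level failure; the OpenSSL reason string is meaningful
SSL_ERROR_SYSCALL = 5  # I/O failure; with ret == 0 the peer closed the socket mid-handshake


def parse_access(text):
    """Parse native-format access.log lines; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            row = m.groupdict()
            row["host"] = urlsplit(row["url"]).hostname
            rows.append(row)
    return rows


def failed_hosts(rows):
    """Hosts whose requests died as TAG_NONE/503 before any upstream was contacted."""
    return Counter(r["host"] for r in rows
                   if r["tag"] == "TAG_NONE" and r["status"] == "503"
                   and r["hier"] == "HIER_NONE")


def classify(ev):
    """Coarse cause bucket for one parsed cache.log TLS event (editor's reading)."""
    reason = ev["reason"]
    if ev["side"] == "server":
        if ev["ssl_err"] == SSL_ERROR_SSL and "alert handshake failure" in reason:
            return "server: origin sent handshake_failure alert"
        if ev["ssl_err"] == SSL_ERROR_SYSCALL and ev["ret"] == 0:
            return "server: origin closed connection during handshake (EOF)"
        return "server: other TLS error"
    if ev["ssl_err"] == SSL_ERROR_SSL and "unknown ca" in reason:
        return "client: browser rejected the generated certificate (unknown_ca alert)"
    return "client: other TLS error"


def parse_cache(text):
    """Parse cache.log TLS negotiation errors and attach a cause bucket to each."""
    events = []
    for line in text.splitlines():
        m = CACHE_RE.match(line)
        if not m:
            continue  # not a TLS negotiation line (pinger, helper start-up, ...)
        ev = m.groupdict()
        ev["side"] = "client" if ev["side"] else "server"
        ev["ssl_err"] = int(ev["ssl_err"])
        ev["ret"] = int(ev["ret"])
        ev["cause"] = classify(ev)
        events.append(ev)
    return events


def cause_counts(events):
    """Histogram of cause buckets, most frequent first when printed."""
    return Counter(e["cause"] for e in events)


if __name__ == "__main__":
    for host, n in failed_hosts(parse_access(ACCESS_LOG)).most_common():
        print(f"{n:4d}  TAG_NONE/503  {host}")
    for cause, n in cause_counts(parse_cache(CACHE_LOG)).most_common():
        print(f"{n:4d}  {cause}")
```

Run against full logs, the two histograms separate the three different failure signatures in the thread: an origin rejecting the handshake Squid offers, an origin dropping the connection with no alert at all, and a browser refusing the certificate ssl_crtd generated. Each points at a different place to look (sslproxy_cipher/sslproxy_options for the first, the splice/bump decision for the second, CA trust on the client for the third), which is why keeping cache.log enabled, as Alex suggests, matters more than the access.log status alone.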