Re: SSL TAG_NONE/503 errors

https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery


07.12.2017 5:40, Hugo Saavedra wrote:
> Oops! We have another problem here. Does anyone know what this is?
>
> 2017/12/06 19:30:23 kid1| SECURITY ALERT: on URL: login.live.com:443
> 2017/12/06 19:30:23 kid1| SECURITY ALERT: Host header forgery detected
> on local=131.253.61.100:443 remote=192.168.10.2:59041 FD 126 flags=33
> (local IP does not match any domain IP)
> 2017/12/06 19:30:23 kid1| SECURITY ALERT: on URL: login.live.com:443
> 2017/12/06 19:30:37 kid1| SECURITY ALERT: Host header forgery detected
> on local=131.253.61.100:443 remote=192.168.10.2:59042 FD 106 flags=33
> (local IP does not match any domain IP)
> 2017/12/06 19:30:37 kid1| SECURITY ALERT: on URL: login.live.com:443
> 2017/12/06 19:30:37 kid1| SECURITY ALERT: Host header forgery detected
> on local=131.253.61.100:443 remote=192.168.10.2:59043 FD 107 flags=33
> (local IP does not match any domain IP)
> 2017/12/06 19:30:37 kid1| SECURITY ALERT: on URL: login.live.com:443
>
> Thanks
>
> 2017-12-06 16:56 GMT-03:00 Hugo Saavedra <hugo.saavedra.oteiza@xxxxxxxxx>:
>> solution found: we commented the sslproxy_cipher line and it works!
>> are there any security issues if we leave the default options for this variable?
>>
>> thanks
>> Hugo
>>
>> 2017-12-06 16:21 GMT-03:00 Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>:
>>> On 12/06/2017 12:06 PM, Hugo Saavedra wrote:
>>>> 2017/12/06 16:02:37 kid1| Error negotiating SSL connection on FD 61:
>>>> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>>>> (1/0)
>>> You may be able to fix this problem by updating your collection of
>>> public CA certificates. Squid uses CA certificates to validate
>>> certificates presented by origin servers. You may be able to confirm
>>> that your collection is stale and know more (e.g., which CA certificate
>>> is unknown) if you can map the above error to an access.log entry that
>>> would give you the origin server name to interrogate.
>>>
>>> Similar reasoning applies to other SSL-related cache.log errors as well,
>>> but troubleshooting them may require more effort (e.g., starting with
>>> higher debugging levels and/or packet captures).
>>>
>>> Alex.
>>
>>
>> --
>> Saludos,
>> Hugo Saavedra
>
>

-- 
"Some people, when confronted with a problem, think «I know, I'll use regular expressions.» Now they have two problems."
--Jamie Zawinski

**************************
* C++: Bug to the future *
**************************
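
A triage helper for the "Host header forgery detected" alerts quoted in this thread, added here as an example and not part of any message in the thread. It pairs each alert with the "on URL" line that follows it and counts occurrences per client, destination IP, reason and URL; it assumes cache.log records are on one line each (the e-mail wrapped them), and the function name `summarize` is hypothetical.

```python
import re
from collections import Counter

# The alert lines quoted in the message above, unwrapped to one record per line.
SAMPLE_LOG = """\
2017/12/06 19:30:23 kid1| SECURITY ALERT: on URL: login.live.com:443
2017/12/06 19:30:23 kid1| SECURITY ALERT: Host header forgery detected on local=131.253.61.100:443 remote=192.168.10.2:59041 FD 126 flags=33 (local IP does not match any domain IP)
2017/12/06 19:30:23 kid1| SECURITY ALERT: on URL: login.live.com:443
2017/12/06 19:30:37 kid1| SECURITY ALERT: Host header forgery detected on local=131.253.61.100:443 remote=192.168.10.2:59042 FD 106 flags=33 (local IP does not match any domain IP)
2017/12/06 19:30:37 kid1| SECURITY ALERT: on URL: login.live.com:443
2017/12/06 19:30:37 kid1| SECURITY ALERT: Host header forgery detected on local=131.253.61.100:443 remote=192.168.10.2:59043 FD 107 flags=33 (local IP does not match any domain IP)
2017/12/06 19:30:37 kid1| SECURITY ALERT: on URL: login.live.com:443
"""

# local= is the address the client was connecting to, remote= is the client.
ALERT = re.compile(
    r"SECURITY ALERT: Host header forgery detected on "
    r"local=(?P<dst>\S+):\d+ remote=(?P<client>\S+):\d+ "
    r".*?\((?P<reason>[^)]*)\)")
URL = re.compile(r"SECURITY ALERT: on URL: (?P<url>\S+)")

def summarize(log_text):
    """Count alerts keyed by (client, destination IP, reason, URL)."""
    counts = Counter()
    pending = None  # alert still waiting for its "on URL" line
    for line in log_text.splitlines():
        alert = ALERT.search(line)
        if alert:
            if pending:  # previous alert never got its URL line
                counts[pending + ("(unknown)",)] += 1
            pending = (alert["client"], alert["dst"], alert["reason"])
            continue
        url = URL.search(line)
        if url and pending:  # a URL line with no alert before it is ignored
            counts[pending + (url["url"],)] += 1
            pending = None
    if pending:
        counts[pending + ("(unknown)",)] += 1
    return counts

if __name__ == "__main__":
    for (client, dst, reason, url), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  client={client}  dst={dst}  url={url}  ({reason})")
```

A single client and destination dominating the output, as here, is the cue to compare that destination IP with what the proxy's own resolver returns for the host name.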


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
