Re: SSL3_GET_SERVER_CERTIFICATE failed

Yuri <yvoinov@xxxxxxxxx> · Mon, 11 Dec 2017 17:59:22 +0600



    In practice POST url always better to get splice. This prevents
      much errors.

    
    SSL3_GET_SERVER_CERTIFICATE itself means that some client
      application trying to establish secure connection uses old SSLv3
      protocol. This applications also better to splice, if not possible
      to upgrade applications (often it is not possible).

    
    11.12.2017 7:06, G~D~Lunatic пишет:

    
             my squid is a transparent
              proxy. 

              when i use WeChat client upload file or picture, it
              failed.

              the access.log shows that

              1512953345.798     75 192.168.51.15 TAG_NONE/200 0 CONNECT
              111.206.23.97:443 - ORIGINAL_DST/111.206.23.97 -

              1512953345.805      0 192.168.51.15 TAG_NONE/503 4380 POST
              https://msg.71.am/v5/ypt/hcdn_multicurl - HIER_NONE/-
              text/html

              1512953349.713     10 192.168.51.15 TAG_NONE/200 0 CONNECT
              101.226.152.108:443 - HIER_NONE/- -

              1512953350.931     10 192.168.51.15 TAG_NONE/200 0 CONNECT
              123.151.76.49:443 - HIER_NONE/- -

              1512953354.059     11 192.168.51.15 TAG_NONE/200 0 CONNECT
              123.151.76.49:443 - HIER_NONE/- -

              
              i used wireshark catch the package, Encrypted Alert was
              shown.

              i want to know where the problem or how i can do.

              Here is my configure

              
              https_port 192.168.51.200:3129 intercept ssl-bump
              connection-auth=off generate-host-certificates=on
              dynamic_cert_mem_cache_size=4MB
              cert=/usr/local/squid/ssl_cert/myCA.pem
              key=/usr/local/squid/ssl_cert/myCA.pem
              options=NO_SSLv3,NO_SSLv2

              
              acl broken_sites ssl::server_name matchweb.sports.qq.com

              acl ssl_step1 at_step SslBump1

              acl ssl_step2 at_step SslBump2

              acl ssl_step3 at_step SslBump3

              ssl_bump splice broken_sites

              #ssl_bump splice all

              ssl_bump stare ssl_step1

              ssl_bump bump ssl_step2

              ssl_bump terminate ssl_step3

              
      _______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

    
    -- 
"Some people, when confronted with a problem, think «I know, I'll use regular expressions.» Now they have two problems."
--Jamie Zawinsk

**************************
* C++: Bug to the future *
**************************
  

Attachment:
signature.asc

Description: OpenPGP digital signature
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users