On 27/11/19 11:56 am, robert k Wild wrote:
> Hi Alex,
>
> I have done some more troubleshooting and my external proxy is good; I
> get no errors, and I have got one of my DMZ hosts connected to it and I
> can browse the web, but my internal proxy can't contact my external
> proxy. This is the error when I run it:
>
> 2019/11/26 22:53:28| Error parsing SSL Server Hello Message on FD 15
> 2019/11/26 22:53:28| ERROR: negotiating TLS on FD 15: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO: unknown protocol (1/-1/0)
> 2019/11/26 22:53:28| TCP connection to 172.16.55.21/3128 failed
> 2019/11/26 22:53:28| Detected DEAD Parent: 172.16.55.21
> 2019/11/26 22:53:28| Error negotiating SSL connection on FD 13: error:00000001:lib(0):func(0):reason(1) ( 1/0)
>
> This is my config on my internal proxy:
>
> #
> # Recommended minimum configuration:
> #
>
> #SSL
> http_port 3128 ssl-bump \
>   cert=/etc/squid/ssl_cert/myCA.pem \
>   generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all
> ...
> #squid proxy in DMZ on internet
> cache_peer 172.16.55.21 parent 3128 0 default ...
> never_direct allow all

So, all traffic MUST use the cache_peer, which cannot handle TLS input.

You need to either configure TLS/SSL in the peer and set the cache_peer
line appropriately for that, so this proxy can re-encrypt traffic going
there, OR upgrade to Squid-5, which has the ability to re-encrypt and
send to a regular peer proxy.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
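An added example, not from this thread or from the Squid project, of what the first option Amos describes (TLS to the peer) looks like in Squid 4 syntax, which is the generation the posted config belongs to (security_file_certgen, cert= on http_port). The certificate and key paths for the DMZ proxy, the CA file that signed its certificate, and the name proxy-dmz.example.internal are all assumptions; the existing config used 172.16.55.21 and never_direct as posted.

```conf
# --- DMZ (external) proxy, 172.16.55.21: accept TLS from the internal proxy ---
# Assumed: the DMZ proxy has its own server certificate and key, issued by a
# private CA that the internal proxy is told to trust. Paths are hypothetical.
https_port 3128 \
    tls-cert=/etc/squid/ssl_cert/proxy-dmz.crt \
    tls-key=/etc/squid/ssl_cert/proxy-dmz.key

# --- Internal proxy: replace the plain "cache_peer ... default ..." line ---
# "tls" makes Squid wrap every connection to this parent in TLS, so the
# bumped traffic is re-encrypted on the way to the peer instead of arriving
# at a listener that only speaks plain HTTP (the "unknown protocol" error
# above is what a TLS client reports when the server answers in cleartext).
# tls-cafile: CA that issued the DMZ proxy's certificate (assumed path).
# tls-domain: the name in the peer's certificate; needed here because the
#             peer is addressed by IP (assumed name).
cache_peer 172.16.55.21 parent 3128 0 default \
    tls \
    tls-cafile=/etc/squid/ssl_cert/dmz-proxy-ca.pem \
    tls-domain=proxy-dmz.example.internal
never_direct allow all
```

Before reloading the internal proxy, confirm the DMZ side really answers TLS on 3128, for example with `openssl s_client -connect 172.16.55.21:3128 -servername proxy-dmz.example.internal` from the internal host: a cleartext HTTP reply in that output is the same "unknown protocol" failure the log shows. Keep certificate verification on (tls-cafile and tls-domain) rather than suppressing it with tls-flags=DONT_VERIFY_PEER; the internal proxy is forwarding every client's decrypted traffic over this hop, so the peer's identity is worth checking. Squid 3.5 spells these options ssl, sslcafile= and ssldomain=; the Squid 5 option Amos mentions needs no listener change on the DMZ side.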