
Re: FW: Encrypted browser-Squid connection errors


 



On 10/14/22 10:32, LEMRAZZEQ, Wadie wrote:
> I tried to implement this on a dockerized Alpine, and a squid 5.5 with openssl module

FWIW, Squid v5.5 is unusable in many environments -- too many bugs. Use v5.7 or later. I do not know whether one of those bugs is responsible for the specific problem you are discussing though.


> in squid.conf, I have:
>
> ...
>
> http_port 3128
>
> https_port 3129 cert=/etc/squid/crt.pem key=/etc/squid/key.pem

OK.


> but when I request squid https port, I got this error every time, in cache.log:

_How_ do you "request squid https port"?


> ERROR: failure while accepting a TLS connection on conn77 local=172.17.0.2:3129 remote=172.17.0.1:56608 FD 12 flags=1:
> connection: conn77 local=172.17.0.2:3129 remote=172.17.0.1:56608 FD 12 flags=1
>
> Error.cc(22) update: recent: ERR_SECURE_ACCEPT_FAIL/SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=1408F09B+TLS_IO_ERR=1

According to "openssl errstr", that OpenSSL error is:

    error:1408F09B:SSL routines:ssl3_get_record:https proxy request


Most likely, the client is sending a plain text CONNECT request before encrypting the TLS connection to the HTTPS proxy. In other words, the client thinks it is talking to an HTTP proxy while you want it to think that it is talking to an HTTPS proxy. For example,

* HTTP proxy:  curl -x http://172.17.0.2:3128/ ... https://example.com
* HTTPS proxy: curl -x https://172.17.0.2:3129/ ... https://example.com


HTH,

Alex.




> ...
>
> I also tried this with squid 4.10 with gnutls module, in an Ubuntu 20.40 environment, with the same squid.conf, and I got again a TLS error
>
> ...
>
> client_side.cc(2597) tlsAttemptHandshake: Error negotiating TLS on local=x.x.x.x:3129 remote=x.x.x.x:50874 FD 11 flags=1: Aborted by client: An unexpected TLS packet was received.
>
> ...
>
> For certificates, I used a self-signed one and a generated certificate signed by our CA, for both scenarios
>
> Also, I tried multiple https_port options (disabling some SSL implementations, manipulating client certificates...) but without success
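The following Python script is an added example and is not code from this thread, from Squid, or from OpenSSL. It shows the two things Alex's diagnosis rests on: what a TLS listener sees in the first five bytes when a client sends a plaintext CONNECT (the `curl -x http://...:3129` case) versus a real ClientHello (the `curl -x https://...:3129` case), and how the hex value in Squid's `TLS_LIB_ERR=1408F09B` decodes to `SSL routines:ssl3_get_record:https proxy request`. The classifier is a simplified model of the check in OpenSSL's `ssl3_get_record`, not OpenSSL's code; the error-packing layout and the three numeric ids are OpenSSL 1.x values (OpenSSL 3.x no longer packs a function id, so `openssl errstr` output differs there); the sample CONNECT request, ClientHello bytes and cache.log line are constructed, and the function names (`classify_first_record`, `explain_squid_tls_error`, `https_proxy_connect`) are this example's own.

```python
import re
import socket
import ssl
import struct

# OpenSSL 1.x packs a pushed error as (lib << 24) | (func << 12) | reason.
# Only the ids needed to read the page's 1408F09B code (plus its two
# siblings from the same check) are listed; anything else is shown numerically.
OPENSSL_LIBS = {20: "SSL routines"}           # ERR_LIB_SSL
OPENSSL_FUNCS = {143: "ssl3_get_record"}      # SSL_F_SSL3_GET_RECORD
OPENSSL_REASONS = {
    155: "https proxy request",   # SSL_R_HTTPS_PROXY_REQUEST
    156: "http request",          # SSL_R_HTTP_REQUEST
    267: "wrong version number",  # SSL_R_WRONG_VERSION_NUMBER
}


def unpack_openssl_error(code):
    """Split a packed OpenSSL 1.x error code into (lib, func, reason) ids."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def explain_squid_tls_error(log_line):
    """Pull TLS_LIB_ERR=<hex> out of a Squid cache.log line and name its parts,
    the way `openssl errstr <hex>` does on an OpenSSL 1.x build."""
    m = re.search(r"TLS_LIB_ERR=([0-9A-Fa-f]+)", log_line)
    if not m:
        return None
    lib, func, reason = unpack_openssl_error(int(m.group(1), 16))
    return {
        "lib": OPENSSL_LIBS.get(lib, "lib(%d)" % lib),
        "func": OPENSSL_FUNCS.get(func, "func(%d)" % func),
        "reason": OPENSSL_REASONS.get(reason, "reason(%d)" % reason),
    }


SSL3_VERSION_MAJOR = 0x03


def classify_first_record(data):
    """Simplified model (not OpenSSL's code) of the check ssl3_get_record makes on
    the first five bytes of a fresh connection: a TLS record header carries
    protocol version major 0x03; anything else is sniffed for the ASCII start of
    an HTTP request so the server can report a more useful reason than
    'wrong version number'."""
    if len(data) < 5:
        return "short read"
    _content_type, version = struct.unpack("!BH", data[:3])
    if (version >> 8) == SSL3_VERSION_MAJOR:
        return "tls record"
    head = data[:5]
    if head.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ")):
        return "http request"
    if head == b"CONNE":
        return "https proxy request"
    return "wrong version number"


def build_connect_request(host, port):
    """Plaintext CONNECT request. On an HTTPS proxy it must travel inside TLS."""
    h = host.encode()
    return b"CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n" % (h, port, h, port)


def https_proxy_connect(proxy_host, proxy_port, target_host, target_port, cafile=None):
    """Client side that an https_port expects (the `curl -x https://` case):
    complete the TLS handshake with the proxy first, then send CONNECT inside
    it. Sending CONNECT on the raw socket before wrap_socket() is exactly what
    yields 1408F09B on the proxy. Needs a live proxy, so it is not run offline."""
    ctx = ssl.create_default_context(cafile=cafile)
    raw = socket.create_connection((proxy_host, proxy_port))
    tls = ctx.wrap_socket(raw, server_hostname=proxy_host)
    tls.sendall(build_connect_request(target_host, target_port))
    status_line = tls.recv(4096).split(b"\r\n", 1)[0]
    return tls, status_line


# Constructed inputs (not captured traffic), as seen from the proxy's https_port.
PLAINTEXT_CONNECT = build_connect_request("example.com", 443)       # curl -x http://...:3129
CLIENT_HELLO_HEAD = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"  # curl -x https://...:3129
# Constructed line in the format of the cache.log entry quoted above.
SQUID_LOG_LINE = ("Error.cc(22) update: recent: ERR_SECURE_ACCEPT_FAIL/"
                  "SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=1408F09B+TLS_IO_ERR=1")

if __name__ == "__main__":
    print(classify_first_record(PLAINTEXT_CONNECT))   # https proxy request
    print(classify_first_record(CLIENT_HELLO_HEAD))   # tls record
    print(explain_squid_tls_error(SQUID_LOG_LINE))
```

The GnuTLS message quoted above ("An unexpected TLS packet was received") is the same condition reported by a library that does not sniff for HTTP: the first bytes did not parse as a TLS record. Either way the fix is on the client, not in `https_port` options or the certificate.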

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users


