[squid-users] squidguard ssl redirect

From: martin perner <martin.perner_at_googlemail.com>
Date: Wed, 03 Sep 2008 17:58:55 +0200

Hi,

I'm running a squid 2.7.STABLE3 on a SLES10 as a normal proxy.

For content-filtering we are using squidguard which redirects a user to
a special page if he hits a blocked page.

If the redirect goes to an http page, everything works as expected.

But if the redirect goes to an https page, the user gets an error page
saying that the connection failed and the system returned '(71) Protocol
error'. In the cache.log an error is printed (attached).

A deny_info to the https page works without any problem.

When I add 'sslproxy_flags DONT_VERIFY_PEER' to the squid.conf, the
error disappears.

The question is now: is the sslproxy_flags method opening any holes in
the setup, or is there another way of solving this problem?

Thanks in advance

part of the cache.log (cut the detail about the certificate):

2008/09/03 17:50:05| SSL unknown certificate error 20 in (cert)
2008/09/03 17:50:05| fwdNegotiateSSL: Error negotiating SSL connection on FD 48: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2008/09/03 17:50:05| SSL unknown certificate error 20 in (cert)
2008/09/03 17:50:05| fwdNegotiateSSL: Error negotiating SSL connection on FD 48: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2008/09/03 17:50:05| SSL unknown certificate error 20 in (cert)
2008/09/03 17:50:05| fwdNegotiateSSL: Error negotiating SSL connection on FD 48: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
Received on Wed Sep 03 2008 - 15:59:05 MDT
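As an added illustration that is not part of the original post, of squid's documentation or of squidGuard's: three ways the situation above can be handled, with the weak setting from the post beside two that keep certificate verification switched on. The CA file path and the block-page URL are placeholders, not values from the post.

```conf
# squid.conf excerpts (added example, not from the original post)

# (a) The workaround from the post: stop verifying the server
# certificate for every https:// URL squid fetches on a client's
# behalf, not only the block page. A man-in-the-middle between squid
# and any proxied https:// origin would then go unnoticed.
#sslproxy_flags DONT_VERIFY_PEER

# (b) Keep verification on and give squid the issuer of the block
# page's certificate. OpenSSL certificate error 20 in cache.log
# means the issuer CA is missing from squid's trust store.
# The path is a placeholder: put the CA chain that signed the block
# page's certificate there (PEM).
sslproxy_cafile /etc/squid/blockpage-ca.pem
# ... or a c_rehash'ed directory of CA certificates instead:
#sslproxy_capath /etc/ssl/certs

# (c) Alternatively, do not let squid fetch the https page at all:
# squid 2.6+ redirectors may prefix the returned URL with 302: so
# that squid answers the client with an HTTP redirect. The squidGuard
# side of that (placeholder host) would be:
#   redirect 302:https://blockpage.example.com/blocked.html
```

OpenSSL's certificate error 20 is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ("unable to get local issuer certificate"): squid could not find the issuer of the block page's certificate among its trusted CAs. DONT_VERIFY_PEER makes the log entry disappear by turning that check off for every https:// URL squid proxies, so a forged certificate on any of them would be accepted; sslproxy_cafile or sslproxy_capath fixes only the missing trust anchor and keeps the check. The 302: prefix sidesteps the question the same way deny_info does: the browser, not squid, opens the TLS connection to the block page and performs its own verification.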
