Re: [squid-users] 3.1.15 squid report ERR_SECURE_CONNECT_FAIL on peer with self-signed cert

From: 叶雨飞 <sunyucong_at_gmail.com>
Date: Fri, 2 Mar 2012 17:14:14 -0800

On Fri, Mar 2, 2012 at 5:03 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 3/03/2012 7:57 a.m., Yucong Sun (叶雨飞) wrote:
>>
>> Hi,
>>
>> I've been trying to use an SSL connection to a parent squid proxy, and
>> the child squid always fails even though I specifically asked it to stop
>> verifying stuff
>
>
> The child verifying the parent? or the parent verifying the child?
> SSL is designed not to allow problems to go unseen, so validation happens at
> both ends. You can only control what Squid (child) verifies from squid.conf.

It looks like the child is verifying the parent, because the server side is a
stunnel and we have other clients talking to it without issue.

>
>
>>
>> here's the relevant config on child
>>
>> sslproxy_cert_error allow all
>
> This makes Squid completely ignore all server errors when negotiating TLS.
> You should not need it unless the server certificate is malformed.
>
>> sslproxy_flags DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN
>
>
> These are for controlling the DIRECT access TLS connections.

Yeah, these should not be needed, but I am so desperate that I included them here.

>
>
>> cache_peer x.x.x.x parent 8443 0 no-digest no-query default ssl
>> sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN,NO_DEFAULT_CA
>> sslcert=ssl.pem sslkey=ssl.key
>
>
> This is what is affecting the peer.
>
> If we assume your ssl.pem and ssl.key are valid, it could still be the peer
> rejecting them.

It doesn't work without the cert/key either.

>
>
>>
>> and this appears in the cache.log
>>
>> 2012/03/03 02:50:51| fwdNegotiateSSL: Error negotiating SSL connection
>> on FD 11: error:00000000:lib(0):func(0):reason(0) (5/-1/104)
>>
>> I've verified the parent side works fine; in fact, the server side has
>> been implemented using stunnel and it works fine if I set up stunnel
>> locally and tunnel squid through it.
>
>
> Same ssl.pem/ssl.key certificates used by that test stunnel and this Squid?

Yes, the server is not verifying the client cert/key either.

>
> Second question is whether you need ssl.pem/ssl.key at all?
> SSL auto-generates random client certificates as needed if you only specify
> the "ssl" option to cache_peer.
>  It is common to only specify cache_peer options "ssl
> sslflags=DONT_VERIFY_PEER "  to have an auto-generated client certificate,
> and ignore self-signed certificates from the peer.

That's what I originally thought, but it actually doesn't parse if I
don't have those two there.

So it looks like something is missing in the ssl part that causes it to
still try to verify the server cert. I switched the parent to a valid cert
and it all starts to work; how can I trace this?

Cheers.

>
> Amos
Received on Sat Mar 03 2012 - 01:14:44 MST
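An added note and example, not part of this thread: Squid's fwdNegotiateSSL message prints (ssl_error/ret/errno), where 5 is OpenSSL's SSL_ERROR_SYSCALL and errno 104 is ECONNRESET on Linux, so the log line quoted above reads as the parent dropping the connection during the handshake rather than the child rejecting a certificate. The squid.conf fragment below contrasts the thread's verification-disabling cache_peer line with one that pins the parent's self-signed certificate as the only trusted CA and raises SSL debugging to trace the handshake; the hostname and file paths are assumed placeholders.

```conf
# Added example, not from the thread. parent.example.net and the file
# paths are placeholders; the CA file is the parent's own self-signed
# certificate copied to the child.

# Weak: verification of the parent is switched off entirely, so any
# certificate presented on port 8443 is accepted (this is the thread's setup).
cache_peer parent.example.net parent 8443 0 no-digest no-query default ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN,NO_DEFAULT_CA

# Corrected: trust only the parent's self-signed certificate and check that
# the name in it matches. NO_DEFAULT_CA keeps the system CA bundle out of
# the trust set, so only sslcafile can validate the parent.
cache_peer parent.example.net parent 8443 0 no-digest no-query default ssl sslcafile=/etc/squid/parent-ca.pem ssldomain=parent.example.net sslflags=NO_DEFAULT_CA

# Tracing the handshake: section 83 is Squid's SSL debug section, so this
# logs the negotiation steps to cache.log while keeping everything else quiet.
debug_options ALL,1 83,5
```

Verify the pinned trust anchor on the child before reloading: `openssl verify -CAfile /etc/squid/parent-ca.pem /etc/squid/parent-ca.pem` must report OK for a self-signed certificate.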
