Hello List,
I've finally got a squid3 (squid3.4-4, compiled from sources on Debian) with SSL interception solution working quite decently.
Now, trying to make it work better, I found some entries in the cache.log file, like these:
2014/07/28 16:07:15 kid1| fwdNegotiateSSL: Error negotiating SSL connection on FD 683: error:14092105:SSL routines:SSL3_GET_SERVER_HELLO:wrong cipher returned (1/-1/0)
2014/07/28 16:07:15 kid1| fwdNegotiateSSL: Error negotiating SSL connection on FD 160: error:14092105:SSL routines:SSL3_GET_SERVER_HELLO:wrong cipher returned (1/-1/0)
2014/07/28 16:07:37 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 117: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2014/07/28 16:07:40 kid1| UPGRADE WARNING: URL rewriter reponded with garbage ' 10.10.25.74/- - GET'. Future Squid will treat this as part of the URL.
2014/07/28 16:07:52 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 922: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2014/07/28 16:08:55 kid1| UPGRADE WARNING: URL rewriter reponded with garbage ' 10.10.25.75/- - GET'. Future Squid will treat this as part of the URL.
I've been looking for solutions to this with no luck.
So, these are my questions:
1) is it possible to check or view an FD's content in order to troubleshoot this?
2) could you please shed some light on how to solve this?
3) how do I apply a patch to upgrade my actual squid solution?
Thank you!
Ikna
The SSL part of squid.conf:
http_port 3129
http_port 3128 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=512MB cert=/etc/squid3/certs/ssl/public2.pem key=/etc/squid3/certs/ssl/private.pem options=NO_SSLv2,NO_SSLv3 capath=/etc/ssl/certs
acl SSL_whitelist dstdomain "/etc/squid3/acl/ssl_whitelist.acl"
acl SSL_whitelist_ip dst "/etc/squid3/acl/ssl_whitelist_ip.acl"
ssl_bump none localhost
ssl_bump none SSL_whitelist
ssl_bump none SSL_whitelist_ip
ssl_bump server-first all
sslproxy_capath /etc/ssl/certs
sslproxy_options NO_SSLv2,NO_SSLv3
sslproxy_cert_error allow all
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /usr/lib/ssl_db -M 200MB
sslcrtd_children 40
Received on Mon Jul 28 2014 - 20:21:42 MDT
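Added example (not part of the original post and not Squid's own code): a small Python script that parses cache.log lines of the kind quoted above, separates the client-facing leg (clientNegotiateSSL) from the origin-facing leg (fwdNegotiateSSL) and tallies the OpenSSL reason strings, so the two kinds of failure are not conflated before any single FD is chased. The sample log text is constructed from the lines in the post; the hint strings are general OpenSSL meanings, not Squid output.

```python
import re
from collections import Counter

# Constructed sample, copied from the cache.log lines quoted in the post.
SAMPLE_LOG = """\
2014/07/28 16:07:15 kid1| fwdNegotiateSSL: Error negotiating SSL connection on FD 683: error:14092105:SSL routines:SSL3_GET_SERVER_HELLO:wrong cipher returned (1/-1/0)
2014/07/28 16:07:37 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 117: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2014/07/28 16:07:40 kid1| UPGRADE WARNING: URL rewriter reponded with garbage ' 10.10.25.74/- - GET'. Future Squid will treat this as part of the URL.
2014/07/28 16:07:52 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 922: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
"""

# One Squid SSL negotiation error line: timestamp, worker, logging function,
# file descriptor, then the OpenSSL error string (code:library:function:reason).
SSL_ERR = re.compile(
    r"^(?P<ts>\S+ \S+) kid(?P<kid>\d+)\| (?P<func>\w+): Error negotiating SSL "
    r"connection on FD (?P<fd>\d+): error:(?P<code>[0-9a-fA-F]+):SSL routines:"
    r"(?P<where>\w+):(?P<reason>[^(]+?) \("
)

# Which TLS leg the error belongs to, keyed by the Squid function that logged it.
SIDE = {"clientNegotiateSSL": "client<->squid", "fwdNegotiateSSL": "squid<->origin"}

# General OpenSSL meaning of the reasons seen in the post (assumption: plain
# OpenSSL semantics, not a Squid-specific diagnosis).
HINTS = {
    "tlsv1 alert unknown ca": "peer sent an alert rejecting the certificate chain we presented",
    "wrong cipher returned": "peer's ServerHello chose a cipher we did not offer",
}

def parse_ssl_errors(text):
    """Return one dict per SSL negotiation error line; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = SSL_ERR.match(line)
        if m:
            d = m.groupdict()
            d["fd"] = int(d["fd"])
            d["side"] = SIDE.get(d["func"], "unknown")
            d["hint"] = HINTS.get(d["reason"], "")
            out.append(d)
    return out

def summarize(errors):
    """Count errors by (side, reason) so client-leg and origin-leg failures stay apart."""
    return Counter((e["side"], e["reason"]) for e in errors)

if __name__ == "__main__":
    for (side, reason), n in summarize(parse_ssl_errors(SAMPLE_LOG)).items():
        print(f"{n:4d}  {side:15s}  {reason}  [{HINTS.get(reason, '')}]")
```

Run it as `python3 squid_ssl_errors.py < /dev/null` after replacing SAMPLE_LOG with the contents of your cache.log to get the same breakdown for the live file.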