[squid-users] SSL issues

From: Ikna Nou <iknano_at_outlook.com>
Date: Mon, 28 Jul 2014 16:21:35 -0400

Hello List,

I've finally got a squid3 (squid3.4-4, compiled from sources on Debian) with SSL interception solution working quite decently. Now, trying to make it to work better, I found some entries in the cache.log file, like these:

2014/07/28 16:07:15 kid1| fwdNegotiateSSL: Error negotiating SSL connection on FD 683: error:14092105:SSL routines:SSL3_GET_SERVER_HELLO:wrong cipher returned (1/-1/0)
2014/07/28 16:07:15 kid1| fwdNegotiateSSL: Error negotiating SSL connection on FD 160: error:14092105:SSL routines:SSL3_GET_SERVER_HELLO:wrong cipher returned (1/-1/0)
2014/07/28 16:07:37 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 117: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2014/07/28 16:07:40 kid1| UPGRADE WARNING: URL rewriter reponded with garbage ' 10.10.25.74/- - GET'. Future Squid will treat this as part of the URL.
2014/07/28 16:07:52 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 922: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2014/07/28 16:08:55 kid1| UPGRADE WARNING: URL rewriter reponded with garbage ' 10.10.25.75/- - GET'. Future Squid will treat this as part of the URL.

I've been looking for solutions to this with no luck. So, these are my questions:

1) Is it possible to check or view an FD's content in order to troubleshoot this?
2) Could you please shed some light on how to solve this?
3) How do I apply a patch to upgrade my actual squid solution?

Thank you!

Ikna

The SSL part of squid.conf:

http_port 3129
http_port 3128 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=512MB cert=/etc/squid3/certs/ssl/public2.pem key=/etc/squid3/certs/ssl/private.pem options=NO_SSLv2,NO_SSLv3 capath=/etc/ssl/certs
acl SSL_whitelist dstdomain "/etc/squid3/acl/ssl_whitelist.acl"
acl SSL_whitelist_ip dst "/etc/squid3/acl/ssl_whitelist_ip.acl"
ssl_bump none localhost
ssl_bump none SSL_whitelist
ssl_bump none SSL_whitelist_ip
ssl_bump server-first all
sslproxy_capath /etc/ssl/certs
sslproxy_options NO_SSLv2,NO_SSLv3
sslproxy_cert_error allow all
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /usr/lib/ssl_db -M 200MB
sslcrtd_children 40
Received on Mon Jul 28 2014 - 20:21:42 MDT
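Added example, not part of the post or of Squid itself: a small Python parser for the cache.log lines quoted above. It splits the negotiation errors by leg (fwdNegotiateSSL is Squid's own connection to the origin server, clientNegotiateSSL is the browser's connection to Squid's generated certificate), which is the first triage step before touching squid.conf. The sample lines are constructed from the ones in the post.

```python
import re
from collections import Counter

# Constructed sample: one line of each kind seen in the post's cache.log excerpt.
SAMPLE_LOG = """\
2014/07/28 16:07:15 kid1| fwdNegotiateSSL: Error negotiating SSL connection on FD 683: error:14092105:SSL routines:SSL3_GET_SERVER_HELLO:wrong cipher returned (1/-1/0)
2014/07/28 16:07:37 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 117: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2014/07/28 16:07:40 kid1| UPGRADE WARNING: URL rewriter reponded with garbage ' 10.10.25.74/- - GET'. Future Squid will treat this as part of the URL.
2014/07/28 16:07:52 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 922: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
"""

# Squid prefix (timestamp, kid, function, FD) followed by an OpenSSL error string:
# error:<hex code>:<library>:<ssl function>:<reason> (...)
SSL_ERR = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<kid>kid\d+)\| (?P<func>\w+): Error negotiating SSL connection "
    r"on FD (?P<fd>\d+): error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]+):"
    r"(?P<ssl_func>[^:]+):(?P<reason>[^(]+?) \("
)

# Usual meaning of the two reasons in the post (interpretation, not Squid documentation):
# - "tlsv1 alert unknown ca" on the client leg: the peer (browser) sent an unknown_ca alert,
#   i.e. it does not trust the CA that signed the certificate Squid generated.
# - "wrong cipher returned" on the server leg: the origin server's ServerHello picked a
#   cipher Squid did not offer; a negotiation problem, not a trust problem.
HINTS = {
    ("client", "tlsv1 alert unknown ca"): "browser does not trust the bumping CA",
    ("server", "wrong cipher returned"): "origin server cipher negotiation failed",
}


def parse_ssl_errors(text):
    """Return one dict per fwdNegotiateSSL/clientNegotiateSSL error line; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = SSL_ERR.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["fd"] = int(d["fd"])
        d["side"] = "server" if d["func"] == "fwdNegotiateSSL" else "client"
        d["hint"] = HINTS.get((d["side"], d["reason"]), "unclassified")
        out.append(d)
    return out


def summarize(errors):
    """Count (side, reason) pairs so the two failure classes can be triaged separately."""
    return Counter((e["side"], e["reason"]) for e in errors)
```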

This archive was generated by hypermail 2.2.0 : Tue Jul 29 2014 - 12:00:05 MDT