Re: [squid-users] Re: SSLBump, help to configure for 3.1.0.16

From: Andres Salazar <ndrsslzr80_at_gmail.com>
Date: Mon, 22 Feb 2010 16:32:24 -0600

Thank you guys.

I am now bumping the SSL CONNECT requests.

The only problem is that I am getting various errors like this in the cache.log.

2010/02/22 17:27:40| clientNegotiateSSL: Error negotiating SSL
connection on FD 8: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca (1/0)
2010/02/22 17:27:40| clientNegotiateSSL: Error negotiating SSL
connection on FD 8: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca (1/0)

What is the best way so that squid recognizes this as a known CA?

Thanks

Andres

On Mon, Feb 22, 2010 at 3:59 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On Mon, 22 Feb 2010 15:48:57 -0600, Andres Salazar <ndrsslzr80_at_gmail.com>
> wrote:
>> Just confirming. You are telling me that I cannot configure a browser
>> with a proxy while at the same time squid is configured to SSLBump the
>> https requests?
>>
>> Please confirm.. without proper docs this can get confusing. Thanks.
>>
>> Andres
>
> Yes AND no.
>
>  *https_port*  (note the 's') cannot be bumped and configured.
>
>  *http_port*   (note the lack of 's') MUST be configured to be bumped.
>
>
> Amos
>
>>
>> On Thu, Feb 18, 2010 at 2:38 AM, Henrik Nordstrom
>> <henrik_at_henriknordstrom.net> wrote:
>>> ons 2010-02-17 klockan 22:40 -0700 skrev Alex Rousskov:
>>>> On 02/16/2010 12:54 PM, Andres Salazar wrote:
>>>> > Hello,
>>>> >
>>>> > I am still having issues with SSLBump .. apparently I am now getting
>>>> > this error when I visit an https site with my browser explicitly
>>>> > configured to use the https_port.
>>>> >
>>>> > 2010/02/16 14:31:14| clientNegotiateSSL: Error negotiating SSL
>>>> > connection on FD 8: error:1407609B:SSL
>>>> > routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)
>>>
>>> This error is seen if a browser is configured to use a Squid https_port
>>> as HTTP proxy port for secure (SSL/TLS) connections. To be exact it's
>>> from the OpenSSL library where the library barfs at receiving an HTTP
>>> CONNECT request where an SSL/TLS handshake was expected.
>>>
>>> For explicit proxy configuration the browser must be configured to use a
>>> Squid http_port.
>>>
>>> Regards
>>> Henrik
>>>
>>>
>
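As an added example (not code from this thread or from Squid itself), here is a small Python parser for the wrapped clientNegotiateSSL entries quoted above: it re-joins the wrapped lines, pulls apart the OpenSSL error fields and attaches a diagnosis for the two reasons seen in this thread. The log sample is constructed from the quoted lines plus one unrelated entry as a control.

```python
import re

# Constructed sample of cache.log entries as quoted in the thread (wrapped over three lines).
SAMPLE_LOG = """\
2010/02/22 17:27:40| clientNegotiateSSL: Error negotiating SSL
connection on FD 8: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca (1/0)
2010/02/16 14:31:14| clientNegotiateSSL: Error negotiating SSL
connection on FD 8: error:1407609B:SSL
routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)
2010/02/22 17:28:01| some unrelated cache.log entry (constructed)
"""

TIMESTAMP = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\| ")
SSL_ERR = re.compile(
    r"clientNegotiateSSL: Error negotiating SSL connection on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]{8}):SSL routines:(?P<func>\w+):"
    r"(?P<reason>[^(]+?) \((?P<pair>-?\d+/-?\d+)\)")

# clientNegotiateSSL is Squid's server-side handshake with the browser, so the
# alert and the stray CONNECT both come from the client, not the upstream site.
DIAGNOSIS = {
    "tlsv1 alert unknown ca": "browser rejected Squid's generated certificate: "
        "it does not trust the CA that signs the bump certificates",
    "https proxy request": "browser sent a plain HTTP CONNECT to an https_port "
        "that expected a TLS handshake; use an http_port for explicit proxying",
}

def unwrap(log_text):
    """Re-join entries split across lines: only timestamped lines start one."""
    entries = []
    for line in log_text.splitlines():
        if TIMESTAMP.match(line) or not entries:
            entries.append(line.rstrip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def classify(log_text):
    """One dict per clientNegotiateSSL failure; other entries are skipped."""
    findings = []
    for entry in unwrap(log_text):
        m = SSL_ERR.search(entry)
        if not m:
            continue
        reason = m["reason"].strip()
        findings.append({"time": entry[:19], "fd": int(m["fd"]),
                         "code": m["code"].upper(), "function": m["func"],
                         "reason": reason, "diagnosis": DIAGNOSIS.get(reason, "unrecognised failure")})
    return findings
```

Running `classify(SAMPLE_LOG)` yields two findings; the "unknown ca" one shows the alert is sent by the browser, so the fix is for the browser to trust the signing CA rather than for Squid to recognise anything.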
Received on Mon Feb 22 2010 - 22:32:38 MST

This archive was generated by hypermail 2.2.0 : Tue Feb 23 2010 - 12:00:06 MST