Re: [squid-users] SSL errors with Squid 3.5.27 [SOLVED]

2018-07-02 Thread Julian Perconti
Hi all, Problem solved. With squid 4 openssl 1.1 I realized that WhatsApp uses the following ports: 5223, 5228, 4244, 5242, and 5222 in addition to 443, 80. So I opened those ports on the firewall and everything worked. Also I changed the cipher suite in squid.conf like this: (for the dropbox

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-28 Thread Julian Perconti
Hi all: Finally I migrated everything to debian 9 with openssl 1.1 and squid 4 (june 22/18) release (the last one). Everything seems to go very well. However, the dropbox client logs this error in cache.log: kid1| ERROR: negotiating TLS on FD 35: error:141710F8:SSL routines:tls_process_server_

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-18 Thread Julian Perconti
Googling I found these cfg lines: acl SSLERR ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN sslproxy_cert_error allow SSLERR sslproxy_cert_error deny all The error "certificate verify failed" has disappeared, I refer to this error: routines:CONNECT_CR_

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-18 Thread Matus UHLAR - fantomas
have you tried -servername option for setting SNI extension? On 18.06.18 08:31, Julian Perconti wrote: How can I do this? man s_client:\ -servername name Set the TLS SNI (Server Name Indication) extension in the ClientHello message. -- Matus UHLAR - fantomas, uh

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-18 Thread Julian Perconti
> have you tried -servername option for setting SNI extension? How can I do this? Well, debugging cache.log I found this: 2018/06/18 08:22:08.822 kid1| 83,5| support.cc(300) ssl_verify_cb: Self signed certificate in certificate chain: /CN=courier.push.apple.com/O=Apple Inc./ST=California/C=U

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-14 Thread Matus UHLAR - fantomas
On 13.06.18 18:20, Julian Perconti wrote: Does not show any cert and establishes a connection with TLS 1.2... openssl s_client -connect 31.13.94.54:443 CONNECTED(0003) write:errno=104 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 by

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-14 Thread Amos Jeffries
On 14/06/18 09:20, Julian Perconti wrote: > > # > Here a example: > # > > openssl s_client -connect 31.13.94.54:443 > CONNECTED(0003) > write:errno=104 > --- > no peer certificate available > --- > No client certificate CA names sent > --- > SSL handshake has read 0 bytes and written

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-13 Thread Amos Jeffries
On 13/06/18 07:54, Julian Perconti wrote: >> Interesting. >> >> The main issue was that you configured only params for the Diffie-Hellman (DH >> and DHE) ciphers - no curve name. That meant your specified EEC* ciphers >> were disabled since they require a curve name as well. >> >> Removing this o

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-13 Thread L . P . H . van Belle
ag 12 juni 2018 21:55 > To: squid-users@lists.squid-cache.org > Subject: Re: [squid-users] SSL errors with Squid 3.5.27 > > >Interesting. > > > >The main issue was that you configured only params for the > Diffie-Hellman (DH and DHE) ciphers - no >curve name

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-12 Thread Julian Perconti
>Interesting. > >The main issue was that you configured only params for the Diffie-Hellman (DH >and DHE) ciphers - no >curve name. That meant your specified EEC* ciphers were >disabled since they require a curve name as >well. > >Removing this option completely disables both DH and ECDH cipher type

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-10 Thread Amos Jeffries
On 10/06/18 20:42, Walter H. wrote: > On 10.06.2018 08:49, Amos Jeffries wrote: >> >> Interesting. >> >> The main issue was that you configured only params for the Diffie-Hellman >> (DH and DHE) ciphers - no curve name. That meant your specified EEC* >> ciphers were disabled since they require a curv

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-10 Thread Walter H.
On 10.06.2018 08:49, Amos Jeffries wrote: Interesting. The main issue was that you configured only params for the Diffie-Hellman (DH and DHE) ciphers - no curve name. That meant your specified EEC* ciphers were disabled since they require a curve name as well. Removing this option completely dis

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-09 Thread Amos Jeffries
On 10/06/18 03:46, Julian Perconti wrote: >>> https_port 3130 intercept ssl-bump \ >>> cert=/etc/squid/ssl_cert/squidCA.pem \ >>> key=/etc/squid/ssl_cert/squidCA.pem \ >>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB >>> tls-dh=/etc/squid/ssl_cert/dhparam.pem >> >> These DH

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-09 Thread Julian Perconti
>> https_port 3130 intercept ssl-bump \ >> cert=/etc/squid/ssl_cert/squidCA.pem \ >> key=/etc/squid/ssl_cert/squidCA.pem \ >> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB >> tls-dh=/etc/squid/ssl_cert/dhparam.pem > >These DH parameters are for old DH not for ECDHE (missing c

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-08 Thread Amos Jeffries
On 09/06/18 11:15, Julian Perconti wrote: > Hello community, I am new to the list, and I hope everyone is well. > > I have a squid server running on debian 7. > > My squid version is 3.5.27 manually compiled with LibreSSL 2.6.0 due to > problems with Dropbox. After compiling squid with LibreSSL,

[squid-users] SSL errors with Squid 3.5.27

2018-06-08 Thread Julian Perconti
Hello community, I am new to the list, and I hope everyone is well. I have a squid server running on debian 7. My squid version is 3.5.27 manually compiled with LibreSSL 2.6.0 due to problems with Dropbox. After compiling squid with LibreSSL, the error "unknown cipher returned" has disappeared an