Hello List,
I've finally got a squid3 (squid3.4-4, compiled from sources on Debian) with
SSL interception solution working quite decently.
Now, trying to make it work better, I found some entries in the cache.log
file, like these:
2014/07/28 16:07:15 kid1| fwdNegotiateSSL: Error negotiating SSL connection on FD 683: error:14092105:SSL routines:SSL3_GET_SERVER_HELLO:wrong cipher returned (1/-1/0)
2014/07/28 16:07:15 kid1| fwdNegotiateSSL: Error negotiating SSL connection on FD 160: error:14092105:SSL routines:SSL3_GET_SERVER_HELLO:wrong cipher returned (1/-1/0)
2014/07/28 16:07:37 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 117: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2014/07/28 16:07:40 kid1| UPGRADE WARNING: URL rewriter reponded with garbage '10.10.25.74/- - GET'. Future Squid will treat this as part of the URL.
2014/07/28 16:07:52 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 922: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2014/07/28 16:08:55 kid1| UPGRADE WARNING: URL rewriter reponded with garbage '10.10.25.75/- - GET'. Future Squid will treat this as part of the URL.
I've been looking for solutions to this with no luck.
So, these are my questions:
1) is it possible to check or view an FD's content in order to troubleshoot this?
2) could you please shed some light on how to solve this?
3) how do I apply a patch to upgrade my current squid solution?
Thank you!
Ikna
The SSL part of squid.conf:
http_port 3129
http_port 3128 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=512MB cert=/etc/squid3/certs/ssl/public2.pem key=/etc/squid3/certs/ssl/private.pem options=NO_SSLv2,NO_SSLv3 capath=/etc/ssl/certs
acl SSL_whitelist dstdomain "/etc/squid3/acl/ssl_whitelist.acl"
acl SSL_whitelist_ip dst "/etc/squid3/acl/ssl_whitelist_ip.acl"
ssl_bump none localhost
ssl_bump none SSL_whitelist
ssl_bump none SSL_whitelist_ip
ssl_bump server-first all
sslproxy_capath /etc/ssl/certs
sslproxy_options NO_SSLv2,NO_SSLv3
sslproxy_cert_error allow all
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /usr/lib/ssl_db -M 200MB
sslcrtd_children 40
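The two error families in the cache.log excerpt come from opposite ends of the bump: `fwdNegotiateSSL` is Squid's own handshake to the origin server, and `clientNegotiateSSL` is the browser's handshake to Squid. The OpenSSL reason strings say which side objected: "wrong cipher returned" from `SSL3_GET_SERVER_HELLO` means the origin picked a cipher that was not in the list Squid offered, while "tlsv1 alert unknown ca" means the browser itself rejected the generated certificate because it does not trust the signing CA. The script below is an added example, not code from the original post or from the Squid project: it parses the two `*NegotiateSSL` line shapes shown above, tallies them per side and reason, and attaches that interpretation. The sample lines are constructed from the excerpt (joined onto single lines, as they are in the real file); the function names and the `HINTS` table are my own.

```python
import re
from collections import Counter

# Constructed sample, modelled on the cache.log lines quoted in the post.
SAMPLE_LOG = """\
2014/07/28 16:07:15 kid1| fwdNegotiateSSL: Error negotiating SSL connection on FD 683: error:14092105:SSL routines:SSL3_GET_SERVER_HELLO:wrong cipher returned (1/-1/0)
2014/07/28 16:07:15 kid1| fwdNegotiateSSL: Error negotiating SSL connection on FD 160: error:14092105:SSL routines:SSL3_GET_SERVER_HELLO:wrong cipher returned (1/-1/0)
2014/07/28 16:07:37 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 117: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2014/07/28 16:07:40 kid1| UPGRADE WARNING: URL rewriter reponded with garbage '10.10.25.74/- - GET'. Future Squid will treat this as part of the URL.
2014/07/28 16:07:52 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 922: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
"""

# Matches the Squid 3.4 "Error negotiating SSL connection" lines; the trailing
# "(a/b/c)" is the SSL_get_error / errno detail and is left out of the capture.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) kid\d+\| "
    r"(?P<side>fwdNegotiateSSL|clientNegotiateSSL): Error negotiating SSL connection on "
    r"FD (?P<fd>\d+): error:(?P<code>[0-9A-Fa-f]+):SSL routines:"
    r"(?P<func>[^:]+):(?P<reason>[^(]+?)\s*\("
)

# Interpretation of the OpenSSL reason strings seen in the post (my reading,
# not text from Squid).  Keyed by (which handshake, reason).
HINTS = {
    ("fwdNegotiateSSL", "wrong cipher returned"):
        "Squid -> origin handshake: OpenSSL's SSL_R_WRONG_CIPHER_RETURNED, the server "
        "selected a cipher that was not in Squid's ClientHello (or differs from the "
        "resumed session's cipher). Reproduce with openssl s_client against that origin.",
    ("clientNegotiateSSL", "tlsv1 alert unknown ca"):
        "Browser -> Squid handshake: the client sent an unknown_ca alert, i.e. it does "
        "not trust the CA that signed the bumped certificate. Install the bumping CA "
        "on that client or exempt the destination with ssl_bump none.",
}


def parse_cache_log(text):
    """Return one dict per *NegotiateSSL error line; other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # UPGRADE WARNING and anything else we do not classify here
        rec = m.groupdict()
        rec["fd"] = int(rec["fd"])
        rec["reason"] = rec["reason"].strip()
        records.append(rec)
    return records


def summarize(records):
    """Count handshake failures per (side, reason)."""
    return Counter((r["side"], r["reason"]) for r in records)


def triage(records):
    """Pair each distinct (side, reason) with its count, the FDs seen and a hint."""
    out = {}
    for r in records:
        key = (r["side"], r["reason"])
        entry = out.setdefault(key, {"count": 0, "fds": [], "hint": HINTS.get(key, "unclassified")})
        entry["count"] += 1
        entry["fds"].append(r["fd"])
    return out


if __name__ == "__main__":
    for (side, reason), info in triage(parse_cache_log(SAMPLE_LOG)).items():
        print(f"{side:20s} {reason:28s} x{info['count']} FDs={info['fds']}")
        print(f"    {info['hint']}")
```

On question 1: the FD in these lines is the descriptor number inside the Squid process, so it only tells you anything while the socket is still open; the cache manager's `filedescriptors` report (`squidclient mgr:filedescriptors`) lists the open descriptors with their peer addresses, which is usually enough to map an FD to an origin server and re-test it with `openssl s_client`. One caveat on the posted config: `sslproxy_cert_error allow all` makes Squid accept every origin certificate error, so the `fwdNegotiateSSL` failures above are genuine handshake failures rather than certificate rejections, and it also means a forged or expired origin certificate will not be refused for bumped traffic.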