[squid-users] Squid Version 3.5.20 Any Ideas
Cherukuri, Naresh
2017-07-19 15:34:18 UTC
Hi All,

I installed Squid version 3.5.20 on RHEL 7 and generated self-signed CA certificates. My users are complaining about certificate errors. When I looked at cache.log I see so many error messages like the ones below. Below is my squid.conf file. Any ideas how to address the errors below?

Squid.conf:

max_filedesc 4096
visible_hostname pctysqd2prod
logfile_rotate 10

access_log stdio:/var/log/squid/access.log squid

acl localnet src 172.16.0.0/16
acl backoffice_users src 10.136.0.0/13
acl hcity_backoffice_users src 10.142.0.0/15
acl register_users src 10.128.0.0/13
acl hcity_register_users src 10.134.0.0/15
acl partycity url_regex partycity

acl SSL_ports port 443
acl Safe_ports port 80 # http
#acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
#acl Safe_ports port 70 # gopher
#acl Safe_ports port 210 # wais
#acl Safe_ports port 1025-65535 # unregistered ports
#acl Safe_ports port 280 # http-mgmt
#acl Safe_ports port 488 # gss-http
#acl Safe_ports port 591 # filemaker
#acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#acl allowed_sites {dst|dstdomain|dstdom_regex|url_regex) "/path/to/file"
acl backoffice_allowed_sites url_regex "/etc/squid/backoffice_allowed_sites"
acl hcity_backoffice_allowed_sites url_regex "/etc/squid/backoffice_allowed_sites"
acl backoffice_blocked_sites url_regex "/etc/squid/backoffice_blocklist"
acl hcity_backoffice_blocked_sites url_regex "/etc/squid/backoffice_blocklist"
acl register_allowed_sites url_regex "/etc/squid/register_allowed_sites"
acl hcity_register_allowed_sites url_regex "/etc/squid/hcity_register_allowed_sites"

http_access allow localnet register_allowed_sites
http_access deny backoffice_users backoffice_blocked_sites
http_access deny hcity_backoffice_users backoffice_blocked_sites
http_access allow backoffice_users backoffice_allowed_sites
http_access allow hcity_backoffice_users backoffice_allowed_sites
http_access allow register_users register_allowed_sites
http_access allow hcity_register_users hcity_register_allowed_sites
no_cache deny partycity
http_access deny all

#http_access allow manager localhost
#http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
#http_access deny CONNECT !SSL_ports
http_access allow CONNECT SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost


# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128 ssl-bump \
key=/etc/squid/pctysquid2sslcerts/pctysquid2prod.pkey \
cert=/etc/squid/pctysquid2sslcerts/pctysquid2prod.crt \
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

sslproxy_cert_error allow all
always_direct allow all
sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /cache/squid 10000 16 256

# Leave coredumps in the first cache dir
#rdescoredump_dir /var/spool/squid
coredump_dir /var/log/squid/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

#url_rewrite_access allow all
#url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidguard.conf

Cache.log

2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 689: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 1114: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:37 kid1| Error negotiating SSL connection on FD 146: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 252: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 36: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
Yuri
2017-07-19 15:36:24 UTC
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

http://i.imgur.com/A153C7A.png
_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users
Walter H.
2017-07-19 17:30:36 UTC
Hello,

this seems not to be the problem, as the error messages are in
cache.log, which is not a browser problem ...

the question: are the SSL-bumped sites in the intranet, using a
self-signed CA cert themselves, which squid doesn't know?
Post by Yuri
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
http://i.imgur.com/A153C7A.png
Yuri
2017-07-19 18:15:00 UTC
This simply seems to be that the OP did not install the proxy CA's public
key in the clients. No more.

And the errors in cache.log (as well as the client complaints) show this
unambiguously.

All other ideas are your nonsense.
Post by Walter H.
Hello,
this seems not to be the problem, as the error messages are in
cache.log, which is not a browser problem ...
the question: are the SSL bumped sites in intranet, which use a self
signed CA cert itself, which squid doesn't know?
Yuri
2017-07-19 18:25:26 UTC
One out of two. Either the Squid does not see the OpenSSL/system root
CAs bundle, or the proxy CA's public key is not installed in the
clients. It's all.
Cherukuri, Naresh
2017-07-19 20:49:02 UTC
Thanks Yuri for quick turnover!

We only installed the root certificate on all clients. We didn't install the proxy CA's public key on the clients. So your suggested fix is that we need to install both the certificate and the proxy CA's public key on the clients.

Thanks,
Naresh

Yuri
2017-07-19 20:55:23 UTC
No. Only the proxy's CA public key. The private key should remain on the proxy only.
Cherukuri, Naresh
2017-07-19 21:04:37 UTC
Yuri,

I am sorry, I didn't get you. I already installed the certificate on all clients (trusted root certificate authorities). You want me to install the proxy public key on the clients as well; if so, where should I put the proxy public key? Below is my squid.conf file.

Squid.conf
key=/etc/squid/pctysquid2sslcerts/pctysquid2prod.pkey \ proxy ca public key??
cert=/etc/squid/pctysquid2sslcerts/pctysquid2prod.crt \ (installed certificate on IE all clients as a trusted root certificate authorities)


Yuri
2017-07-19 21:10:10 UTC
Aha,
Post by Cherukuri, Naresh
Yuri,
I am sorry I didn’t get you I already installed certificate on all
clients(trusted root certificate authorities). You want me install
proxy public key also on clients, if so were should I put the proxy
public key. Below is my squid.conf file.
Squid.conf
key=/etc/squid/pctysquid2sslcerts/pctysquid2prod.pkey \ proxy ca public key??
This is the proxy private key AFAIK.
Post by Cherukuri, Naresh
cert=/etc/squid/pctysquid2sslcerts/pctysquid2prod.crt \(installed
certificate on IE all clients as a trusted root certificate authorities)
Yes, if it is installed into the clients, this is OK.

So, the only reason I can see: the proxy can't see the OpenSSL CA bundle.

To make it work you should add one of these to your squid config:

# TAG: sslproxy_cafile
# file containing CA certificates to use when verifying server
# certificates while proxying https:// URLs
#Default:
# none

# TAG: sslproxy_capath
# directory containing CA certificates to use when verifying
# server certificates while proxying https:// URLs
#Default:
# none

The proxy also should know about the CAs used for connection verification.
Amos Jeffries
2017-07-20 00:55:09 UTC
Post by Yuri
Aha,
Yuri,
I am sorry I didn’t get you I already installed certificate on all
clients(trusted root certificate authorities). You want me install
proxy public key also on clients, if so were should I put the proxy
public key. Below is my squid.conf file.
Squid.conf
key=/etc/squid/pctysquid2sslcerts/pctysquid2prod.pkey \ proxy ca public key??
This is proxy private key AFAIK.
Correct. It should be the proxy private key. If the public key is put in
there and startup actually succeeds, I'm not sure what broken runtime
errors will occur - nothing good anyhow.

Also, note that cert= parameter should be configured *before* the key=
parameter so Squid loads them from the right place. The very latest
releases (v4+) will fail to start if the ordering is wrong, so best to
prepare for that now.


I suspect that part of the problem here is what is being configured in
that cert= parameter. For SSL-Bump ports in current Squid it needs to
contain the self-signed *CA* certificate that Squid is using to
generate other certs from, the key= being the private key of that CA cert.

If you generate a regular proxy cert and load it there (like a normal
proxy cert= would use), the bumping process will get all broken.


The ConfigExample page Yuri linked to earlier had the exact and full
process to follow for setting up the multiple different certs, keys and
file types involved with SSL-Bump.
Post by Yuri
cert=/etc/squid/pctysquid2sslcerts/pctysquid2prod.crt \(installed
certificate on IE all clients as a trusted root certificate authorities)
Yes, if it installed into clients - this is ok.
So. The only reason I can see - proxy can't see OpenSSL CA's bundle.
# TAG: sslproxy_cafile
# file containing CA certificates to use when verifying server
# certificates while proxying https:// URLs
# none
# TAG: sslproxy_capath
# directory containing CA certificates to use when verifying
# server certificates while proxying https:// URLs
# none
Er, those are for Squid->server connections. You were correct about the
errors referring to client->Squid connections, so these are irrelevant.

If anything, the cafile= parameter of the ssl-bump port might be
needed. Then it should point at the same CAs found in the cert=
parameter (a bit weird, but that is bugs in the SSL-Bump config design).

FTR: those particular errors occur when Squid accepts a connection from
a client, begins the TLS handshake and the client suddenly disconnects
before the handshake is complete.
The "certificate unknown" seems to be saying that either 1) the client
sent a client-cert to Squid and OpenSSL did not accept it, or 2) that
the client did not accept the auto-generated cert Squid sent.

If (1) is happening it is because the browser was not correctly
configured with the self-signed CA public cert.

If (2) is happening, then probably the cert=, key=, cafile= parameters
on the ssl-bump port are not configured right, OR browser was not
correctly configured with the self-signed CA public cert.

Or, maybe bugs in that particular Squid release SSL-Bump code. We are
constantly fixing them and 3.5.20 is now a whole year behind with
SSL-Bump fixes - many of them rather major behaviour fixes.


==> Best Practice to follow with SSL-Bump is that when having *any*
problems with the SSL-Bump process try the latest Squid release first
before spending time trying to figure it out.

Amos
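As an added example (not from the thread, and not Squid's own code), a small Python triage script for the cache.log lines discussed above: it unpacks the packed OpenSSL 1.0.x error code into library, function and reason, maps a reason of 1000 + N back to TLS alert N (so 14094416 is libssl, SSL3_READ_BYTES, alert 46 certificate_unknown, sent by the client), and counts alerts per type with a hint for each. The sample log text is constructed in the format the thread shows, and the hint table is my own reading of Amos's explanation.

```python
import re
from collections import Counter

# Constructed input: the first two lines copy the format of the cache.log lines quoted
# in the thread; the third (alert "unknown ca") and the fourth (a non-handshake line)
# are made up to exercise the other code paths.
SAMPLE_CACHE_LOG = """\
2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 689: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 1114: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:37 kid1| Error negotiating SSL connection on FD 146: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2017/07/18 16:05:41 kid1| Some other cache.log entry (constructed filler line)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) kid\d+\| "
    r"Error negotiating SSL connection on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<text>.*) \(\d+/\d+\)$"
)

# TLS alert descriptions (RFC 5246, section 7.2.2) that matter for certificate trust.
TLS_ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
    49: "access_denied",
    51: "decrypt_error",
    70: "protocol_version",
}

ERR_LIB_SSL = 20             # OpenSSL library number of libssl (the 0x14 in 0x14094416)
SSL_AD_REASON_OFFSET = 1000  # OpenSSL reports a received TLS alert as reason 1000 + alert

# Hints for alerts the *client* sends while Squid presents its generated certificate
# (these lines are client->Squid handshakes, as Amos explains). My own wording.
CLIENT_ALERT_HINTS = {
    "certificate_unknown": "client rejected the generated cert: check the CA cert is in the "
                           "client trust store and that cert=/key= hold the CA cert and its key",
    "unknown_ca": "client does not trust the signing CA: install the proxy CA public cert",
    "certificate_expired": "generated cert or CA outside its validity period: check clocks",
    "bad_certificate": "client could not parse/verify the cert: check the CA cert in cert=",
}


def decode_openssl_error(code_hex):
    """Unpack an OpenSSL 1.0.x error code: 8 bits library, 12 bits function, 12 bits reason."""
    code = int(code_hex, 16)
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    alert = None
    alert_name = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
        alert_name = TLS_ALERTS.get(alert, "alert_%d" % alert)
    return {"lib": lib, "func": func, "reason": reason,
            "alert": alert, "alert_name": alert_name}


def parse_cache_log(text):
    """Return one record per 'Error negotiating SSL connection' line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = {"ts": m.group("ts"), "fd": int(m.group("fd")), "text": m.group("text")}
        rec.update(decode_openssl_error(m.group("code")))
        records.append(rec)
    return records


def summarize(records):
    """Count handshake failures per TLS alert and attach a triage hint for each."""
    counts = Counter(r["alert_name"] for r in records if r["alert_name"])
    hints = {name: CLIENT_ALERT_HINTS.get(name, "see RFC 5246 alert descriptions")
             for name in counts}
    return {"total": len(records), "by_alert": dict(counts), "hints": hints}


if __name__ == "__main__":
    summary = summarize(parse_cache_log(SAMPLE_CACHE_LOG))
    print("handshake failures:", summary["total"])
    for name, n in summary["by_alert"].items():
        print("  %-22s %3d  %s" % (name, n, summary["hints"][name]))
```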
Cherukuri, Naresh
2017-07-20 19:02:37 UTC
Thank you Amos! Appreciate your help.

-----Original Message-----
From: squid-users [mailto:squid-users-***@lists.squid-cache.org] On Behalf Of Amos Jeffries
Sent: Wednesday, July 19, 2017 8:55 PM
To: squid-***@lists.squid-cache.org
Subject: Re: [squid-users] Squid Version 3.5.20 Any Ideas
Post by Yuri
Aha,
Yuri,
I am sorry I didn’t get you I already installed certificate on all
clients(trusted root certificate authorities). You want me install
proxy public key also on clients, if so were should I put the proxy
public key. Below is my squid.conf file.
Squid.conf
key=/etc/squid/pctysquid2sslcerts/pctysquid2prod.pkey \ proxy ca public key??
This is proxy private key AFAIK.
Correct. It should be the proxy private key. If the public key is put in there and startup actually succeeds I'm not sure what broken runtime errors will occur - nothing good anyhow.

Also, note that cert= parameter should be configured *before* the key= parameter so Squid loads them from the right place. The very latest releases (v4+) will fail to start if the ordering is wrong, so best to prepare for that now.


I suspect that part of the problem here is what is being configured in that cert= parameter. For SSL-Bump ports in current Squid it needs to contains the self-signed *CA* certificate that Squid is using to generate other certs from, the key= being the private key of that CA cert.

If you generate a regular proxy cert and load it there (like normal proxy cert= would use) the bumping process will get all broken.


The ConfigExample page Yuri linked to earlier had the exact and full
process to follow for setting up the multiple different certs, keys and
file types involved with SSL-Bump.
Post by Yuri
cert=/etc/squid/pctysquid2sslcerts/pctysquid2prod.crt \(installed
certificate on IE all clients as a trusted root certificate authorities)
Yes, if it installed into clients - this is ok.
So. The only reason I can see - proxy can't see OpenSSL CA's bundle.
# TAG: sslproxy_cafile
# file containing CA certificates to use when verifying server
# certificates while proxying https:// URLs
# none
# TAG: sslproxy_capath
# directory containing CA certificates to use when verifying
# server certificates while proxying https:// URLs
# none
Er, those are for Squid->server connections. You were correct about the
errors referring to client->Squid connections, so these are irrelevant.

If anything, the cafile= parameter of the ssl-bump port might be
needed. Then it should point at the same CA's found in the cert=
parameter (bit weird, but that is bugs in the SSL-Bump config design).

FTR: those particular errors occur when Squid accepts a connection from
a client, begins the TLS handshake and the client suddenly disconnects
before the handshake is complete.
The "certificate unknown" seems to be saying that either 1) the client
sent a client-cert to Squid and OpenSSL did not accept it, or 2) that
the client did not accept the auto-generated cert Squid sent.

If (1) is happening it s because the browser was not correctly
configured with the self-signed CA public cert.

If (2) is happening, then probably the cert=, key=, cafile= parameters
on the ssl-bump port are not configured right, OR browser was not
correctly configured with the self-signed CA public cert.

Or, maybe bugs in that particular Squid release SSL-Bump code. We are
constantly fixing them and 3.5.20 is now a whole year behind with
SSL-Bump fixes - many of them rather major behaviour fixes.


==> Best Practice to follow with SSL-Bump is that when having *any*
problems with the SSL-Bump process try the latest Squid release first
before spending time trying to figure it out.

Amos
_______________________________________________
squid-users mailing list
squid-***@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
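Added example (not from the thread, and not Squid's own tooling): a small Python triage script for cache.log lines like the ones quoted above. It unpacks the OpenSSL error code the way OpenSSL 1.x packs it (0x14094416 is library 20 = SSL, function 148 = SSL3_READ_BYTES, reason 1046 = 1000 + TLS alert 46, certificate_unknown), notes that SSL3_READ_BYTES means the alert was received from the peer, which is Amos's case (2) where the client refused the certificate Squid presented, and then flags any minute with a burst of such client trust rejections so a CA-deployment problem stands out from the odd stray disconnect. The function names, the burst threshold of 3 per minute and the two extra marked log lines are my own constructions; the other sample lines are the ones posted in this thread.

```python
import re
from collections import Counter
from datetime import datetime

# Lines as posted in this thread, plus two constructed lines (marked) so the
# parser has an unrelated line to skip and a second alert type to classify.
SAMPLE_LOG = """\
2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 689: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 1114: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:37 kid1| Error negotiating SSL connection on FD 146: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 252: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 36: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:06:02 kid1| (constructed unrelated line that the parser must skip)
2017/07/18 16:07:15 kid1| Error negotiating SSL connection on FD 77: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure (1/0)
"""

# Squid 3.5 "Error negotiating SSL connection" line as it appears in cache.log.
# The func field is allowed to be empty because OpenSSL 3 no longer fills it.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) kid\d+\| "
    r"Error negotiating SSL connection on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]+):(?P<func>[^:]*):(?P<reason>.+?) "
    r"\((?P<ret>-?\d+)/(?P<errno>-?\d+)\)$"
)

# OpenSSL reports a TLS alert received from the peer as reason 1000 + alert
# number (SSL_AD_REASON_OFFSET); alert numbers are from RFC 5246 section 7.2.
SSL_AD_REASON_OFFSET = 1000
TLS_ALERTS = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 49: "access_denied",
}
# Alerts a client sends when it does not trust the certificate it was shown.
CERT_TRUST_ALERTS = {42, 43, 44, 45, 46, 48}


def decode_openssl_error(code):
    """Unpack an OpenSSL 1.x error code: lib (8 bits) | func (12 bits) | reason (12 bits)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def parse_line(line):
    """Return a dict describing one handshake failure, or None for any other line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    lib_code, func_code, reason_code = decode_openssl_error(int(m["code"], 16))
    alert = None
    if SSL_AD_REASON_OFFSET <= reason_code < SSL_AD_REASON_OFFSET + 256:
        alert = reason_code - SSL_AD_REASON_OFFSET
    return {
        "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        "fd": int(m["fd"]),
        "lib": lib_code,
        "func": func_code,
        "reason": reason_code,
        "alert": alert,
        "alert_name": TLS_ALERTS.get(alert, "other") if alert is not None else None,
        # SSL3_READ_BYTES means the alert arrived from the peer: the client
        # rejected what Squid sent, not the other way round.
        "received_from_client": alert is not None and m["func"] == "SSL3_READ_BYTES",
    }


def triage(log_text, threshold=3):
    """Count alerts by type and flag minutes with >= threshold client trust rejections."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_alert = Counter(e["alert_name"] for e in events if e["alert"] is not None)
    per_minute = Counter(
        e["ts"].strftime("%Y/%m/%d %H:%M")
        for e in events
        if e["received_from_client"] and e["alert"] in CERT_TRUST_ALERTS
    )
    bursts = sorted(minute for minute, n in per_minute.items() if n >= threshold)
    return {"parsed": len(events), "by_alert": dict(by_alert), "bursts": bursts}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"parsed {result['parsed']} handshake failures: {result['by_alert']}")
    for minute in result["bursts"]:
        print(f"{minute}: burst of client certificate-trust alerts; check CA deployment")
```

Run it against a real cache.log with `triage(open("/var/log/squid/cache.log").read())`. The code unpacking follows the OpenSSL 1.0/1.1 layout that Squid 3.5 on RHEL 7 links against; OpenSSL 3 zeroes the function field and leaves the function name empty in the string, so on such builds the "received_from_client" flag stays False and only the library and reason fields are meaningful.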
Yuri
2017-07-19 21:06:22 UTC
Permalink
Related OpenSSL public CA bundle - in theory it should be installed
together with OpenSSL.
Post by Cherukuri, Naresh
Thanks Yuri for quick turnover!
We only installed root certificate on all clients. We didn’t install
proxy CA’s public key on clients. So your suggested fix is that we need
to install both the certificate and the proxy CA’s public key on clients.
Thanks,
Naresh
*On Behalf Of *Yuri
*Sent:* Wednesday, July 19, 2017 2:25 PM
*Subject:* Re: [squid-users] Squid Version 3.5.20 Any Ideas
One out of two. Either the Squid does not see the OpenSSL/system root
CAs bundle, or the proxy CA's public key is not installed in the
clients. It's all.
Hello,
this seems not to be the problem, as the error messages are in
cache.log, which is not a browser problem ...
the question: are the SSL bumped sites in intranet, which use a
self signed CA cert itself, which squid doesn't know?
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
http://i.imgur.com/A153C7A.png
Hi All,
I installed Squid version 3.5.20 on RHEL 7 and generated
self-signed CA certificates, My users are complaining about
certificate errors. When I looked at cache.log I see so many
error messages like below. Below is my squid.conf file. Any
ideas how to address below errors.
Cache.log
2017/07/18 16:05:34 kid1| Error negotiating SSL connection on
FD 689: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3
alert certificate unknown (1/0)
2017/07/18 16:05:34 kid1| Error negotiating SSL connection on
FD 1114: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3
alert certificate unknown (1/0)
2017/07/18 16:05:37 kid1| Error negotiating SSL connection on
FD 146: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3
alert certificate unknown (1/0)
2017/07/18 16:05:41 kid1| Error negotiating SSL connection on
FD 252: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3
alert certificate unknown (1/0)
2017/07/18 16:05:41 kid1| Error negotiating SSL connection on
FD 36: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert
certificate unknown (1/0)
Cherukuri, Naresh
2017-07-19 21:09:28 UTC
Permalink
Yuri,

I am new to squid; I learned it through searching google. My question is: I generated self-signed SSL certificates and installed the certificates in IE on all clients. I didn’t install the proxy public key. Can you tell me where I have to put the proxy public key on clients? Appreciate your help!

Thanks,
Naresh

From: Yuri [mailto:***@gmail.com]
Sent: Wednesday, July 19, 2017 5:06 PM
To: Cherukuri, Naresh; squid-***@lists.squid-cache.org
Subject: Re: [squid-users] Squid Version 3.5.20 Any Ideas


Related OpenSSL public CA bundle - in theory it should be installed together with OpenSSL.

20.07.2017 2:49, Cherukuri, Naresh wrote:
Thanks Yuri for quick turnover!

We only installed root certificate on all clients. We didn’t install proxy CA’s public key on clients. So your suggested fix is that we need to install both the certificate and the proxy CA’s public key on clients.

Thanks,
Naresh

From: squid-users [mailto:squid-users-***@lists.squid-cache.org] On Behalf Of Yuri
Sent: Wednesday, July 19, 2017 2:25 PM
To: squid-***@lists.squid-cache.org<mailto:squid-***@lists.squid-cache.org>
Subject: Re: [squid-users] Squid Version 3.5.20 Any Ideas


One out of two. Either the Squid does not see the OpenSSL/system root CAs bundle, or the proxy CA's public key is not installed in the clients. It's all.

19.07.2017 23:30, Walter H. wrote:
Hello,

this seems not to be the problem, as the error messages are in cache.log, which is not a browser problem ...

the question: are the SSL bumped sites in intranet, which use a self signed CA cert itself, which squid doesn't know?

On 19.07.2017 17:36, Yuri wrote:

http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

http://i.imgur.com/A153C7A.png

19.07.2017 21:34, Cherukuri, Naresh wrote:

Hi All,

I installed Squid version 3.5.20 on RHEL 7 and generated self-signed CA certificates, My users are complaining about certificate errors. When I looked at cache.log I see so many error messages like below. Below is my squid.conf file. Any ideas how to address below errors.

Cache.log

2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 689: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)

2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 1114: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)

2017/07/18 16:05:37 kid1| Error negotiating SSL connection on FD 146: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)

2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 252: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)

2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 36: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)

Yuri
2017-07-19 21:15:14 UTC
Permalink
Post by Cherukuri, Naresh
Yuri,
I am new to squid; I learned it through searching google. My question
is: I generated self-signed SSL certificates and installed the certificates
in IE on all clients. I didn’t install the proxy public key. Can you tell me
where I have to put the proxy public key on clients? Appreciate your help!
Ah. Based on my experience,

you need to take the *public* proxy key (not the private one; you use the keypair to
set up the ssl-bump configuration; do not mistake it) and install it at least
into two places on the client's PC:

1. Into system trusted CA storage (used by IE/Chrome/some IM etc.)
2. Into Firefox own storage (if applicable).
3. Sometimes it is also required to set up the proxy's CA public key in old
JREs existing on clients. But AFAIK a modern JRE uses the system CA storage
and this step is no longer required.

Actually, this should be enough.
Post by Cherukuri, Naresh
Thanks,
Naresh
*Sent:* Wednesday, July 19, 2017 5:06 PM
*Subject:* Re: [squid-users] Squid Version 3.5.20 Any Ideas
Related OpenSSL public CA bundle - in theory it should be installed together with OpenSSL.
Thanks Yuri for quick turnover!
We only installed root certificate on all clients. We didn’t
install proxy CA’s public key on clients. So your suggested fix
is that we need to install both the certificate and the proxy CA’s
public key on clients.
Thanks,
Naresh
*From:*squid-users
*Sent:* Wednesday, July 19, 2017 2:25 PM
*Subject:* Re: [squid-users] Squid Version 3.5.20 Any Ideas
One out of two. Either the Squid does not see the OpenSSL/system
root CAs bundle, or the proxy CA's public key is not installed in
the clients. It's all.
Hello,
this seems not to be the problem, as the error messages are in
cache.log, which is not a browser problem ...
the question: are the SSL bumped sites in intranet, which use
a self signed CA cert itself, which squid doesn't know?
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
http://i.imgur.com/A153C7A.png
Hi All,
I installed Squid version 3.5.20 on RHEL 7 and generated
self-signed CA certificates, My users are complaining
about certificate errors. When I looked at cache.log I see
so many error messages like below. Below is my squid.conf
file. Any ideas how to address below errors.
Cache.log
2017/07/18 16:05:34 kid1| Error negotiating SSL connection
on FD 689: error:14094416:SSL
routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
(1/0)
2017/07/18 16:05:34 kid1| Error negotiating SSL connection
on FD 1114: error:14094416:SSL
routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
(1/0)
2017/07/18 16:05:37 kid1| Error negotiating SSL connection
on FD 146: error:14094416:SSL
routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
(1/0)
2017/07/18 16:05:41 kid1| Error negotiating SSL connection
on FD 252: error:14094416:SSL
routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
(1/0)
2017/07/18 16:05:41 kid1| Error negotiating SSL connection
on FD 36: error:14094416:SSL
routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
(1/0)
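Added example (not from the thread, and not Squid's own tooling) for the deployment step Yuri describes above: before pushing the proxy CA to client trust stores, check that the file you hand out carries only the public certificate and no key pair material, and afterwards check that a given trust bundle actually contains that CA by comparing SHA-256 fingerprints in the same form `openssl x509 -fingerprint -sha256` prints them. The same comparison works against the OpenSSL bundle on the proxy host, whose location `ssl.get_default_verify_paths()` reports. The PEM blobs below are constructed placeholders, not real certificates (the fingerprint logic does not care), and the function names are mine.

```python
import base64
import hashlib
import re
import ssl

# Matches one PEM block; the label tells a certificate from key material.
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END (?P=label)-----"
)


def make_pem(label, der):
    """Wrap DER bytes as a PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed placeholder DER blobs (real certificates are ASN.1 DER; these are
# not, but the fingerprint comparison treats any bytes identically).
PROXY_CA_DER = b"constructed placeholder: proxy CA certificate DER"
OTHER_CA_DER = b"constructed placeholder: some public root CA DER"
PROXY_KEY_DER = b"constructed placeholder: proxy CA private key DER"

PROXY_CA_PEM = make_pem("CERTIFICATE", PROXY_CA_DER)
# A file that mistakenly bundles the private key with the certificate.
COMBINED_PEM = PROXY_CA_PEM + make_pem("PRIVATE KEY", PROXY_KEY_DER)
CLIENT_BUNDLE_WITHOUT = make_pem("CERTIFICATE", OTHER_CA_DER)
CLIENT_BUNDLE_WITH = CLIENT_BUNDLE_WITHOUT + PROXY_CA_PEM


def pem_blocks(text):
    """Yield (label, der_bytes) for every PEM block found in text."""
    for m in PEM_BLOCK_RE.finditer(text):
        body = re.sub(r"\s+", "", m["body"])
        yield m["label"], base64.b64decode(body, validate=True)


def sha256_fingerprint(der):
    """Colon-separated upper-case SHA-256, as openssl x509 -fingerprint prints it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_distribution_file(pem_text):
    """Return (ok, problems) for a file meant for clients: exactly one
    CERTIFICATE block and no private key material of any kind."""
    labels = [label for label, _ in pem_blocks(pem_text)]
    problems = []
    if any("PRIVATE KEY" in label for label in labels):
        problems.append("contains private key material; never distribute this file")
    certs = labels.count("CERTIFICATE")
    if certs != 1:
        problems.append(f"expected exactly one CERTIFICATE block, found {certs}")
    return (not problems, problems)


def ca_in_bundle(ca_pem, bundle_pem):
    """True when every certificate in ca_pem is present in bundle_pem, by fingerprint."""
    want = {sha256_fingerprint(der) for label, der in pem_blocks(ca_pem) if label == "CERTIFICATE"}
    have = {sha256_fingerprint(der) for label, der in pem_blocks(bundle_pem) if label == "CERTIFICATE"}
    return bool(want) and want <= have


def system_bundle_path():
    """Where this host's OpenSSL looks for its CA bundle (may be None)."""
    return ssl.get_default_verify_paths().cafile


if __name__ == "__main__":
    print("distribution file check:", check_distribution_file(COMBINED_PEM))
    print("proxy CA fingerprint:", sha256_fingerprint(PROXY_CA_DER))
    print("present in client bundle:", ca_in_bundle(PROXY_CA_PEM, CLIENT_BUNDLE_WITH))
    print("OpenSSL bundle on this host:", system_bundle_path())
```

For a Windows client store or Firefox's own store, export the trusted roots to a PEM file first (certutil or the browser's certificate manager can do this) and pass that text as `bundle_pem`; the point of comparing fingerprints rather than file names or subjects is that a regenerated CA with the same subject but a new key will correctly show as missing.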
Cherukuri, Naresh
2017-07-20 19:02:57 UTC
Permalink
Thank you Yuri! Appreciate your help.

From: Yuri [mailto:***@gmail.com]
Sent: Wednesday, July 19, 2017 5:15 PM
To: Cherukuri, Naresh; squid-***@lists.squid-cache.org
Subject: Re: [squid-users] Squid Version 3.5.20 Any Ideas

20.07.2017 3:09, Cherukuri, Naresh wrote:
Yuri,

I am new to squid; I learned it through searching google. My question is: I generated self-signed SSL certificates and installed the certificates in IE on all clients. I didn’t install the proxy public key. Can you tell me where I have to put the proxy public key on clients? Appreciate your help!
Ah. Based on my experience,

you need to take the *public* proxy key (not the private one; you use the keypair to set up the ssl-bump configuration; do not mistake it) and install it at least into two places on the client's PC:

1. Into system trusted CA storage (used by IE/Chrome/some IM etc.)
2. Into Firefox own storage (if applicable).
3. Sometimes it is also required to set up the proxy's CA public key in old JREs existing on clients. But AFAIK a modern JRE uses the system CA storage and this step is no longer required.

Actually, this should be enough.

Thanks,
Naresh

From: Yuri [mailto:***@gmail.com]
Sent: Wednesday, July 19, 2017 5:06 PM
To: Cherukuri, Naresh; squid-***@lists.squid-cache.org<mailto:squid-***@lists.squid-cache.org>
Subject: Re: [squid-users] Squid Version 3.5.20 Any Ideas


Related OpenSSL public CA bundle - in theory it should be installed together with OpenSSL.

20.07.2017 2:49, Cherukuri, Naresh wrote:
Thanks Yuri for quick turnover!

We only installed root certificate on all clients. We didn’t install proxy CA’s public key on clients. So your suggested fix is that we need to install both the certificate and the proxy CA’s public key on clients.

Thanks,
Naresh

From: squid-users [mailto:squid-users-***@lists.squid-cache.org] On Behalf Of Yuri
Sent: Wednesday, July 19, 2017 2:25 PM
To: squid-***@lists.squid-cache.org<mailto:squid-***@lists.squid-cache.org>
Subject: Re: [squid-users] Squid Version 3.5.20 Any Ideas


One out of two. Either the Squid does not see the OpenSSL/system root CAs bundle, or the proxy CA's public key is not installed in the clients. It's all.

19.07.2017 23:30, Walter H. wrote:
Hello,

this seems not to be the problem, as the error messages are in cache.log, which is not a browser problem ...

the question: are the SSL bumped sites in intranet, which use a self signed CA cert itself, which squid doesn't know?

On 19.07.2017 17:36, Yuri wrote:

http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

http://i.imgur.com/A153C7A.png

19.07.2017 21:34, Cherukuri, Naresh wrote:

Hi All,

I installed Squid version 3.5.20 on RHEL 7 and generated self-signed CA certificates, My users are complaining about certificate errors. When I looked at cache.log I see so many error messages like below. Below is my squid.conf file. Any ideas how to address below errors.

Cache.log

2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 689: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)

2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 1114: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)

2017/07/18 16:05:37 kid1| Error negotiating SSL connection on FD 146: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)

2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 252: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)

2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 36: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
