[squid-users] [3.5.9]: Error negotiating SSL connection on FD 12: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)

Amos Jeffries squid3 at treenet.co.nz
Fri Oct 2 02:49:58 UTC 2015


On 2/10/2015 11:18 a.m., David Touzeau wrote:
> 
> Dear
> 
> I'm using Squid Cache: Version 3.5.9-20150922-r13918 in transparent mode
> with SSL hooked
> In my config, I did not bump any site (just to pass the SSL protocol to
> squid in transparent mode)
> 
> I'm trying to connect to https://raj2796.wordpress.com
> 
> In cache.log
> 
> 2015/10/02 00:07:05 kid1| Accepting NAT intercepted SSL bumped HTTPS
> Socket connections at local=0.0.0.0:53695 remote=[::] FD 100 flags=41
> 2015/10/02 00:07:05 kid1| Accepting ICP messages on [::]:3130
> 2015/10/02 00:07:05 kid1| Sending ICP messages from [::]:3130
> 2015/10/02 00:07:05 kid1| Accepting SNMP messages on [::]:3401
> 2015/10/02 00:07:10 kid1| Error negotiating SSL connection on FD 12:
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown (1/0)
> 2015/10/02 00:07:20 kid1| Error negotiating SSL connection on FD 17:
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown (1/0)
> 2015/10/02 00:07:21 kid1| Error negotiating SSL connection on FD 17:
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown (1/0)
> 2015/10/02 00:07:21 kid1| Error negotiating SSL connection on FD 17:
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown (1/0)
> 2015/10/02 00:09:10 kid1| Error negotiating SSL connection on FD 114:
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown (1/0)
> 
> And I'm unable to display the web site; the browser freezes when trying to
> open the website...
> 
> How can I bypass this website and force squid to not analyze the certificate
> on *.wordpress.com?
> 

Couple of problems...

> 
> My config
> https_port 0.0.0.0:53695  intercept ssl-bump
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/etc/squid3/ssl/cb623e9bfc65772f68b84393604cd6ea.dyn
> options=NO_SSLv3 dhparams=/etc/squid3/ssl/dhparam.pem

No SSLv3, but SSLv2 is allowed. TLS version negotiation relies on a
range of protocol versions from N to N+x being selectable. If you poke
holes by denying one version in the middle problems arise.

NP: SSLv2 was only removed in Squid-4.

This alone is probably your problem. But there is more you should fix to
prevent later troubles.


> acl ssl_step1 at_step SslBump1
> acl ssl_step2 at_step SslBump2
> acl ssl_step3 at_step SslBump3
> ssl_bump peek ssl_step1
> ssl_bump splice all

With splice none of the ssl_proxy_* options are relevant. Apart from
initial peeking a few bytes the TLS/SSL should be blindly tunnelled
between client and server.

We intend the above config to operate as if the client has sent an
explicit-proxy a CONNECT and Squid without SSL support had received and
enacted it. Sans bugs we have not found yet, that is how 3.5.8 and later
operate.


> sslproxy_cipher
> EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
> 

This tells Squid to use EEC* and EC* ciphers. Squid-3.5 and older do not
support those.


> sslproxy_version 0
> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
> sslproxy_cert_error allow all


Amos
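To make Amos's point about version "holes" checkable, here is an added example (not from this thread or the Squid project) that parses a Squid 3.5 `options=` / `sslproxy_options` value and reports any protocol version left enabled below a disabled one; the version list and the `check_https_port` helper are assumptions of the example.

```python
"""Check a Squid 3.5 TLS options string for holes in the protocol version range.

Added example, not code from the squid-users thread or from Squid itself.
TLS negotiation expects the disabled versions to form one contiguous block
at the old end of the range; disabling SSLv3 while leaving SSLv2 enabled
(as in the quoted https_port line) is the shape this flags.
"""
import re

# Protocol versions Squid 3.5 can toggle with NO_<version>, oldest first.
# SSLv2 is still present because Squid-3.5 only dropped it in Squid-4.
VERSIONS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2"]


def parse_options(value):
    """Split a comma-separated Squid options string into a set of names."""
    return {tok.strip() for tok in value.split(",") if tok.strip()}


def enabled_versions(value):
    """Return the protocol versions that the options string leaves enabled."""
    opts = parse_options(value)
    return [v for v in VERSIONS if f"NO_{v}" not in opts]


def find_holes(value):
    """Return enabled versions that are older than the newest disabled one.

    An empty list means the disabled versions form a clean prefix of the
    range (or nothing is disabled), so negotiation can walk N..N+x freely.
    """
    enabled = enabled_versions(value)
    disabled_idx = [i for i, v in enumerate(VERSIONS) if v not in enabled]
    if not disabled_idx:
        return []
    newest_disabled = max(disabled_idx)
    return [v for i, v in enumerate(VERSIONS)
            if i < newest_disabled and v in enabled]


def check_https_port(line):
    """Pull options= out of a single-line https_port directive and check it.

    Hypothetical helper: a real squid.conf line is joined onto one line first.
    """
    match = re.search(r"options=(\S+)", line)
    value = match.group(1) if match else ""
    return {"enabled": enabled_versions(value), "holes": find_holes(value)}


if __name__ == "__main__":
    # Constructed sample mirroring the quoted https_port line from the thread.
    print(check_https_port("https_port 0.0.0.0:53695 intercept ssl-bump "
                           "options=NO_SSLv3 dhparams=/etc/squid3/ssl/dhparam.pem"))
```

Running it on the quoted line reports `holes: ['SSLv2']`, while `NO_SSLv2,NO_SSLv3,SINGLE_DH_USE` (the poster's `sslproxy_options` value) reports none.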
