[squid-users] CPU Load 100% after implementing SSL Bump ....

Amos Jeffries squid3 at treenet.co.nz
Mon May 23 09:11:41 UTC 2016


On 23/05/2016 8:18 p.m., Sagar Malve wrote:
> Hi Team,
> 
> Squid - Version 3.5.13
> 
> 
> Please find the below Squid Cache Logs
> 2016/05/23 13:35:55 kid1| Error negotiating SSL connection on FD 138:
> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
> 2016/05/23 13:35:55 kid1| Error negotiating SSL connection on FD 457:
> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
> 2016/05/23 13:36:00 kid1| Error negotiating SSL connection on FD 33:
> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
> 2016/05/23 13:36:01 kid1| Error negotiating SSL connection on FD 438:
> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
> 2016/05/23 13:36:05 kid1| Error negotiating SSL connection on FD 555: (104)
> Connection reset by peer
<snip>

> 
> ----------------------------Cache log End
> --------------------------------------
> 
> Do we need to update openssl? I got to know these from the forum previous
> post ....
> If we need to update the openssl then where can we find the updated version
> of CA Certs ....
> 

OpenSSL and the global "Trusted CA" certificates are separate things.

Keeping either of those up to date would be a good idea even if doing so
does not solve your issue. Whatever provider was used to get your
current versions should have the latest available if you need updates.


You do need to upgrade your Squid though. Current stable is 3.5.19.
If the problems persist with that, you may want to try a 4.x beta
release. There are additional fixes only available there that might be
of use.

Your current 3.5.13 version and all later ones contain the
<http://www.squid-cache.org/Doc/config/sslproxy_foreign_intermediate_certs/>
directive for loading intermediate CA certs that some servers do not
provide. You can find talk about it and an archive maintained by Yuri in
other recent threads on this list. That can resolve some of the "unknown
ca" occurrences.

Amos
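Before changing OpenSSL, CA bundles or the intermediate-cert directive, it helps to know which failure actually dominates the cache.log. The script below is an added example, not code from Squid or from anyone in this thread; the regexes, the unwrap step and the sample lines are its own assumptions, modelled on the excerpt quoted above. It re-joins records that the mail client wrapped after "FD nnn:", splits the OpenSSL error string into code, function and reason, and counts failures per reason with the FDs involved.

```python
"""Triage 'Error negotiating SSL connection' lines from a Squid cache.log.

Added example, not code from Squid or from anyone in the thread. The
regexes, the unwrap step and the sample lines are this example's own
assumptions, modelled on the cache.log excerpt quoted above.
"""
import re
from collections import Counter

# Constructed sample, in the mail-wrapped form seen in the thread: Squid
# writes each error on one line, but the mail client split them after
# "FD nnn:". The last record is a constructed extra case for contrast.
SAMPLE_LOG = """\
2016/05/23 13:35:55 kid1| Error negotiating SSL connection on FD 138:
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2016/05/23 13:35:55 kid1| Error negotiating SSL connection on FD 457:
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2016/05/23 13:36:00 kid1| Error negotiating SSL connection on FD 33:
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2016/05/23 13:36:05 kid1| Error negotiating SSL connection on FD 555: (104)
Connection reset by peer
2016/05/23 13:36:07 kid1| Error negotiating SSL connection on FD 12:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1)
"""

TS_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} ")
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<kid>kid\d+)\| "
    r"Error negotiating SSL connection on FD (?P<fd>\d+): (?P<detail>.*)$"
)
# OpenSSL error string layout: error:<8 hex digits>:<library>:<function>:<reason>
OPENSSL_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^(]+)"
)


def unwrap(text):
    """Re-join records that a mail client wrapped onto several lines.

    A line that does not begin with a Squid timestamp is treated as the
    continuation of the previous record. Leading '> ' quote marks are dropped
    so the quoted excerpt from the thread can be fed in as-is.
    """
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).rstrip()
        if not line:
            continue
        if TS_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def classify(detail):
    """Map the text after 'FD nnn: ' to (reason, openssl_code or None)."""
    m = OPENSSL_RE.search(detail)
    if m:
        return m.group("reason").strip(), m.group("code").lower()
    if "Connection reset by peer" in detail:
        return "connection reset by peer", None
    return "other", None


def summarise(log_text):
    """Count negotiation failures by reason; return a plain dict for reporting."""
    by_reason = Counter()
    by_code = Counter()
    fds = {}
    for record in unwrap(log_text):
        m = LINE_RE.match(record)
        if not m:
            continue  # some other cache.log line; not a negotiation error
        reason, code = classify(m.group("detail"))
        by_reason[reason] += 1
        if code is not None:
            by_code[code] += 1
        fds.setdefault(reason, []).append(int(m.group("fd")))
    return {"by_reason": dict(by_reason), "by_code": dict(by_code), "fds": fds}


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    for reason, n in sorted(report["by_reason"].items(), key=lambda kv: -kv[1]):
        print(f"{n:5d}  {reason}  (FDs {report['fds'][reason]})")
```

To run it over a live log, pass the file contents to `summarise()` (for example `summarise(open("/var/log/squid/cache.log").read())`, path assumed). OpenSSL reports a received alert under `SSL3_READ_BYTES`, so an "unknown ca" record means the peer on that FD rejected the certificate it was shown; comparing the per-reason counts before and after loading missing intermediates with `sslproxy_foreign_intermediate_certs` shows whether that change addressed the problem, rather than guessing from a handful of log lines.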
