[squid-users] squid https intercept mode and ubuntu third party repositories issue

Hardik Dangar hardikdangar+squid at gmail.com
Mon Sep 19 16:42:09 UTC 2016


Hello,

I am using squid 3.5.12 (detailed version info is below) on an Ubuntu 16.04.1
LTS server. My squid config is at http://pastebin.com/raw/b8RZ67u9

I have configured squid as an intercept proxy bumping all SSL https
connections. The setup is working fine for many things like browsing,
even on the command line: with wget I can download via https, as I have installed
the root certificate within my client OS.

My issue is that whenever I try to add an extra repository via a command, i.e.
sudo add-apt-repository ppa:ondrej/php
the command fails with the output "Cannot add PPA: 'ppa:~ondrej/ubuntu/php'. ERROR:
'~ondrej' user or team does not exist." and in squid's cache.log and access.log
the following entries can be located for this request:

==> /var/log/squid/access.log <==
1474302162.378    439 192.168.1.66 TAG_NONE/200 0 CONNECT 91.189.89.223:443 - ORIGINAL_DST/91.189.89.223 -

==> /var/log/squid/cache.log <==
2016/09/19 21:52:42 kid1| Error negotiating SSL connection on FD 21:
error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0)
2016/09/19 21:52:42 kid1| hold write on SSL connection on FD 22

==> /var/log/squid/access.log <==
1474302162.885    403 192.168.1.66 TAG_NONE/200 0 CONNECT 91.189.89.223:443 - ORIGINAL_DST/91.189.89.223 -

==> /var/log/squid/cache.log <==
2016/09/19 21:52:42 kid1| Error negotiating SSL connection on FD 21:
error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0)

In the above output 192.168.1.66 is my client making that request and,
as you can see in cache.log, there is a certificate negotiation error. I have
tried to fiddle with all the options provided at
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit but it seems I am out of luck
after almost half of my day battling this issue.

Can someone tell me if they have been successful with this issue? If so, can you
share the relevant section of your squid.conf?

$ squid -v
Squid Cache: Version 3.5.12
Service Name: squid
Ubuntu linux
configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr'
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
'--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var'
'--libexecdir=${prefix}/lib/squid3' '--srcdir=.'
'--disable-maintainer-mode' '--disable-dependency-tracking'
'--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2 -fPIE
-fstack-protector-strong -Wformat -Werror=format-security
-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now'
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
'--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--with-openssl'
'--enable-ssl-crtd' '--enable-inline' '--disable-arch-native'
'--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock'
'--enable-removal-policies=lru,heap' '--enable-delay-pools'
'--enable-cache-digests' '--enable-icap-client'
'--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,
getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB'
'--enable-auth-digest=file,LDAP'
'--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,smb_lm'
'--enable-external-acl-helpers=file_userip,kerberos_
ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group'
'--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi'
'--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation'
'--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid'
'--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536'
'--with-large-files' '--with-default-user=proxy'
'--enable-build-info=Ubuntu linux' '--enable-linux-netfilter'
'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE
-fstack-protector-strong -Wformat -Werror=format-security -Wall'
'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now'
'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE
-fstack-protector-strong -Wformat -Werror=format-security'
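As an added example (not part of the original post), a small Python triage script for the two log sources quoted above: it flags CONNECT entries that ended TAG_NONE with zero bytes transferred, which is what a tunnel that died during the bumped TLS handshake looks like, and pulls the OpenSSL alert out of cache.log. The sample lines are constructed after the entries in the post, with the wrapped access.log lines rejoined.

```python
import re
from collections import Counter

# Constructed sample data modelled on the entries quoted in the post
# (squid native access.log format and cache.log), not a live capture.
ACCESS_LOG = """\
1474302162.378    439 192.168.1.66 TAG_NONE/200 0 CONNECT 91.189.89.223:443 - ORIGINAL_DST/91.189.89.223 -
1474302162.885    403 192.168.1.66 TAG_NONE/200 0 CONNECT 91.189.89.223:443 - ORIGINAL_DST/91.189.89.223 -
1474302170.001    120 192.168.1.66 TCP_MISS/200 5120 GET https://example.net/index.html - ORIGINAL_DST/93.184.216.34 text/html
"""

CACHE_LOG = """\
2016/09/19 21:52:42 kid1| Error negotiating SSL connection on FD 21: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0)
2016/09/19 21:52:42 kid1| hold write on SSL connection on FD 22
"""

# Squid native log format: timestamp elapsed client code/status bytes
# method url user hierarchy/peer content-type
ACCESS_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<type>\S+)$")

# "alert unknown ca" here is an alert Squid *received* from the peer on
# that FD, i.e. the peer rejected the certificate it was shown.
ALERT_RE = re.compile(r"Error negotiating SSL connection on FD (?P<fd>\d+): "
                      r"error:(?P<code>[0-9A-F]+):.*alert (?P<alert>[a-z ]+) \(")


def failed_bump_destinations(access_text):
    """Count CONNECT entries that ended TAG_NONE with 0 bytes, keyed by
    (client, destination): the tunnel never carried any payload."""
    hits = Counter()
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if m and m["method"] == "CONNECT" and m["code"] == "TAG_NONE" \
                and m["bytes"] == "0":
            hits[(m["client"], m["url"])] += 1
    return hits


def tls_alerts(cache_text):
    """Return (fd, openssl_error_code, alert_description) per cache.log line."""
    return [(int(m["fd"]), m["code"], m["alert"].strip())
            for m in map(ALERT_RE.search, cache_text.splitlines()) if m]


if __name__ == "__main__":
    for (client, dest), n in failed_bump_destinations(ACCESS_LOG).items():
        print(f"{client} -> {dest}: {n} zero-byte bumped CONNECTs")
    for fd, code, alert in tls_alerts(CACHE_LOG):
        print(f"FD {fd}: OpenSSL {code}, TLS alert '{alert}'")
```

Destinations that show up repeatedly here, paired with an "unknown ca" alert at the same second, are the candidates to review for a splice/no-bump exception rather than more certificate fiddling.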