[squid-users] squid https intercept mode and ubuntu third party repositories issue

Amos Jeffries squid3 at treenet.co.nz
Tue Sep 20 10:28:15 UTC 2016


On 20/09/2016 4:42 a.m., Hardik Dangar wrote:
> Hello,
> 
> I am using squid 3.5.12(detailed version info is below) on Ubuntu 16.04.1
> LTS server. My squid config is at, http://pastebin.com/raw/b8RZ67u9
> 
> I have configured squid as intercept proxy bumping all SSL https
> connections. Setup is working fine for many things like browsing,
> even on command line like wget I can download via https as I have installed
> root certificate within my client os.
> 
> My issue is whenever I try to add extra repository via command, i.e.
> sudo add-apt-repository ppa:ondrej/php
> command fails with output "Cannot add PPA: 'ppa:~ondrej/ubuntu/php'.ERROR:
> '~ondrej' user or team does not exist." and in squid's cache and access.log
> following entries can be located for this request,
> 
> ==> /var/log/squid/access.log <==
> 1474302162.378    439 192.168.1.66 TAG_NONE/200 0 CONNECT 91.189.89.223:443
> - ORIGINAL_DST/91.189.89.223 -
> 
> ==> /var/log/squid/cache.log <==
> 2016/09/19 21:52:42 kid1| Error negotiating SSL connection on FD 21:
> error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0)
> 2016/09/19 21:52:42 kid1| hold write on SSL connection on FD 22
> 
> ==> /var/log/squid/access.log <==
> 1474302162.885    403 192.168.1.66 TAG_NONE/200 0 CONNECT 91.189.89.223:443
> - ORIGINAL_DST/91.189.89.223 -
> 
> ==> /var/log/squid/cache.log <==
> 2016/09/19 21:52:42 kid1| Error negotiating SSL connection on FD 21:
> error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0)
> 
> in the above output 192.168.1.66 is my client requesting that request and
> as you can see in cache.log there is certificate negotiation error. I have
> tried to fiddle with all options provided at http://wiki.squid-cache.org/
> ConfigExamples/Intercept/SslBumpExplicit but it seems I am out of luck
> after almost half of my day battling this issue.
> 
> Can someone tell me they are successful with this issue? If so, can you
> share your squid.conf relevant section?
> 
> $ squid -v
> Squid Cache: Version 3.5.12

Ubuntu Squid package does not build with SSL functionality.

When re-building your Squid with SSL-Bump features it is important to
always use the very latest Squid release. SSL/TLS and bumping are part
of an ongoing arms race situation. Things are constantly changing and
software from as little as a year ago is unlikely to work 100% well with
intercepting ('bumping') encryption from today.

First thing to try is to rebuild with squid 3.5.20 or .21 and see if the
problem remains.

Amos
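Triage helper for the two log views quoted in the question, added here as an illustration and not part of the thread or of Squid itself: it parses native-format access.log lines for bumped CONNECTs (TAG_NONE/200) that moved zero bytes, and cache.log lines for the TLS alert Squid recorded while negotiating, so a defender can see which client/destination pairs are being bumped and immediately torn down. The sample log lines are constructed in the shape of the ones quoted above; the function and variable names are my own.

```python
import re
from collections import Counter

# Constructed samples, shaped like the access.log and cache.log excerpts in the question
# (the wrapped access.log lines are joined back onto one line each).
ACCESS_LOG = """\
1474302162.378    439 192.168.1.66 TAG_NONE/200 0 CONNECT 91.189.89.223:443 - ORIGINAL_DST/91.189.89.223 -
1474302162.885    403 192.168.1.66 TAG_NONE/200 0 CONNECT 91.189.89.223:443 - ORIGINAL_DST/91.189.89.223 -
1474302170.101    812 192.168.1.66 TCP_MISS/200 5123 GET https://example.test/index.html - ORIGINAL_DST/203.0.113.5 text/html
"""
CACHE_LOG = """\
2016/09/19 21:52:42 kid1| Error negotiating SSL connection on FD 21: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0)
2016/09/19 21:52:42 kid1| hold write on SSL connection on FD 22
2016/09/19 21:52:42 kid1| Error negotiating SSL connection on FD 21: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0)
"""

# Squid native access.log: time elapsed client code/status bytes method url user hier/peer type
ACCESS_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)/(?P<status>\d+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$"
)
# cache.log negotiation failure; captures the TLS alert reason (e.g. "unknown ca").
ALERT_RE = re.compile(r"Error negotiating SSL connection on FD (?P<fd>\d+): .*alert (?P<alert>[a-z ]+?) \(")

def empty_bumped_connects(access_text):
    """Count bumped CONNECTs (TAG_NONE/200) that transferred zero bytes, per (client, destination)."""
    hits = Counter()
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if m and m["method"] == "CONNECT" and m["code"] == "TAG_NONE" and int(m["bytes"]) == 0:
            hits[(m["client"], m["url"])] += 1
    return hits

def tls_alerts(cache_text):
    """Count TLS alert reasons Squid logged while negotiating a bumped connection."""
    return Counter(m["alert"] for m in map(ALERT_RE.search, cache_text.splitlines()) if m)

def triage(access_text, cache_text):
    """Pair the two views into findings: tunnels with no payload, and the alerts seen meanwhile."""
    findings = []
    for (client, dst), n in empty_bumped_connects(access_text).items():
        findings.append(f"{client} -> {dst}: {n} bumped CONNECT(s) with 0 bytes transferred")
    for alert, n in tls_alerts(cache_text).items():
        findings.append(f"TLS alert '{alert}' seen {n} time(s) during bump negotiation")
    return findings

if __name__ == "__main__":
    for f in triage(ACCESS_LOG, CACHE_LOG):
        print(f)
```

A recurring 0-byte TAG_NONE/200 CONNECT to one destination alongside an "unknown ca" alert is the signature to look for when a single client tool fails under bumping while browsers on the same host succeed.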


