[squid-users] squid https intercept mode and ubuntu third party repositories issue

Hardik Dangar hardikdangar+squid at gmail.com
Tue Sep 20 11:59:11 UTC 2016


Amos,
Thank you for your reply.
I have version 3.5.12 compiled with Debian rules example provided here,
http://docs.diladele.com/administrator_guide_4_5/install/ubuntu14/tools.html

Do you think I could patch squid from 3.5.12 to 3.5.21 via the patches
available at http://www.squid-cache.org/Versions/v3/3.5/
Or could I download the tar.gz file and copy the files from that folder over
the Debian source folder?

Do I need any extra tools to build squid 3.5.21?


On Tue, Sep 20, 2016 at 3:58 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 20/09/2016 4:42 a.m., Hardik Dangar wrote:
> > Hello,
> >
> > I am using squid 3.5.12(detailed version info is below) on Ubuntu 16.04.1
> > LTS server. My squid config is at, http://pastebin.com/raw/b8RZ67u9
> >
> > I have configured squid as an intercept proxy bumping all SSL https
> > connections. Setup is working fine for many things like browsing,
> > even on the command line with wget I can download via https as I have
> > installed the root certificate within my client OS.
> >
> > My issue is whenever I try to add an extra repository via a command, i.e.
> > sudo add-apt-repository ppa:ondrej/php
> > the command fails with output "Cannot add PPA: 'ppa:~ondrej/ubuntu/php'. ERROR:
> > '~ondrej' user or team does not exist." and in squid's cache.log and access.log
> > the following entries can be located for this request,
> >
> > ==> /var/log/squid/access.log <==
> > 1474302162.378    439 192.168.1.66 TAG_NONE/200 0 CONNECT 91.189.89.223:443 - ORIGINAL_DST/91.189.89.223 -
> >
> > ==> /var/log/squid/cache.log <==
> > 2016/09/19 21:52:42 kid1| Error negotiating SSL connection on FD 21:
> > error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0)
> > 2016/09/19 21:52:42 kid1| hold write on SSL connection on FD 22
> >
> > ==> /var/log/squid/access.log <==
> > 1474302162.885    403 192.168.1.66 TAG_NONE/200 0 CONNECT 91.189.89.223:443 - ORIGINAL_DST/91.189.89.223 -
> >
> > ==> /var/log/squid/cache.log <==
> > 2016/09/19 21:52:42 kid1| Error negotiating SSL connection on FD 21:
> > error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0)
> >
> > in the above output 192.168.1.66 is my client making that request and
> > as you can see in cache.log there is a certificate negotiation error. I have
> > tried to fiddle with all options provided at
> > http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit but it seems I am out of luck
> > after almost half of my day battling this issue.
> >
> > Can someone tell me if they have been successful with this issue? If so, can you
> > share the relevant section of your squid.conf?
> >
> > $ squid -v
> > Squid Cache: Version 3.5.12
>
> Ubuntu Squid package does not build with SSL functionality.
>
> When re-building your Squid with SSL-Bump features it is important to
> always use the very latest Squid release. SSL/TLS and bumping are part
> of an ongoing arms race situation. Things are constantly changing and
> software from as little as a year ago is unlikely to work 100% well with
> intercepting ('bumping') encryption from today.
>
> First thing to try is to rebuild with squid 3.5.20 or .21 and see if the
> problem remains.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
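As an added example (not from the thread or from the Squid project), a small Python check that correlates the two log formats quoted above: a bumped CONNECT logged as TAG_NONE/200 with 0 bytes, paired with a "tlsv1 alert unknown ca" negotiation error in cache.log at about the same moment, means the client rejected the certificate Squid generated for it, so that client (or the tool it ran, here add-apt-repository) does not trust the bump CA. The sample lines are constructed to match the thread's format, and the +05:30 offset between the epoch timestamps in access.log and the local times in cache.log is an assumption derived from the lines quoted here.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines modelled on the squid 3.5 native access.log and
# cache.log lines quoted in the thread (not real captures).
ACCESS_LOG = """\
1474302162.378    439 192.168.1.66 TAG_NONE/200 0 CONNECT 91.189.89.223:443 - ORIGINAL_DST/91.189.89.223 -
1474302162.885    403 192.168.1.66 TAG_NONE/200 0 CONNECT 91.189.89.223:443 - ORIGINAL_DST/91.189.89.223 -
1474302170.120    512 192.168.1.70 TCP_MISS/200 5120 GET https://example.com/ - ORIGINAL_DST/93.184.216.34 text/html
"""
CACHE_LOG = """\
2016/09/19 21:52:42 kid1| Error negotiating SSL connection on FD 21: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0)
2016/09/19 21:52:42 kid1| hold write on SSL connection on FD 22
2016/09/19 21:52:42 kid1| Error negotiating SSL connection on FD 21: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0)
"""

# Native access.log: epoch, elapsed ms, client, code/status, bytes, method, URL, ...
ACCESS_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)/(?P<status>\d+)"
    r"\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)")
# cache.log: local timestamp, kid, and the OpenSSL error for the client-side alert.
CACHE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) kid\d+\| Error negotiating SSL "
    r"connection on FD \d+: .*tlsv1 alert unknown ca")

def parse_bumped_connects(text):
    """Return (epoch, client, destination) for CONNECTs that carried no bytes."""
    out = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m and m["method"] == "CONNECT" and m["code"] == "TAG_NONE" and m["bytes"] == "0":
            out.append((float(m["ts"]), m["client"], m["url"]))
    return out

def parse_unknown_ca_alerts(text, utc_offset):
    """Return epoch timestamps of 'unknown ca' alerts; cache.log uses local time."""
    tz = timezone(utc_offset)
    out = []
    for line in text.splitlines():
        m = CACHE_RE.match(line)
        if m:
            local = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S").replace(tzinfo=tz)
            out.append(local.timestamp())
    return out

def untrusting_clients(access_text, cache_text,
                       utc_offset=timedelta(hours=5, minutes=30), window=2.0):
    """Map (client, destination) -> count of bumped CONNECTs the client aborted
    with an 'unknown ca' alert within `window` seconds. utc_offset is assumed."""
    alerts = parse_unknown_ca_alerts(cache_text, utc_offset)
    findings = {}
    for ts, client, dest in parse_bumped_connects(access_text):
        if any(abs(ts - a) <= window for a in alerts):
            findings[(client, dest)] = findings.get((client, dest), 0) + 1
    return findings
```

A non-empty result for a client that browses fine otherwise points at a tool with its own trust store rather than at the proxy, which is the situation described in the thread.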