[squid-users] 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

David Touzeau david at articatech.com
Thu Apr 27 20:27:47 UTC 2017


Hi Yuri

I did not know if Squid has the Symantec intermediate certificate.
Squid is installed as default...
Any howto?


-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of Yuri Voinov
Sent: Thursday 27 April 2017 22:09
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Look. It can be an intermediate certificates issue.

Does Squid have the Symantec intermediate certificates?


27.04.2017 22:47, David Touzeau wrote:
> Hi,
> I'm unable to access the https://www.boutique.afnor.org website.
> I would like to know if this issue cannot be fixed and I must deny bumping the
> website to fix it.
> Without Squid the website is correctly displayed.
>
> Squid claims an error page with "(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)"
>
> In cache.log: "Error negotiating SSL on FD 17: error:00000000:lib(0):func(0):reason(0) (5/0/0)"
>
> Using the following configuration:
>
> http_port 0.0.0.0:3128 name=MyPortNameID20 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/0c451f46b4d05031560d8195f30165cb.dyn
> sslproxy_foreign_intermediate_certs /etc/squid3/intermediate_ca.pem
> sslcrtd_program /lib/squid3/ssl_crtd -s /var/lib/squid/session/ssl/ssl_db -M 8MB
> sslcrtd_children 16 startup=5 idle=1
> acl FakeCert ssl::server_name .apple.com
> acl FakeCert ssl::server_name .icloud.com
> acl FakeCert ssl::server_name .mzstatic.com
> acl FakeCert ssl::server_name .dropbox.com
> acl ssl_step1 at_step SslBump1
> acl ssl_step2 at_step SslBump2
> acl ssl_step3 at_step SslBump3
> ssl_bump peek ssl_step1
> ssl_bump splice FakeCert
> ssl_bump bump ssl_step2 all
> ssl_bump splice all
>
> sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
> sslproxy_cipher ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
> sslproxy_flags DONT_VERIFY_PEER
> sslproxy_cert_error allow all
>
>
>
> Openssl info
> ------------------------------------------------------------------------------
>
> openssl s_client -connect 195.115.26.58:443 -showcerts
>
> CONNECTED(00000003)
> depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
> verify return:1
> depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
> verify return:1
> depth=0 C = FR, ST = Seine Saint Denis, L = ST DENIS, O = ASSOCIATION FRANCAISE DE NORMALISATION, OU = ASSOCIATION FRANCAISE DE NORMALISATION, CN = www.boutique.afnor.org
> verify return:1
> ---
> Certificate chain
>  0 s:/C=FR/ST=Seine Saint Denis/L=ST DENIS/O=ASSOCIATION FRANCAISE DE NORMALISATION/OU=ASSOCIATION FRANCAISE DE NORMALISATION/CN=www.boutique.afnor.org
>    i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
> -----BEGIN CERTIFICATE-----
> ../..
> -----END CERTIFICATE-----
>  1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
>    i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
> -----BEGIN CERTIFICATE-----
> ../..
> -----END CERTIFICATE-----
> ---
> Server certificate
> subject=/C=FR/ST=Seine Saint Denis/L=ST DENIS/O=ASSOCIATION FRANCAISE DE NORMALISATION/OU=ASSOCIATION FRANCAISE DE NORMALISATION/CN=www.boutique.afnor.org
> issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 3105 bytes and written 616 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES128-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : AES128-SHA
>     Session-ID: 833B0000A2346F50C5AAFC6B5188B4EBD9304CD25411BECFF0713F8D76C65D9D
>     Session-ID-ctx:
>     Master-Key: D2DF6C62264D03D7D44AF44EB8C0B1B7AD0E650D34DF6EBEB1CBEBFE4F30CB9C6F5080AA94F5D6B5955DD8DF06608416
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1493311275
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
> read:errno=0
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

--
Bugs to the Future
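Editor's note: the check behind Yuri's question ("does Squid have the Symantec intermediate?") can be scripted with the same openssl CLI the thread already uses. The script below is an added example, not code from the thread or from the Squid project. It builds a throwaway root -> intermediate -> leaf chain under hypothetical names (this is not the AFNOR/Symantec chain), then shows that `openssl verify` fails when only the root is trusted and succeeds once the intermediate is supplied as an extra untrusted certificate, which is the role a bundle given to `sslproxy_foreign_intermediate_certs` plays. It also checks whether a bundle file actually contains the leaf's issuer. `www.example.test`, `Example Root CA`, `Example Intermediate CA` and the file names are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Squid project.
# Hypothetical CA names and file names; nothing here is the real AFNOR/Symantec chain.

# Create root.pem, int.pem and leaf.pem (with keys) in directory $1.
make_chain() {
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$dir/leaf.ext"

    # Self-signed root CA.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 2 -sha256 \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" >/dev/null 2>&1 || return 1

    # Intermediate CA signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Intermediate CA" \
        -keyout "$dir/int.key" -out "$dir/int.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$dir/ca.ext" -out "$dir/int.pem" >/dev/null 2>&1 || return 1

    # Server (leaf) certificate signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=www.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" >/dev/null 2>&1 || return 1
}

# Exit 0 when LEAF ($2) chains to a root in CAFILE ($1). The optional BUNDLE ($3)
# is passed as extra untrusted certificates, i.e. the job a foreign-intermediates
# file does for Squid: it may complete the chain but is never trusted by itself.
chain_verifies() {
    cafile=$1; leaf=$2; bundle=${3:-}
    if [ -n "$bundle" ]; then
        openssl verify -CAfile "$cafile" -untrusted "$bundle" "$leaf" >/dev/null 2>&1
    else
        openssl verify -CAfile "$cafile" "$leaf" >/dev/null 2>&1
    fi
}

# Exit 0 when the issuer DN of LEAF ($1) equals the subject of some cert in BUNDLE ($2).
# Subject and issuer are printed by the same openssl build, so plain string comparison works.
issuer_in_bundle() {
    leaf=$1; bundle=$2
    want=$(openssl x509 -noout -issuer -in "$leaf" 2>/dev/null | sed 's/^issuer= *//')
    tmp=$(mktemp -d) || return 1
    # Split the PEM bundle into one file per certificate.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/" n ".pem")}' "$bundle"
    found=1
    for c in "$tmp"/*.pem; do
        [ -f "$c" ] || continue
        got=$(openssl x509 -noout -subject -in "$c" 2>/dev/null | sed 's/^subject= *//')
        if [ -n "$got" ] && [ "$got" = "$want" ]; then found=0; break; fi
    done
    rm -rf "$tmp"
    return $found
}

# Real-world use (needs network, not exercised offline): capture every certificate
# a server sends, the way the thread did with `openssl s_client -showcerts`, into $2.
# $1 is host:port; SNI is set from the host part.
fetch_chain() {
    openssl s_client -connect "$1" -servername "${1%%:*}" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$2"
}

# Offline demonstration: a bundle that only repeats the root does not complete
# the chain; a bundle holding the real intermediate does.
demo() {
    work=$(mktemp -d) || return 1
    make_chain "$work" || { rm -rf "$work"; return 1; }
    cp "$work/root.pem" "$work/wrong_bundle.pem"
    cp "$work/int.pem"  "$work/intermediate_ca.pem"
    for b in wrong_bundle.pem intermediate_ca.pem; do
        if issuer_in_bundle "$work/leaf.pem" "$work/$b" && \
           chain_verifies "$work/root.pem" "$work/leaf.pem" "$work/$b"; then
            echo "$b: completes the chain"
        else
            echo "$b: does NOT complete the chain"
        fi
    done
    rm -rf "$work"
}

demo
```

Against a live site the same functions apply: `fetch_chain www.boutique.afnor.org:443 chain.pem`, take the first certificate out of `chain.pem` as the leaf, and run `issuer_in_bundle leaf.pem /etc/squid3/intermediate_ca.pem` followed by `chain_verifies /etc/ssl/certs/ca-certificates.crt leaf.pem /etc/squid3/intermediate_ca.pem` (CA bundle path assumed; adjust for the distribution). Two caveats a practitioner would want: the s_client output quoted above already shows the server sending the Symantec intermediate itself and OpenSSL reporting `Verify return code: 0 (ok)`, and the posted squid.conf sets `sslproxy_flags DONT_VERIFY_PEER` together with `sslproxy_cert_error allow all`, so in that configuration a verification failure on its own is not what Squid has been told to reject.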
