[squid-users] 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

David Touzeau david at articatech.com
Thu Apr 27 21:12:07 UTC 2017


Thanks Yuri! But I still have the error "Error negotiating SSL on FD 13:
error:00000000:lib(0):func(0):reason(0) (5/0/0)" and cannot browse to the site
(as I've seen you can with your Squid...???)

Created a file /etc/squid3/cabundle.pem

Added Symantec certificates available here:
https://knowledge.symantec.com/kb/index?page=content&actp=CROSSLINK&id=INFO2047

added

sslproxy_foreign_intermediate_certs  /etc/squid3/cabundle.pem

and performed a squid -k reconfigure

Missing something ???

Best regards

-----Original Message-----
From: Yuri Voinov [mailto:yvoinov at gmail.com]
Sent: Thursday, 27 April 2017 22:52
To: David Touzeau <david at articatech.com>; squid-users at lists.squid-cache.org
Subject: Re: [squid-users] 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Squid can't have any intermediate certificates, nor root CAs.

You can use this:

#  TAG: sslproxy_foreign_intermediate_certs
#    Many origin servers fail to send their full server certificate
#    chain for verification, assuming the client already has or can
#    easily locate any missing intermediate certificates.
#
#    Squid uses the certificates from the specified file to fill in
#    these missing chains when trying to validate origin server
#    certificate chains.
#
#    The file is expected to contain zero or more PEM-encoded
#    intermediate certificates. These certificates are not treated
#    as trusted root certificates, and any self-signed certificate in
#    this file will be ignored.
#Default:
# none

However, you should identify and collect them by yourself.

The biggest problem:

Unlike root CAs, which can be taken from Mozilla's, intermediate CAs are
spread across CA providers, have a much shorter validity period (in most cases
up to 5-7 years) and, for this reason, should be continuously maintained by the
proxy admin.

Also, remove this:

sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_error allow all

From your config. Don't. Never. This completely disables ANY security
checks for certificates, which leads to a giant vulnerability for your users.
sslproxy_cert_error should be restricted by very specific ACL(s) in your
config, only for the small number of sites you trust.

On 28.04.2017 2:27, David Touzeau wrote:
> Hi yuri
>
> I did not know if Squid has the Symantec intermediate certificate. Squid
> is installed as default...
> Any howto?
>
>
> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Yuri Voinov
> Sent: Thursday, 27 April 2017 22:09
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
>
> Look. It can be intermediate certificates issue.
>
> Does Squid have Symantec intermediate certificates?
>
>
> On 27.04.2017 22:47, David Touzeau wrote:
>> Hi,
>> I'm unable to access the https://www.boutique.afnor.org website.
>> I would like to know if this issue cannot be fixed and I must deny bumping
>> the website to fix it.
>> Without Squid the website is displayed correctly.
>>
>> Squid claims an error page with "(71) Protocol error (TLS code:
>> SQUID_ERR_SSL_HANDSHAKE)"
>>
>> In cache.log: "Error negotiating SSL on FD 17:
>> error:00000000:lib(0):func(0):reason(0) (5/0/0)"
>>
>> Using the following configuration:
>>
>> http_port 0.0.0.0:3128 name=MyPortNameID20 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/0c451f46b4d05031560d8195f30165cb.dyn
>> sslproxy_foreign_intermediate_certs /etc/squid3/intermediate_ca.pem
>> sslcrtd_program /lib/squid3/ssl_crtd -s /var/lib/squid/session/ssl/ssl_db -M 8MB
>> sslcrtd_children 16 startup=5 idle=1
>> acl FakeCert ssl::server_name .apple.com
>> acl FakeCert ssl::server_name .icloud.com
>> acl FakeCert ssl::server_name .mzstatic.com
>> acl FakeCert ssl::server_name .dropbox.com
>> acl ssl_step1 at_step SslBump1
>> acl ssl_step2 at_step SslBump2
>> acl ssl_step3 at_step SslBump3
>> ssl_bump peek ssl_step1
>> ssl_bump splice FakeCert
>> ssl_bump bump ssl_step2 all
>> ssl_bump splice all
>>
>> sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
>> sslproxy_cipher ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
>> sslproxy_flags DONT_VERIFY_PEER
>> sslproxy_cert_error allow all
>>
>>
>>
>> Openssl info
>> ---------------------------------------------------------------------
>>
>> openssl s_client -connect 195.115.26.58:443 -showcerts
>>
>> CONNECTED(00000003)
>> depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU
>> = "(c)
>> 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3
>> Public Primary Certification Authority - G5 verify return:1
>> depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust
>> Network, CN = Symantec Class 3 Secure Server CA - G4 verify return:1
>> depth=0 C = FR, ST = Seine Saint Denis, L = ST DENIS, O = ASSOCIATION
>> FRANCAISE DE NORMALISATION, OU = ASSOCIATION FRANCAISE DE
>> NORMALISATION, CN = www.boutique.afnor.org verify return:1
>> ---
>> Certificate chain
>>  0 s:/C=FR/ST=Seine Saint Denis/L=ST DENIS/O=ASSOCIATION FRANCAISE DE
>> NORMALISATION/OU=ASSOCIATION FRANCAISE DE
>> NORMALISATION/CN=www.boutique.afnor.org
>>    i:/C=US/O=Symantec Corporation/OU=Symantec Trust
>> Network/CN=Symantec Class 3 Secure Server CA - G4 -----BEGIN
>> CERTIFICATE----- ../..
>> -----END CERTIFICATE-----
>>  1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust
>> Network/CN=Symantec Class 3 Secure Server CA - G4
>>    i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
>> VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
>> Primary Certification Authority - G5 -----BEGIN CERTIFICATE----- ../..
>> -----END CERTIFICATE-----
>> ---
>> Server certificate
>> subject=/C=FR/ST=Seine Saint Denis/L=ST DENIS/O=ASSOCIATION FRANCAISE
>> DE NORMALISATION/OU=ASSOCIATION FRANCAISE DE
>> NORMALISATION/CN=www.boutique.afnor.org
>> issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust
>> Network/CN=Symantec Class 3 Secure Server CA - G4
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 3105 bytes and written 616 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is AES128-SHA
>> Server public key is 2048 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>>     Protocol  : TLSv1
>>     Cipher    : AES128-SHA
>>     Session-ID: 833B0000A2346F50C5AAFC6B5188B4EBD9304CD25411BECFF0713F8D76C65D9D
>>     Session-ID-ctx:
>>     Master-Key: D2DF6C62264D03D7D44AF44EB8C0B1B7AD0E650D34DF6EBEB1CBEBFE4F30CB9C6F5080AA94F5D6B5955DD8DF06608416
>>     Key-Arg   : None
>>     PSK identity: None
>>     PSK identity hint: None
>>     SRP username: None
>>     Start Time: 1493311275
>>     Timeout   : 300 (sec)
>>     Verify return code: 0 (ok)
>> ---
>> read:errno=0
>>
>>
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
> --
> Bugs to the Future
>

--
Bugs to the Future
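Since Yuri's advice above is that the sslproxy_foreign_intermediate_certs bundle must be collected and kept current by the proxy admin, here is an added example (not code from this thread or from the Squid project) of a small POSIX shell script that audits such a bundle: for every certificate in the file it prints subject, issuer and expiry, flags self-signed entries (which Squid ignores in that file, per the directive's documentation) and entries expiring within WARN_DAYS days. It assumes the openssl CLI is installed; the function names and the WARN_DAYS variable are my own.

```shell
#!/bin/sh
# Audit a Squid sslproxy_foreign_intermediate_certs bundle (added example,
# not from the thread). Requires the openssl CLI; names here are assumptions.
#
# Output: one line per certificate, "STATUS|subject|issuer|notAfter", where
# STATUS is SELF-SIGNED (a root; ignored by Squid in this file), EXPIRING
# (ends within WARN_DAYS days, so the admin must replace it) or OK.

WARN_DAYS=${WARN_DAYS:-90}

audit_bundle() {
    bundle=$1
    tmpdir=$(mktemp -d) || return 1
    # Split the PEM file into one file per certificate; text outside the
    # BEGIN/END markers (comments, "subject=" lines) is dropped.
    awk -v d="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
        inside { print > (d "/cert" n ".pem") }
        /-----END CERTIFICATE-----/ { inside = 0; close(d "/cert" n ".pem") }
    ' "$bundle"
    for f in "$tmpdir"/cert*.pem; do
        [ -f "$f" ] || continue
        # sed strips the "subject=" / "issuer=" prefix (OpenSSL 1.0 and 1.1+ formats).
        subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
        issuer=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer= *//')
        enddate=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
        if [ "$subj" = "$issuer" ]; then
            status=SELF-SIGNED
        elif ! openssl x509 -in "$f" -noout -checkend $((WARN_DAYS * 86400)) >/dev/null; then
            status=EXPIRING
        else
            status=OK
        fi
        printf '%s|%s|%s|%s\n' "$status" "$subj" "$issuer" "$enddate"
    done
    rm -rf "$tmpdir"
}

# Number of bundle entries with the given STATUS (e.g. EXPIRING).
count_status() {
    audit_bundle "$1" | grep -c "^$2|"
}

# Usage: audit_bundle /etc/squid3/cabundle.pem
```

Run it from cron and alert on any EXPIRING line; a SELF-SIGNED line means a root was pasted into the intermediate file, where Squid will silently ignore it.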


