[squid-users] SSL3_GET_SERVER_CERTIFICATE failed

Yuri yvoinov at gmail.com
Mon Dec 11 11:59:22 UTC 2017


In practice, POST URLs are always better spliced. This prevents many errors.

SSL3_GET_SERVER_CERTIFICATE itself means that some client application
trying to establish a secure connection uses the old SSLv3 protocol. These
applications are also better spliced, if it is not possible to upgrade
them (often it is not possible).


11.12.2017 7:06, G~D~Lunatic wrote:
> My squid is a transparent proxy.
> When I use the WeChat client to upload a file or picture, it fails.
> The access.log shows:
> 1512953345.798     75 192.168.51.15 TAG_NONE/200 0 CONNECT 111.206.23.97:443 - ORIGINAL_DST/111.206.23.97 -
> 1512953345.805      0 192.168.51.15 TAG_NONE/503 4380 POST https://msg.71.am/v5/ypt/hcdn_multicurl - HIER_NONE/- text/html
> 1512953349.713     10 192.168.51.15 TAG_NONE/200 0 CONNECT 101.226.152.108:443 - HIER_NONE/- -
> 1512953350.931     10 192.168.51.15 TAG_NONE/200 0 CONNECT 123.151.76.49:443 - HIER_NONE/- -
> 1512953354.059     11 192.168.51.15 TAG_NONE/200 0 CONNECT 123.151.76.49:443 - HIER_NONE/- -
>
> I used Wireshark to capture the packets, and an Encrypted Alert was shown.
> I want to know where the problem is or what I can do.
> Here is my configuration:
>
> https_port 192.168.51.200:3129 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem key=/usr/local/squid/ssl_cert/myCA.pem options=NO_SSLv3,NO_SSLv2
>
>
> acl broken_sites ssl::server_name matchweb.sports.qq.com
> acl ssl_step1 at_step SslBump1
> acl ssl_step2 at_step SslBump2
> acl ssl_step3 at_step SslBump3
> ssl_bump splice broken_sites
> #ssl_bump splice all
> ssl_bump stare ssl_step1
> ssl_bump bump ssl_step2
> ssl_bump terminate ssl_step3

-- 
"Some people, when confronted with a problem, think «I know, I'll use regular expressions.» Now they have two problems."
--Jamie Zawinski

**************************
* C++: Bug to the future *
**************************
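
One way to pick hostnames to consider for the `broken_sites` splice ACL from the access.log in the quoted report, as an added example that is not part of either poster's message: it lists bumped requests that Squid answered with its own 5xx error. The function names are hypothetical, the sample log is the quoted records one per line, and the native access.log field order is assumed.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: the access.log records from the quoted report,
# one record per line, in Squid's native log format.
SAMPLE_LOG = """\
1512953345.798     75 192.168.51.15 TAG_NONE/200 0 CONNECT 111.206.23.97:443 - ORIGINAL_DST/111.206.23.97 -
1512953345.805      0 192.168.51.15 TAG_NONE/503 4380 POST https://msg.71.am/v5/ypt/hcdn_multicurl - HIER_NONE/- text/html
1512953349.713     10 192.168.51.15 TAG_NONE/200 0 CONNECT 101.226.152.108:443 - HIER_NONE/- -
1512953350.931     10 192.168.51.15 TAG_NONE/200 0 CONNECT 123.151.76.49:443 - HIER_NONE/- -
1512953354.059     11 192.168.51.15 TAG_NONE/200 0 CONNECT 123.151.76.49:443 - HIER_NONE/- -
""".splitlines()


def parse_line(line):
    """Split one native-format access.log line into named fields, or None."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3]:
        return None
    _, _, status = f[3].rpartition("/")
    if not status.isdigit():
        return None
    return {"client": f[2], "status": int(status), "method": f[5],
            "url": f[6], "hier": f[8].split("/")[0]}


def splice_candidates(lines):
    """Count (host, last CONNECT target) pairs for bumped requests that
    Squid failed with a 5xx without forwarding them to any server."""
    last_connect = {}  # client IP -> most recent CONNECT destination
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "CONNECT":
            last_connect[rec["client"]] = rec["url"]
            continue
        url = urlsplit(rec["url"])
        # An https:// URL is only logged for decrypted (bumped) traffic;
        # HIER_NONE means the request was not forwarded upstream.
        if url.scheme == "https" and rec["status"] >= 500 and rec["hier"] == "HIER_NONE":
            hits[(url.hostname, last_connect.get(rec["client"], "-"))] += 1
    return hits


def acl_lines(hits, acl_name="broken_sites"):
    """Render candidates as ACL lines in the form the quoted config uses."""
    return [f"acl {acl_name} ssl::server_name {h}"
            for h in sorted({host for host, _ in hits})]
```
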
