[squid-users] Squid Version 3.5.20 Any Ideas

Yuri yvoinov at gmail.com
Wed Jul 19 21:10:10 UTC 2017


Aha,


20.07.2017 3:04, Cherukuri, Naresh writes:
>
> Yuri,
>
>  
>
> I am sorry, I didn't get you. I already installed the certificate on all
> clients (trusted root certificate authorities). You want me to install the
> proxy public key also on the clients? If so, where should I put the proxy
> public key? Below is my squid.conf file.
>
>  
>
> Squid.conf
>
> key=/etc/squid/pctysquid2sslcerts/pctysquid2prod.pkey \ proxy ca
> public key??
>
This is the proxy's private key AFAIK.
>
> cert=/etc/squid/pctysquid2sslcerts/pctysquid2prod.crt \(installed
> certificate on IE all clients as a trusted root certificate authorities)
>
Yes, if it is installed on the clients, this is ok.

So, the only reason I can see is that the proxy can't see the OpenSSL CA bundle.

To make it work you should add one of these to your squid's config:

#  TAG: sslproxy_cafile
#    file containing CA certificates to use when verifying server
#    certificates while proxying https:// URLs
#Default:
# none

#  TAG: sslproxy_capath
#    directory containing CA certificates to use when verifying
#    server certificates while proxying https:// URLs
#Default:
# none

The proxy should also know about the CAs used for connection verification.

>  
>
>  
>
> *From:*Yuri [mailto:yvoinov at gmail.com]
> *Sent:* Wednesday, July 19, 2017 4:55 PM
> *To:* Cherukuri, Naresh; squid-users at lists.squid-cache.org
> *Subject:* Re: [squid-users] Squid Version 3.5.20 Any Ideas
>
>  
>
> No. Only the proxy's CA public key. The private key should remain on the proxy only.
>
>  
>
> 20.07.2017 2:49, Cherukuri, Naresh writes:
>
>     Thanks Yuri for quick turnover!
>
>      
>
>     We only installed the root certificate on all clients. We didn't
>     install the proxy CA's public key on clients. So your suggestion to
>     fix that is that we need to install both the certificate and the
>     proxy CA's public key on clients.
>
>      
>
>     Thanks,
>
>     Naresh
>
>      
>
>     *From:*squid-users
>     [mailto:squid-users-bounces at lists.squid-cache.org] *On Behalf Of *Yuri
>     *Sent:* Wednesday, July 19, 2017 2:25 PM
>     *To:* squid-users at lists.squid-cache.org
>     <mailto:squid-users at lists.squid-cache.org>
>     *Subject:* Re: [squid-users] Squid Version 3.5.20 Any Ideas
>
>      
>
>     One out of two. Either the Squid does not see the OpenSSL/system
>     root CAs bundle, or the proxy CA's public key is not installed in
>     the clients. It's all.
>
>      
>
>     19.07.2017 23:30, Walter H. writes:
>
>         Hello,
>
>         this seems not to be the problem, as the error messages are in
>         cache.log, which is not a browser problem ...
>
>         the question: are the SSL bumped sites in intranet, which use
>         a self signed CA cert itself, which squid doesn't know?
>
>         On 19.07.2017 17:36, Yuri wrote:
>
>         http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
>
>         http://i.imgur.com/A153C7A.png
>
>          
>
>         19.07.2017 21:34, Cherukuri, Naresh writes:
>
>             Hi All,
>
>              
>
>             I installed Squid version 3.5.20 on RHEL 7 and generated
>             self-signed CA certificates. My users are complaining
>             about certificate errors. When I looked at cache.log I see
>             so many error messages like the ones below. Below is my
>             squid.conf file. Any ideas how to address the errors below?
>
>
>             Cache.log
>
>             2017/07/18 16:05:34 kid1| Error negotiating SSL connection
>             on FD 689: error:14094416:SSL
>             routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>             (1/0)
>
>             2017/07/18 16:05:34 kid1| Error negotiating SSL connection
>             on FD 1114: error:14094416:SSL
>             routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>             (1/0)
>
>             2017/07/18 16:05:37 kid1| Error negotiating SSL connection
>             on FD 146: error:14094416:SSL
>             routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>             (1/0)
>
>             2017/07/18 16:05:41 kid1| Error negotiating SSL connection
>             on FD 252: error:14094416:SSL
>             routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>             (1/0)
>
>             2017/07/18 16:05:41 kid1| Error negotiating SSL connection
>             on FD 36: error:14094416:SSL
>             routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>             (1/0)
>

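The thread boils down to two possible causes: Squid cannot verify the origin server (no CA bundle reachable via sslproxy_cafile/sslproxy_capath), or the client does not trust the proxy's CA and sends a TLS alert. The following added example (not from the thread or the Squid project) parses cache.log lines in the format quoted above and separates alerts received from the peer from verification failures raised locally; the log lines are constructed samples, and the second error code is included only for contrast.

```python
import re
from collections import Counter

# Constructed sample in the cache.log format quoted in the thread (not a real
# capture). The first three lines are the "certificate unknown" alert discussed
# above; the fourth is a locally raised verification failure for contrast.
SAMPLE_LOG = """\
2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 689: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 1114: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:37 kid1| Error negotiating SSL connection on FD 146: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 252: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1)
2017/07/18 16:05:41 kid1| Some unrelated log line
"""

# Timestamp, kid, FD, OpenSSL error code, textual reason and the (ret/err) pair.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<kid>kid\d+)\| "
    r"Error negotiating SSL connection on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]+):(?P<reason>.*?) \((?P<ret>-?\d+)/(?P<err>-?\d+)\)$"
)


def parse_ssl_errors(text):
    """Return one dict per 'Error negotiating SSL connection' line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["fd"] = int(event["fd"])
            events.append(event)
    return events


def is_peer_alert(event):
    """True when OpenSSL reports an alert it received from the remote end of the
    connection (SSL3_READ_BYTES ... alert ...), i.e. the peer rejected the handshake.
    False for failures raised by Squid's own verification of the server certificate."""
    return "SSL3_READ_BYTES" in event["reason"] and "alert" in event["reason"]


def summarize(events):
    """Count events by error code, split into peer alerts and local verify failures."""
    counts = Counter()
    for e in events:
        kind = "peer_alert" if is_peer_alert(e) else "local_verify"
        counts[(kind, e["code"], e["reason"])] += 1
    return counts
```

Running summarize(parse_ssl_errors(open("/var/log/squid/cache.log").read())) on a real log shows at a glance which of the two causes dominates.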