[squid-users] Squid Version 3.5.20 Any Ideas

Yuri yvoinov at gmail.com
Wed Jul 19 21:15:14 UTC 2017



20.07.2017 3:09, Cherukuri, Naresh wrote:
>
> Yuri,
>
>  
>
> I am new to Squid; I learned it through searching Google. My question
> is: I generated self-signed SSL certificates and installed the
> certificates on IE on all clients. I didn’t install the proxy public key.
> Can you tell me where I have to put the proxy public key on clients?
> Appreciate your help!
>
Ah. Based on my experience,

you need to take the *public* proxy key (not the private one; you use the
keypair to set up the ssl-bump configuration; do not confuse them) and
install it in at least two places on the client's PC:

1. Into the system trusted CA storage (used by IE/Chrome/some IM etc.)
2. Into Firefox's own storage (if applicable).
3. Sometimes it is also required to set up the proxy's CA public key in an
old JRE existing on clients. But AFAIK modern JRE uses the system CA storage
and this step is no longer required.

Actually, this should be enough.
>
>  
>
> Thanks,
>
> Naresh
>
>  
>
> *From:*Yuri [mailto:yvoinov at gmail.com]
> *Sent:* Wednesday, July 19, 2017 5:06 PM
> *To:* Cherukuri, Naresh; squid-users at lists.squid-cache.org
> *Subject:* Re: [squid-users] Squid Version 3.5.20 Any Ideas
>
>  
>
> Related OpenSSL public CA bundle - in theory it should be installed
> together with OpenSSL.
>
>  
>
> 20.07.2017 2:49, Cherukuri, Naresh wrote:
>
>     Thanks Yuri for quick turnover!
>
>      
>
>     We only installed the root certificate on all clients. We didn’t
>     install the proxy CA’s public key on clients. So your suggested fix
>     is that we need to install both the certificate and the proxy CA’s
>     public key on clients.
>
>      
>
>     Thanks,
>
>     Naresh
>
>      
>
>     *From:*squid-users
>     [mailto:squid-users-bounces at lists.squid-cache.org] *On Behalf Of *Yuri
>     *Sent:* Wednesday, July 19, 2017 2:25 PM
>     *To:* squid-users at lists.squid-cache.org
>     <mailto:squid-users at lists.squid-cache.org>
>     *Subject:* Re: [squid-users] Squid Version 3.5.20 Any Ideas
>
>      
>
>     One of two things. Either Squid does not see the OpenSSL/system
>     root CAs bundle, or the proxy CA's public key is not installed in
>     the clients. That's all.
>
>      
>
>     19.07.2017 23:30, Walter H. wrote:
>
>         Hello,
>
>         this seems not to be the problem, as the error messages are in
>         cache.log, which is not a browser problem ...
>
>         the question: are the SSL bumped sites in intranet, which use
>         a self signed CA cert itself, which squid doesn't know?
>
>         On 19.07.2017 17:36, Yuri wrote:
>
>         http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
>
>         http://i.imgur.com/A153C7A.png
>
>          
>
>         19.07.2017 21:34, Cherukuri, Naresh wrote:
>
>             Hi All,
>
>              
>
>             I installed Squid version 3.5.20 on RHEL 7 and generated
>             self-signed CA certificates. My users are complaining
>             about certificate errors. When I looked at cache.log I see
>             so many error messages like below. Below is my squid.conf
>             file. Any ideas how to address the errors below?
>
>              
>
>
>
>
>             Cache.log
>
>              
>
>             2017/07/18 16:05:34 kid1| Error negotiating SSL connection
>             on FD 689: error:14094416:SSL
>             routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>             (1/0)
>
>             2017/07/18 16:05:34 kid1| Error negotiating SSL connection
>             on FD 1114: error:14094416:SSL
>             routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>             (1/0)
>
>             2017/07/18 16:05:37 kid1| Error negotiating SSL connection
>             on FD 146: error:14094416:SSL
>             routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>             (1/0)
>
>             2017/07/18 16:05:41 kid1| Error negotiating SSL connection
>             on FD 252: error:14094416:SSL
>             routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>             (1/0)
>
>             2017/07/18 16:05:41 kid1| Error negotiating SSL connection
>             on FD 36: error:14094416:SSL
>             routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>             (1/0)
>
>
>
>
>
>
>
>      
>
>  
>
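
Added example, not part of the original thread: a small Python decoder for the cache.log entries quoted above. It assumes the OpenSSL 1.0.x/1.1.x packed error layout (8-bit library, 12-bit function, 12-bit reason), in which an SSL-library reason of 1000 or more is 1000 plus the number of a TLS alert received from the peer. The fourth sample line is constructed for contrast.

```python
import re
from collections import Counter

# TLS alert numbers (RFC 5246, section 7.2) that concern certificates.
ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
          44: "certificate_revoked", 45: "certificate_expired",
          46: "certificate_unknown", 48: "unknown_ca"}

LINE = re.compile(r"Error negotiating SSL connection on FD (\d+): "
                  r"error:([0-9A-Fa-f]{8}):")

def decode(code_hex):
    """Split a packed OpenSSL error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def classify(line):
    """Return (fd, description) for a Squid negotiation error, else None."""
    m = LINE.search(line)
    if not m:
        return None
    lib, _func, reason = decode(m.group(2))
    if lib == 20 and reason >= 1000:   # ERR_LIB_SSL: alert sent by the peer
        alert = reason - 1000
        name = ALERTS.get(alert, "other")
        return int(m.group(1)), "peer alert %d (%s)" % (alert, name)
    return int(m.group(1)), "local error, reason %d" % reason

def summarize(text):
    """Count negotiation errors in cache.log text by decoded description."""
    hits = (classify(l) for l in text.splitlines())
    return Counter(h[1] for h in hits if h)

# Three entries from the thread, re-joined onto one line each, plus one
# constructed non-alert entry (last line) for contrast.
SAMPLE = """\
2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 689: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 1114: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:37 kid1| Error negotiating SSL connection on FD 146: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:40 kid1| Error negotiating SSL connection on FD 77: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol (1/-1)
"""

if __name__ == "__main__":
    for what, count in summarize(SAMPLE).most_common():
        print(count, what)
```

Run against the real cache.log, a count dominated by peer alert 46 means the remote side is rejecting the certificate Squid presents, rather than Squid failing a check of its own.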
