[squid-users] Squid Version 3.5.20 Any Ideas

Amos Jeffries squid3 at treenet.co.nz
Thu Jul 20 00:55:09 UTC 2017 

On 20/07/17 09:10, Yuri wrote:
> Aha,
> 
> 
> 20.07.2017 3:04, Cherukuri, Naresh пишет:
>>
>> Yuri,
>>
>> I am sorry I didn’t get you I already installed certificate on all 
>> clients(trusted root certificate authorities). You want me install 
>> proxy public key also on clients, if so were should I put the proxy 
>> public key. Below is my squid.conf file.
>>
>> Squid.conf
>>
>> key=/etc/squid/pctysquid2sslcerts/pctysquid2prod.pkey \ proxy ca 
>> public key??
>>
> This is proxy private key AFAIK.

Correct. It should be the proxy private key. If the public key is put in 
there and startup actually succeeds I'm not sure what broken runtime 
errors will occur - nothing good anyhow.

Also, note that cert= parameter should be configured *before* the key= 
parameter so Squid loads them from the right place. The very latest 
releases (v4+) will fail to start if the ordering is wrong, so best to 
prepare for that now.


I suspect that part of the problem here is what is being configured in 
that cert= parameter. For SSL-Bump ports in current Squid it needs to 
contains the self-signed *CA* certificate that Squid is using to 
generate other certs from, the key= being the private key of that CA cert.

If you generate a regular proxy cert and load it there (like normal 
proxy cert= would use) the bumping process will get all broken.


The ConfigExample page Yuri linked to earlier had the exact and full 
process to follow for setting up the multiple different certs, keys and 
file types involved with SSL-Bump.


>>
>> cert=/etc/squid/pctysquid2sslcerts/pctysquid2prod.crt \(installed 
>> certificate on IE all clients as a trusted root certificate authorities)
>>
> Yes, if it installed into clients - this is ok.
> 
> So. The only reason I can see - proxy can't see OpenSSL CA's bundle.
> 
> To make it work you should add to your squid's config one of this:
> 
> #  TAG: sslproxy_cafile
> #    file containing CA certificates to use when verifying server
> #    certificates while proxying https:// URLs
> #Default:
> # none
> 
> #  TAG: sslproxy_capath
> #    directory containing CA certificates to use when verifying
> #    server certificates while proxying https:// URLs
> #Default:
> # none

Er, those are for Squid->server connections. You were correct about the 
errors referring to client->Squid connections, so these are irrelevant.

If anything, the  cafile= parameter of the ssl-bump port might be 
needed. Then it should point at the same CA's found in the cert= 
parameter (bit weird, but that is bugs in the SSL-Bump config design).

FTR: those particular errors occur when Squid accepts a connection from 
a client, begins the TLS handshake and the client suddenly disconnects 
before the handshake is complete.
  The "certificate unknown" seems to be saying that either 1) the client 
sent a client-cert to Squid and OpenSSL did not accept it, or 2) that 
the client did not accept the auto-generated cert Squid sent.

If (1) is happening it s because the browser was not correctly 
configured with the self-signed CA public cert.

If (2) is happening, then probably the cert=, key=, cafile= parameters 
on the ssl-bump port are not configured right, OR browser was not 
correctly configured with the self-signed CA public cert.

Or, maybe bugs in that particular Squid release SSL-Bump code. We are 
constantly fixing them and 3.5.20 is now a whole year behind with 
SSL-Bump fixes - many of them rather major behaviour fixes.


==> Best Practice to follow with SSL-Bump is that when having *any* 
problems with the SSL-Bump process try the latest Squid release first 
before spending time trying to figure it out.

Amos

More information about the squid-users mailing list