[squid-users] Squid 4.1 Error negotiating SSL connection

Julian Perconti vh1988 at yahoo.com.ar
Wed Jul 4 00:06:42 UTC 2018


Hi all,

I have installed Squid 4.1 on Debian 9 with OpenSSL 1.1.0f in transparent
mode.

I need to know how to track this error (debugging options are almost
impossible, I mean examining the FD, etc.):

kid1| Error negotiating SSL connection on FD 19: error:00000001:lib(0):func(0):reason(1) (1/-1)

There are a lot of them in cache.log when mobile devices (unsuccessfully) use
apps like Instagram/Pinterest/Facebook/Twitter, etc.

Nor is it a "cipher-out" problem, because I just tried:
tls_outgoing_options cipher=ALL (only for testing)

From any PC those sites work well. So there is not a missing certificate
problem.

Here is a copy of the most relevant config:

=================CFG==================

http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump \
  cert=/etc/squid/ssl_cert/squid4ssl.pem \
  key=/etc/squid/ssl_cert/squid4ssl.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

sslcrtd_program /lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB

tls_outgoing_options cafile=/etc/ssl/certs/ca-certificates.crt
tls_outgoing_options cafile=/etc/squid/ssl_cert/cabundle.pem
tls_outgoing_options options=NO_SSLv3
tls_outgoing_options cipher=ALL:!SSLv2:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

acl noBumpSites ssl::server_name_regex -i "/etc/squid/url.nobump"

ssl_bump peek step1 all
ssl_bump peek step2 noBumpSites
ssl_bump splice step3 noBumpSites
ssl_bump stare step2
ssl_bump bump step3

# cache ram
cache_mem 1024 MB
=================CFG==================

And so on...

Any suggestions on the config above? Or a workaround for the problem mentioned?

Thank you all!
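
The decision path the posted ssl_bump lines produce for a listed and an unlisted server name, traced with a simplified first-matching-rule-per-step model. This is an added example, not part of the original message and not Squid's own code; the patterns standing in for /etc/squid/url.nobump and the host names are constructed, and the model assumes the same server name is seen at all three steps.

```python
import re

# ssl_bump rules in the order posted: (action, ACL names that must all match).
RULES = [
    ("peek",   ["step1", "all"]),
    ("peek",   ["step2", "noBumpSites"]),
    ("splice", ["step3", "noBumpSites"]),
    ("stare",  ["step2"]),
    ("bump",   ["step3"]),
]

# Constructed stand-in for /etc/squid/url.nobump (its contents are not in the post).
NOBUMP_PATTERNS = [r"(^|\.)bank\.example$", r"(^|\.)updates\.example$"]


def acl_matches(name, step, server_name):
    """Evaluate one ACL from the posted config for the current step and name."""
    if name == "all":
        return True
    if name in ("step1", "step2", "step3"):
        return name == f"step{step}"
    if name == "noBumpSites":
        # The posted ACL uses -i, so matching is case-insensitive.
        return any(re.search(p, server_name, re.IGNORECASE)
                   for p in NOBUMP_PATTERNS)
    raise ValueError(f"unknown ACL: {name}")


def action_at(step, server_name):
    """Return the action of the first rule whose ACLs all match, else None."""
    for action, acls in RULES:
        if all(acl_matches(a, step, server_name) for a in acls):
            return action
    return None


def trace(server_name):
    """Actions chosen at SslBump1, SslBump2 and SslBump3, in order."""
    return [action_at(step, server_name) for step in (1, 2, 3)]


if __name__ == "__main__":
    for host in ("www.bank.example", "api.photos.example"):
        print(f"{host}: {' -> '.join(trace(host))}")
```

In this model every server name that does not match the url.nobump patterns ends in bump at step 3, so those clients are served a certificate generated by Squid.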
