[squid-users] squid 3.5 reverse proxy https configuration problem
sjmeyer
sjmeyer at us.ibm.com
Wed May 20 16:20:41 UTC 2020
I have a squid configured as a reverse proxy on RHEL 7.8
The certificates on the squid box seem okay and squid -k parse passes;
however, when I attempt to access the back-end server via squid I get
Error negotiating SSL connection on FD 13: error:14094416:SSL
routines:ssl3_read_bytes:sslv3 alert certificate unknown (1/0)
It's my understanding that to resolve the SSL error I need to add the CA of the
backend server to the RHEL trust store - I have done that, copied the CA to
/etc/pki/ca-trust/source/anchors/
ran update-ca-trust extract,
confirmed the CA is in the file
/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
However, nothing changed. I have seen references to the ssl_crtd project, but
from the examples I've seen it isn't required. Is this my issue?
The contents of my squid.conf file are below; I would appreciate any advice.
# reverse proxy site
#
# NOTE(review): the error quoted in the mail, "sslv3 alert certificate
# unknown", is an alert *received* from the other end of a TLS session
# (ssl3_read_bytes), i.e. the remote side rejected a certificate it was
# shown. Which end of which connection that is cannot be told from this
# excerpt alone; the comments below mark where each certificate / trust
# decision is made in this configuration.
acl localnet src 10.0.0.0/8
# - debug options
# 0 client database
# 1 start up and main loop
# 2 Unlink Daemon
# 3 configuration file parsing
# 4 error generation
# 5 socket functions
# 11 HTTP
# 23 URL parsing
debug_options All,1 9
# Port lists. Safe_ports ends with 1025-65535 and the "deny !Safe_ports"
# rule further down is commented out, so the Safe_ports list currently
# restricts nothing.
acl SSL_ports port 5443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 8902
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 5443
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
# Plain-HTTP listener in transparent mode.
http_port 3128 transparent
# "allow Safe_ports" matches almost every port because of the
# 1025-65535 entry above; the usual "deny !Safe_ports" is commented out.
http_access allow Safe_ports
#http_access deny !Safe_ports
http_access allow localnet
# Client-facing TLS listener. The certificate shown to browsers is
# devi_public.pem; a client that does not trust its issuer will send a
# certificate alert back to Squid. Adding the *backend's* CA to the RHEL
# trust store does not change what clients see here.
# NOTE(review): if this directive really spans three lines in the file
# (rather than being wrapped by the mailer), the continuation lines would
# be read as separate directives - confirm against the real file.
https_port 5443 accel defaultsite=10.234.48.183
cert=/etc/squid/tls/devi_public.pem key=/etc/squid/tls/devi_private.key
cafile=/etc/squid/tls/devi_ca.crt vhost
sslproxy_options NO_SSLv2:NO_SSLv3:NO_TLSv1:NO_TLSv1_1
# Backend peer. sslflags=DONT_VERIFY_PEER (together with sslproxy_flags
# and "sslproxy_cert_error allow all" below) turns off verification of
# the backend's certificate entirely, so the CA added to
# /etc/pki/ca-trust is not consulted on this leg. To actually verify the
# backend, drop DONT_VERIFY_PEER and point sslcafile= at its CA.
cache_peer 10.234.49.188 parent 5443 0 no-query originserver ssl
sslflags=DONT_VERIFY_PEER connection-auth=off name=dev-api
# This ACL is only referenced by the commented-out rule below, so it is
# currently unused.
acl BrokenButTrustedServers dstdomain 10.234.49.188 devi.mlms.cms.gov
#sslproxy_cert_error allow BrokenButTrustedServers
# "allow all" accepts every server certificate error; combined with the
# two DONT_VERIFY_PEER flags, no outbound TLS peer is verified at all.
sslproxy_cert_error allow all
#sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
#ssl_bump splice #localhost
# configure backend
acl our_sites dstdomain dev.app.lb.local 10.234.49.188
http_access allow our_sites
# No cache_peer named "dev-int" appears in this excerpt; only dev-api is
# defined above. Either it is defined elsewhere in the file or this line
# is stale.
cache_peer_access dev-int allow our_sites
cache_peer_access dev-api allow our_sites