[squid-users] FW: Encrypted browser-Squid connection errors

Alex Rousskov rousskov at measurement-factory.com
Fri Oct 14 17:34:06 UTC 2022


On 10/14/22 10:32, LEMRAZZEQ, Wadie wrote:
> I tried to implement this on a dockerized Alpine, and a squid 5.5 with openssl module

FWIW, Squid v5.5 is unusable in many environments -- too many bugs. Use 
v5.7 or later. I do not know whether one of those bugs is responsible 
for the specific problem you are discussing though.


> in squid.conf, I have:
> 
> ...
> 
> http_port 3128
> 
> https_port 3129 cert=/etc/squid/crt.pem key=/etc/squid/key.pem

OK.


> but when I request squid https port, I got this error every time, in 
> cache.log:

_How_ do you "request squid https port"?


> ERROR: failure while accepting a TLS connection on conn77 
> local=172.17.0.2:3129 remote=172.17.0.1:56608 FD 12 flags=1: 
> 
> connection: conn77 local=172.17.0.2:3129 remote=172.17.0.1:56608 FD 12 flags=1
> 
> Error.cc(22) update: recent: 
> ERR_SECURE_ACCEPT_FAIL/SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=1408F09B+TLS_IO_ERR=1

According to "openssl errstr", that OpenSSL error is:

     error:1408F09B:SSL routines:ssl3_get_record:https proxy request


Most likely, the client is sending a plain text CONNECT request before 
encrypting the TLS connection to the HTTPS proxy. In other words, the 
client thinks it is talking to an HTTP proxy while you want it to think 
that it is talking to an HTTPS proxy. For example,

* HTTP proxy:  curl -x http://172.17.0.2:3128/ ... https://example.com
* HTTPS proxy: curl -x https://172.17.0.2:3129/ ... https://example.com


HTH,

Alex.




> ...
> 
> I also tried this with squid 4.10 with gnutls module, in an Ubuntu 20.40 
> environment, with the same squid.conf, and I got again a TLS error
> 
> ...
> 
> client_side.cc(2597) tlsAttemptHandshake: Error negotiating TLS on 
> local=x.x.x.x:3129 remote=x.x.x.x:50874 FD 11 flags=1: Aborted by 
> client: An unexpected TLS packet was received.
> 
> ...
> 
> I used for certificates, a self signed one, and a generated certificate 
> signed by our CA, for both scenarios
> 
> Also, I tried multiple https_port options (disable some SSL 
> implementation, manipulation of client certificates...) but without success


