[squid-users] Squid 6.8 SSL_BUMP TLS Error

Rauch, Mario Mario.Rauch at dieboldnixdorf.com
Thu Apr 18 08:13:37 UTC 2024


Hello,
We have created a DER version of the PEM certificate which Squid uses and imported it into the client certificate store using a script like this:
certmgr /add DN_SIGNATOR_CA.der /r localMachine /s root

DN_SIGNATOR_CA.der is the self-signed certificate.

Maybe there must be some additional or changed setting in the config from Squid version 3.5 > 6.8?
As I wrote, on the old server with Squid 3.5 and the same certificate it worked. Should I attach both config files?

Regards,
Mario

From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Alex Rousskov
Sent: Wednesday, 17 April 2024 19:53
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Squid 6.8 SSL_BUMP TLS Error

On 2024-04-17 09:07, Rauch, Mario wrote:

> We are receiving following errors when clients
> want to connect to specific website using ssl bump feature and self
> signed certificate:
>
> 2024/04/17 14:55:15 kid1| ERROR: failure while accepting a TLS
> connection on conn275 local=185.229.91.169:3128
> remote=81.217.86.125:63673 FD 16 flags=1:
> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>
> Does somebody know what the problem could be?

$ openssl errstr A000418
error:0A000418:SSL routines::tlsv1 alert unknown ca

Looks like the client does not trust Squid certificate and tells Squid
about that lack of trust via a TLS alert. Did you configure the client
to trust the certificate your Squid is using for bumping client connections?

HTH,

Alex.

> With old Squid 3.5 it worked with almost same config and certificate.
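
Added example (not part of the original messages and not Squid project code): a small Python decoder for the TLS_LIB_ERR detail discussed above, doing offline what `openssl errstr` does for this code and flagging certificate alerts sent by the client. It assumes the OpenSSL 3.x error-code layout; the function names and the second and third sample log lines are constructed for illustration.

```python
import re

# OpenSSL 3.x error-code layout (openssl/err.h): library in bits 23-30, reason in bits 0-22.
ERR_LIB_OFFSET, ERR_LIB_MASK, ERR_REASON_MASK = 23, 0xFF, 0x7FFFFF
ERR_LIB_SSL = 20
# libssl reports an alert received from the peer as reason 1000 + alert number.
SSL_AD_REASON_OFFSET = 1000

# Certificate-related TLS alert descriptions (RFC 8446, section 6).
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}

LINE_RE = re.compile(r"remote=(?P<remote>\S+):\d+\b.*?TLS_LIB_ERR=(?P<err>[0-9A-Fa-f]+)")

def decode_tls_lib_err(hex_code):
    """Split a Squid TLS_LIB_ERR value into OpenSSL library, reason and peer alert."""
    code = int(hex_code, 16)
    lib = (code >> ERR_LIB_OFFSET) & ERR_LIB_MASK
    reason = code & ERR_REASON_MASK
    alert = reason - SSL_AD_REASON_OFFSET
    if lib != ERR_LIB_SSL or not 0 < alert < 256:
        alert = None  # not an alert sent by the peer
    return {"lib": lib, "reason": reason, "peer_alert": alert,
            "alert_name": CERT_ALERTS.get(alert)}

def triage(log_text):
    """Return one finding per log line that carries a TLS_LIB_ERR detail."""
    findings = []
    for m in LINE_RE.finditer(log_text):
        finding = decode_tls_lib_err(m.group("err"))
        finding["remote"] = m.group("remote")
        # A certificate alert from the client means it rejected the bumping certificate.
        finding["client_rejected_cert"] = finding["alert_name"] is not None
        findings.append(finding)
    return findings

# First line: the error from this thread, unwrapped. The other two are constructed.
SAMPLE_LOG = """\
2024/04/17 14:55:15 kid1| ERROR: failure while accepting a TLS connection on conn275 local=185.229.91.169:3128 remote=81.217.86.125:63673 FD 16 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
2024/04/17 14:56:02 kid1| ERROR: failure while accepting a TLS connection on conn301 local=192.0.2.10:3128 remote=192.0.2.55:50112 FD 18 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000412+TLS_IO_ERR=1
2024/04/17 14:57:40 kid1| ERROR: failure while accepting a TLS connection on conn322 local=192.0.2.10:3128 remote=192.0.2.77:50990 FD 21 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A0000C1+TLS_IO_ERR=1
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["remote"], hex(f["reason"]), f["alert_name"] or "no certificate alert")
```

Grouping the findings by remote address shows which clients are missing the bumping CA in their trust store.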




