[squid-users] Squid 6.8 SSL_BUMP TLS Error

Alex Rousskov rousskov at measurement-factory.com
Thu Apr 18 21:16:39 UTC 2024


On 2024-04-18 04:13, Rauch, Mario wrote:

> We have created a DER version of the PEM certificate which Squid uses 
> and imported this into client certificate store using script like this:
> 
> certmgr /add DN_SIGNATOR_CA.der /r localMachine /s root
> 
> DN_SIGNATOR_CA.der is the self signed certificate

There is no practical way for me to verify that the above steps have the 
desired result. However, _you_ can verify that by, for example, using 
OpenSSL s_server configured with a certificate signed by DN_SIGNATOR_CA. 
Does the client trust that test server?

Can you verify that your client is getting a certificate signed by 
DN_SIGNATOR_CA? Depending on TLS version, it may be possible to do that 
using Wireshark or a similar packet capture analysis tool. If you can 
run OpenSSL s_client or a similar test client, it can also tell you what 
certificate(s) it is getting from Squid.


> Maybe there must be some additional or changed setting in config from 
> 3.5 > 6.8 Squid version?

Lots of things changed since Squid v3. Others may be able to guide you 
through those changes, but I cannot. That is why I am focusing on 
solving your problem in v6 (rather than trying to figure out what change 
triggered that problem).


> As I wrote on old server with Squid 3.5 and same certificate it worked. 
> Should I attach both config files?

Personally, I am not interested in Squid v3 configuration. Seeing your 
ssl_bump rules for v6 may be useful (especially if you know for sure 
which rules have matched for the test transaction), but I would _start_ 
by checking that Squid is sending the certificate(s) you think it is 
sending.


HTH,

Alex.


> *From:* squid-users <squid-users-bounces at lists.squid-cache.org> *On behalf of* Alex Rousskov
> *Sent:* Wednesday, 17 April 2024 19:53
> *To:* squid-users at lists.squid-cache.org
> *Subject:* Re: [squid-users] Squid 6.8 SSL_BUMP TLS Error
> 
> On 2024-04-17 09:07, Rauch, Mario wrote:
> 
>> We are receiving following errors when clients want to connect to 
>> specific website using ssl bump feature and self signed certificate:
>> 
>> 2024/04/17 14:55:15 kid1| ERROR: failure while accepting a TLS 
>> connection on conn275 local=185.229.91.169:3128 
>> remote=81.217.86.125:63673 FD 16 flags=1: 
>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>> 
>> Does somebody know what the problem could be?
> 
> $ openssl errstr A000418
> error:0A000418:SSL routines::tlsv1 alert unknown ca
> 
> Looks like the client does not trust Squid certificate and tells Squid 
> about that lack of trust via a TLS alert. Did you configure the client 
> to trust the certificate your Squid is using for bumping client connections?
> 
> HTH,
> 
> Alex.
> 
>> With old Squid 3.5 it worked with almost same config and certificate.
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
> 
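The `openssl errstr A000418` step in the quoted message can be done without OpenSSL at hand, and generalised to any `SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=...` line Squid writes. The script below is an added example, not part of Alex's reply or of the Squid project. It assumes the OpenSSL 3.x error-code layout (library id in the bits above bit 23, reason code in the low 23 bits, `ERR_LIB_SSL` = 20, and reason codes of 1000 plus the TLS alert number for alerts received from the peer), which is the layout behind the `error:0A000418:SSL routines::tlsv1 alert unknown ca` output quoted above. The sample log line is constructed after the one in the thread, with the addresses replaced by documentation ranges.

```shell
#!/bin/sh
# Added example (not from the thread): decode the TLS_LIB_ERR value that
# Squid prints in "SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=...+TLS_IO_ERR=..." lines.
# Assumes OpenSSL 3.x error packing: (lib << 23) | reason, ERR_LIB_SSL == 20.

# Pull the hex TLS_LIB_ERR value out of one cache.log line.
# Prints nothing when the line is not a Squid TLS error line.
squid_tls_lib_err() {
    printf '%s\n' "$1" | sed -n 's/.*TLS_LIB_ERR=\([0-9A-Fa-f]*\).*/\1/p'
}

# Name a TLS AlertDescription number (RFC 5246 / RFC 8446 values).
tls_alert_name() {
    case "$1" in
        0)   echo close_notify ;;
        10)  echo unexpected_message ;;
        20)  echo bad_record_mac ;;
        40)  echo handshake_failure ;;
        42)  echo bad_certificate ;;
        43)  echo unsupported_certificate ;;
        44)  echo certificate_revoked ;;
        45)  echo certificate_expired ;;
        46)  echo certificate_unknown ;;
        47)  echo illegal_parameter ;;
        48)  echo unknown_ca ;;
        49)  echo access_denied ;;
        50)  echo decode_error ;;
        51)  echo decrypt_error ;;
        70)  echo protocol_version ;;
        71)  echo insufficient_security ;;
        80)  echo internal_error ;;
        112) echo unrecognized_name ;;
        116) echo certificate_required ;;
        120) echo no_application_protocol ;;
        *)   echo "alert_$1" ;;
    esac
}

# Decode an OpenSSL 3 error code such as 0A000418 into "lib=<n> reason=<n>".
# Reason codes 1000..1255 are SSL_AD_REASON_OFFSET + alert number: OpenSSL
# received that alert from the peer. In an accept() context the peer is the
# client, so such a line means the client rejected what Squid presented.
decode_openssl_err() {
    code=$(( 0x$1 ))
    lib=$(( code >> 23 ))
    reason=$(( code & 0x7FFFFF ))
    if [ "$reason" -ge 1000 ] && [ "$reason" -lt 1256 ]; then
        alert=$(( reason - 1000 ))
        echo "lib=$lib reason=$reason peer_alert=$alert($(tls_alert_name "$alert"))"
    else
        echo "lib=$lib reason=$reason"
    fi
}

# Whole pipeline for one cache.log line.
explain_squid_tls_line() {
    hex=$(squid_tls_lib_err "$1")
    if [ -z "$hex" ]; then
        echo "not a Squid TLS error line"
        return 1
    fi
    decode_openssl_err "$hex"
}

# Constructed sample line modelled on the one quoted in the thread
# (addresses replaced with RFC 5737 documentation ranges).
SAMPLE_LINE='2024/04/17 14:55:15 kid1| ERROR: failure while accepting a TLS connection on conn275 local=192.0.2.10:3128 remote=198.51.100.7:63673 FD 16 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1'

explain_squid_tls_line "$SAMPLE_LINE"
```

Run against the sample line it prints `lib=20 reason=1048 peer_alert=48(unknown_ca)`: library 20 is the SSL library, reason 1048 is 1000 + 48, and alert 48 is `unknown_ca`, the same conclusion `openssl errstr` gives. Feeding real cache.log lines through `explain_squid_tls_line` separates the "client distrusts the bumping CA" case from, say, `bad_certificate` or `handshake_failure`, which point at different causes.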
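Alex's advice above is to check, before touching ssl_bump rules, that Squid is sending the certificate you think it is and that a client holding the distributed CA would accept it. The script below is an added example, not part of Alex's reply or of the Squid project: it takes a chain saved from `openssl s_client -showcerts` and the CA file given to clients, and answers both questions with `openssl x509` and `openssl verify`. The host name `proxy.example:3128`, the file names `served_chain.pem` and `DN_SIGNATOR_CA.pem`, and the use of `s_client -proxy` (present in recent OpenSSL releases) are assumptions for illustration; the capture step is shown in a comment because it needs a live proxy, and the tested host must be one that Squid actually bumps rather than splices.

```shell
#!/bin/sh
# Added example (not from the thread). Given a chain saved from the proxy and
# the CA file distributed to clients, check (1) that the first (leaf)
# certificate Squid serves is issued by that CA, and (2) that a client which
# trusts only that CA would accept the chain. File names are illustrative.
#
# Capture step (needs a live proxy, so only shown here):
#   openssl s_client -proxy proxy.example:3128 -connect example.com:443 \
#       -showcerts </dev/null 2>/dev/null \
#       | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > served_chain.pem

# Distinguished name without the "subject="/"issuer=" prefix, so the two can
# be compared as strings.
dn_of() {                       # dn_of <subject|issuer> <pem-file>
    openssl x509 -in "$2" -noout "-$1" | sed 's/^[a-z]*= *//'
}

# Succeeds when the leaf certificate's issuer DN equals the CA's subject DN.
# "openssl x509" reads only the first certificate in a file, i.e. the leaf.
leaf_issued_by() {              # leaf_issued_by <chain.pem> <ca.pem>
    [ "$(dn_of issuer "$1")" = "$(dn_of subject "$2")" ]
}

# Succeeds when the leaf verifies against the CA, with the rest of the served
# chain offered only as untrusted intermediates, which is what a client with
# just ca.pem in its root store sees.
chain_trusted_by() {            # chain_trusted_by <chain.pem> <ca.pem>
    leaf=$(mktemp)
    openssl x509 -in "$1" -out "$leaf"
    openssl verify -CAfile "$2" -untrusted "$1" "$leaf" >/dev/null 2>&1
    rc=$?
    rm -f "$leaf"
    return $rc
}

# Human-readable report for one chain/CA pair.
report() {                      # report <chain.pem> <ca.pem>
    if leaf_issued_by "$1" "$2"; then
        echo "issuer: leaf is issued by $(dn_of subject "$2")"
    else
        echo "issuer: MISMATCH, leaf is issued by $(dn_of issuer "$1")"
    fi
    if chain_trusted_by "$1" "$2"; then
        echo "trust: a client holding only this CA accepts the chain"
    else
        echo "trust: chain does NOT verify against this CA"
    fi
}

# Usage: sh check_chain.sh served_chain.pem DN_SIGNATOR_CA.pem
if [ $# -eq 2 ]; then
    report "$1" "$2"
fi
```

An issuer mismatch means Squid is signing with a different CA than the one imported on the client (for instance a CA regenerated during the 3.5 to 6.8 migration); a mismatch in the trust check with a matching issuer points at the CA file itself (expired, wrong key usage, or a DER/PEM conversion that did not produce the same certificate).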


