<div dir="ltr">Amos,<div><div>Thank you for your reply.</div></div><div>I have version 3.5.12 compiled with Debian rules example provided here,</div><div><a href="http://docs.diladele.com/administrator_guide_4_5/install/ubuntu14/tools.html">http://docs.diladele.com/administrator_guide_4_5/install/ubuntu14/tools.html</a><br></div><div><br></div><div>Do you think I could patch squid from 3.5.12 to 3.5.21 via patches available at <a href="http://www.squid-cache.org/Versions/v3/3.5/">http://www.squid-cache.org/Versions/v3/3.5/</a></div><div>Or I could download tar.gz file and replace files from that folder to Debian source folder ?</div><div><br></div><div>do i need any extra tools to build squid 3.5.21?</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Sep 20, 2016 at 3:58 PM, Amos Jeffries <span dir="ltr"><<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On 20/09/2016 4:42 a.m., Hardik Dangar wrote:<br>
> Hello,<br>
><br>
> I am using squid 3.5.12(detailed version info is below) on Ubuntu 16.04.1<br>
> LTS server. My squid config is at, <a href="http://pastebin.com/raw/b8RZ67u9" rel="noreferrer" target="_blank">http://pastebin.com/raw/<wbr>b8RZ67u9</a><br>
><br>
> I have configured squid as intercept proxy bumping all SSL https<br>
> connections. Setup is working fine for many things like browsing,<br>
> even on command line like wget i can download via https as i have installed<br>
> root certificate within my client os.<br>
><br>
> My issue is whenever i try to add extra repository via command, i.e.<br>
> sudo add-apt-repository ppa:ondrej/php<br>
> command fails with output "Cannot add PPA: 'ppa:~ondrej/ubuntu/php'.<wbr>ERROR:<br>
> '~ondrej' user or team does not exist." and in squid's cache and access.log<br>
> following entries can be located for this request,<br>
><br>
> ==> /var/log/squid/access.log <==<br>
> 1474302162.378 439 192.168.1.66 TAG_NONE/200 0 CONNECT <a href="http://91.189.89.223:443" rel="noreferrer" target="_blank">91.189.89.223:443</a><br>
> - ORIGINAL_DST/<a href="http://91.189.89.223" rel="noreferrer" target="_blank">91.189.89.223</a> -<br>
><br>
> ==> /var/log/squid/cache.log <==<br>
> 2016/09/19 21:52:42 kid1| Error negotiating SSL connection on FD 21:<br>
> error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0)<br>
> 2016/09/19 21:52:42 kid1| hold write on SSL connection on FD 22<br>
><br>
> ==> /var/log/squid/access.log <==<br>
> 1474302162.885 403 192.168.1.66 TAG_NONE/200 0 CONNECT <a href="http://91.189.89.223:443" rel="noreferrer" target="_blank">91.189.89.223:443</a><br>
> - ORIGINAL_DST/<a href="http://91.189.89.223" rel="noreferrer" target="_blank">91.189.89.223</a> -<br>
><br>
> ==> /var/log/squid/cache.log <==<br>
> 2016/09/19 21:52:42 kid1| Error negotiating SSL connection on FD 21:<br>
> error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0)<br>
><br>
> in the above output 192.168.1.66 is my client requesting that request and<br>
> as you can see in cache.log there is certificate negotiation error. I have<br>
> tried to fiddle with all options provided at <a href="http://wiki.squid-cache.org/" rel="noreferrer" target="_blank">http://wiki.squid-cache.org/</a><br>
> ConfigExamples/Intercept/<wbr>SslBumpExplicit but it seems i am out of luck<br>
> after almost half of my day battling this issue.<br>
><br>
> Can someone tell me they are successful with this issue? if so can you<br>
> share your squid.conf relevant section?<br>
><br>
> $ squid -v<br>
> Squid Cache: Version 3.5.12<br>
<br>
</div></div>Ubuntu Squid package does not build with SSL functionality.<br>
<br>
When re-building your Squid with SSL-Bump features it is important to<br>
always use teh very latest Squid release. SSL/TLS and bumping are part<br>
of an ongoing arms race situation. Things are constantly changing and<br>
software from as little as a year ago is unlikly to work 100% well with<br>
intercepting ('bumping') encryption from today.<br>
<br>
First thing to try is to rebuild with squid 3.5.20 or .21 and see if the<br>
problem remains.<br>
<br>
Amos<br>
<br>
______________________________<wbr>_________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.<wbr>org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/<wbr>listinfo/squid-users</a><br>
</blockquote></div><br></div>