<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
Hello, Amos… all
<div class=""><br class="">
</div>
<div class="">Yuri, thanks for the reply.</div>
<div class=""><br class="">
</div>
<div class="">Amos,</div>
<div class=""><br class="">
</div>
<div class="">I added (thanks to Eliezer):</div>
<div class="">
<div class="">sslproxy_cert_error allow all</div>
<div class="">sslproxy_flags DONT_VERIFY_PEER</div>
<div class="">to the config file. I am not too worried about the verification, since the sites showing problems are government sites or local payment services/partners.</div>
<div class=""><br class="">
</div>
<div class="">However, some sites are still showing the handshake problem: <span class=""><a href="https://ibin.co/38uz8akvWayM.png" class="">https://ibin.co/38uz8akvWayM.png</a></span></div>
<span class=""><br class="">
</span><span class="">You had previously replied to this saying:</span></div>
<div class=""><span class=""><br class="">
</span></div>
<div class=""><span class="">
<div class="">"If you actually read that error message it tells you exactly what the</div>
<div class="">problem is.</div>
<div class=""><br class="">
</div>
<div class="">"Handshake with SSL server failed: [blah blah codes]: dh key too small"</div>
<div class=""><br class="">
</div>
<div class="">The server is trying to use a Diffie-Hellman cipher with a too-short key.</div>
<div class="">DH cipher with short keys has recently been broken. By recently I mean</div>
<div class="">about a whole year ago."</div>
<div class=""><br class="">
</div>
<div class="">However, I still wonder what the solution is. Is it possible to fix this, and who needs to fix it? Is it a Squid-side error? Is it an OS-level error?</div>
<div class=""><br class="">
</div>
<div class="">Any more information is greatly appreciated.</div>
</span></div>
<div class=""><br class="">
</div>
<div class=""><span class="">
<div class="">Thanks again,</div>
<div class="">Sam</div>
</span></div>
<div class=""><br class="">
</div>
<br class="">
<blockquote type="cite" class="">On Jan 18, 2017, at 12:44 PM, Yuri Voinov <<a href="mailto:yvoinov@gmail.com" class="">yvoinov@gmail.com</a>> wrote:<br class="">
<br class="">
<br class="">
<br class="">
18.01.2017 23:40, Eliezer Croitoru wrote:<br class="">
<blockquote type="cite" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
Thanks for the detail Amos,<br class="">
<br class="">
I noticed that a couple of major Root CA certificates were revoked, so it could be one thing.<br class="">
And can you give some more details on how to fetch the certificates using the openssl tools?<br class="">
(Maybe redirect towards an article about it)<br class="">
</blockquote>
There is no article about trivial things.<br class="">
<br class="">
root @ khorne / # openssl s_client -connect <a href="http://symantec.com" class="">symantec.com</a>:443<br class="">
CONNECTED(00000003)<br class="">
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU =<br class="">
"(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class<br class="">
3 Public Primary Certification Authority - G5<br class="">
verify return:1<br class="">
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network,<br class="">
CN = Symantec Class 3 EV SSL CA - G3<br class="">
verify return:1<br class="">
depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 =<br class="">
Delaware, businessCategory = Private Organization, serialNumber =<br class="">
2158113, C = US, postalCode = 94043, ST = California, L = Mountain View,<br class="">
street = 350 Ellis Street, O = Symantec Corporation, OU = Symantec Web -<br class="">
Redir, CN = symantec.com<br class="">
verify return:1<br class="">
---<br class="">
Certificate chain<br class="">
0<br class="">
s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private<br class="">
Organization/serialNumber=2158113/C=US/postalCode=94043/ST=California/L=Mountain<br class="">
View/street=350 Ellis Street/O=Symantec Corporation/OU=Symantec Web -<br class="">
Redir/CN=symantec.com<br class="">
i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec<br class="">
Class 3 EV SSL CA - G3<br class="">
1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec<br class="">
Class 3 EV SSL CA - G3<br class="">
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006<br class="">
VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public<br class="">
Primary Certification Authority - G5<br class="">
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006<br class="">
VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public<br class="">
Primary Certification Authority - G5<br class="">
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006<br class="">
VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public<br class="">
Primary Certification Authority - G5<br class="">
---<br class="">
Server certificate<br class="">
-----BEGIN CERTIFICATE-----<br class="">
-----END CERTIFICATE-----<br class="">
subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private<br class="">
Organization/serialNumber=2158113/C=US/postalCode=94043/ST=California/L=Mountain<br class="">
View/street=350 Ellis Street/O=Symantec Corporation/OU=Symantec Web -<br class="">
Redir/CN=symantec.com<br class="">
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust<br class="">
Network/CN=Symantec Class 3 EV SSL CA - G3<br class="">
---<br class="">
No client certificate CA names sent<br class="">
---<br class="">
SSL handshake has read 5624 bytes and written 433 bytes<br class="">
---<br class="">
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA<br class="">
Server public key is 2048 bit<br class="">
Secure Renegotiation IS supported<br class="">
Compression: NONE<br class="">
Expansion: NONE<br class="">
SSL-Session:<br class="">
Protocol : TLSv1.2<br class="">
Cipher : ECDHE-RSA-AES128-SHA<br class="">
Session-ID:<br class="">
7ED48810D697DDAE5C591942755CF47E3D96431EC46C074641B5E1363ABE812E<br class="">
Session-ID-ctx:<br class="">
Master-Key:<br class="">
68B42DE89E49E2F16E7461853B9CD8F5393955C9A8C3B6DB27A560CD753669285C51FEA33C2324694F1AA43B833021E8<br class="">
Key-Arg : None<br class="">
PSK identity: None<br class="">
PSK identity hint: None<br class="">
SRP username: None<br class="">
Start Time: 1484761429<br class="">
Timeout : 300 (sec)<br class="">
Verify return code: 0 (ok)<br class="">
---<br class="">
^C<br class="">
<br class="">
That's all.<br class="">
<blockquote type="cite" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
I think that if some sites have issues then a simple script that will run the openssl tools to fetch the certificates and add them to the system can be useful for those which are running 3.5 and yet to jump into the 4.0 testing.<br class="">
I can write the script that will do some of the work for these admins.<br class="">
<br class="">
Eliezer<br class="">
<br class="">
----<br class="">
Eliezer Croitoru<br class="">
Linux System Administrator<br class="">
Mobile: +972-5-28704261<br class="">
Email: eliezer@ngtech.co.il<br class="">
<br class="">
<br class="">
-----Original Message-----<br class="">
From: squid-users [mailto:squid-users-bounces@lists.squid-cache.org] On Behalf Of Amos Jeffries<br class="">
Sent: Wednesday, January 18, 2017 6:06 PM<br class="">
To: squid-users@lists.squid-cache.org<br class="">
Subject: Re: [squid-users] A bunch of SSL errors I am not sure why<br class="">
<br class="">
On 19/01/2017 3:29 a.m., Sameh Onaissi wrote:<br class="">
<blockquote type="cite" class="">Hello Eliezer, all<br class="">
<br class="">
Sorry for the late reply.<br class="">
<br class="">
When I configure the browser to access a non intercept port, the errors do not show up and the site is accessed without a problem.<br class="">
<br class="">
The client machine has the .crt file installed, but still shows the error.<br class="">
<br class="">
Other pages with errors:<br class="">
http://pasteboard.co/nA20FD7om.png<br class="">
http://pasteboard.co/nA2yWRyTE.png<br class="">
<br class="">
Here is the second page in a browser without an intercepted port:<br class="">
http://pasteboard.co/nA39CEFGU.png<br class="">
<br class="">
<br class="">
Thanks in advance.<br class="">
Some of these sites are used to pay company bills, so it's important to get this issue resolved ASAP.<br class="">
</blockquote>
I assume from that first part that the most important of these sites are a small enough set to deal with as a special case without becoming a maintenance nightmare.<br class="">
<br class="">
The error messages both show that Squid at least cannot find one of the CAs required to verify the server's cert.<br class="">
<br class="">
Soo...<br class="">
you can probably use the openssl client tool to identify and fetch the certs manually; then<br class="">
<br class="">
1a) add the root CA (only if needed) into your machine's global CA set,<br class="">
<br class="">
1b) add any intermediary certs to the file Squid loads through sslproxy_foreign_intermediate_certs directive.<br class="">
<http://www.squid-cache.org/Doc/config/sslproxy_foreign_intermediate_certs/><br class="">
<br class="">
OR<br class="">
<br class="">
2) create a cache_peer to the domain's server port 443, using the originserver option and sslcafile= option to specify what its CA chain is supposed to be.<br class="">
<http://www.squid-cache.org/Doc/config/cache_peer/><br class="">
<br class="">
<br class="">
<blockquote type="cite" class="">Worth mentioning that this was not a problem about 10 days ago.<br class="">
</blockquote>
Nod, these types of things can appear out of nowhere as server certs expire or get blacklisted, ciphers etc. suddenly get rejected by browsers as insecure. TLS advocates deny it, but F*ups happen far too often in reality when dealing with certs.<br class="">
<br class="">
<br class="">
<blockquote type="cite" class=""><br class="">
* Try the latest Squid-4, which can auto-download intermediate certificates.<br class="">
<br class="">
Is squid-4 stable for production?<br class="">
<br class="">
</blockquote>
Sorry I missed this in your earlier post.<br class="">
<br class="">
Well, strictly speaking, no. It still has a handful of critical bugs to be tracked down and quashed. But whether those affect you, or if they do whether it's worth an occasional crash to avoid these SSL issues, is a different matter.<br class="">
<br class="">
Amos<br class="">
<br class="">
_______________________________________________<br class="">
squid-users mailing list<br class="">
squid-users@lists.squid-cache.org<br class="">
http://lists.squid-cache.org/listinfo/squid-users<br class="">
<br class="">
</blockquote>
<br class="">
-- <br class="">
OpenSource should be called "Fifty shades of Brown"<br class="">
</blockquote>
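<div class="">The manual procedure Amos describes (run the openssl client, work out which certs are missing, put intermediates in the file loaded by sslproxy_foreign_intermediate_certs and the root, only if needed, in the OS trust store) can be automated over the output of Yuri's command. The following is an added example, not code from the thread or from Squid: it assumes <code>openssl s_client -showcerts</code> output in the usual "N s:/i:" plus PEM layout, and the embedded chain is a constructed sample with placeholder certificate bodies.</div>

```python
import re
import subprocess

# One `-showcerts` chain entry: " N s:<subject>" then "   i:<issuer>", followed by a PEM block.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+s:(.*?)\n\s*i:(.*?)\n", re.M)
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed sample shaped like `openssl s_client -showcerts` output; the base64 bodies are placeholders.
SAMPLE = """\
Certificate chain
 0 s:/C=XX/O=Example/CN=www.example.test
   i:/C=XX/O=Example CA/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
LEAF-PLACEHOLDER==
-----END CERTIFICATE-----
 1 s:/C=XX/O=Example CA/CN=Example Issuing CA
   i:/C=XX/O=Example CA/CN=Example Root CA
-----BEGIN CERTIFICATE-----
INTERMEDIATE-PLACEHOLDER==
-----END CERTIFICATE-----
 2 s:/C=XX/O=Example CA/CN=Example Root CA
   i:/C=XX/O=Example CA/CN=Example Root CA
-----BEGIN CERTIFICATE-----
ROOT-PLACEHOLDER==
-----END CERTIFICATE-----
"""

def fetch_showcerts(host, port=443):
    """Yuri's command plus -showcerts and SNI; returns the client's stdout text (needs network)."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-showcerts"]
    return subprocess.run(cmd, input=b"", capture_output=True, timeout=30).stdout.decode(errors="replace")

def split_chain(output):
    """Pair each chain entry with its PEM and classify it as leaf, intermediate or root."""
    chain = []
    for (depth, subj, iss), pem in zip(ENTRY_RE.findall(output), PEM_RE.findall(output)):
        subj, iss = subj.strip(), iss.strip()
        if int(depth) == 0:
            role = "leaf"          # the server's own cert; nothing to install
        elif subj == iss:
            role = "root"          # self-signed: OS trust store only, and only if needed (step 1a)
        else:
            role = "intermediate"  # belongs in the sslproxy_foreign_intermediate_certs file (step 1b)
        chain.append({"depth": int(depth), "subject": subj, "issuer": iss, "pem": pem, "role": role})
    return chain

def foreign_intermediates_pem(chain):
    """Concatenate only the intermediates, leaf-to-root order, for Squid's intermediate file."""
    return "".join(c["pem"] + "\n" for c in chain if c["role"] == "intermediate")
```

<div class="">Feeding <code>fetch_showcerts(host)</code> into <code>split_chain</code> and appending <code>foreign_intermediates_pem(...)</code> to the intermediate file covers step 1b; a "dh key too small" failure will not produce a chain at all, so an empty result is the signal to look at the origin server's DH parameters rather than at certificates.</div>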
<br class="">
</body>
</html>