<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Hi All,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal">I installed Squid version 3.5.20 on RHEL 7 and generated self-signed CA certificates. My users are complaining about certificate errors. When I looked at cache.log I see so many error messages like the ones below. Below is my squid.conf file. Any ideas on how to address the errors below?<o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Squid.conf:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<pre>
max_filedesc 4096
visible_hostname pctysqd2prod
logfile_rotate 10

access_log stdio:/var/log/squid/access.log squid

acl localnet src 172.16.0.0/16
acl backoffice_users src 10.136.0.0/13
acl hcity_backoffice_users src 10.142.0.0/15
acl register_users src 10.128.0.0/13
acl hcity_register_users src 10.134.0.0/15
acl partycity url_regex partycity

acl SSL_ports port 443
acl Safe_ports port 80 # http
#acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
#acl Safe_ports port 70 # gopher
#acl Safe_ports port 210 # wais
#acl Safe_ports port 1025-65535 # unregistered ports
#acl Safe_ports port 280 # http-mgmt
#acl Safe_ports port 488 # gss-http
#acl Safe_ports port 591 # filemaker
#acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#acl allowed_sites (dst|dstdomain|dstdom_regex|url_regex) "/path/to/file"
acl backoffice_allowed_sites url_regex "/etc/squid/backoffice_allowed_sites"
acl hcity_backoffice_allowed_sites url_regex "/etc/squid/backoffice_allowed_sites"
acl backoffice_blocked_sites url_regex "/etc/squid/backoffice_blocklist"
acl hcity_backoffice_blocked_sites url_regex "/etc/squid/backoffice_blocklist"
acl register_allowed_sites url_regex "/etc/squid/register_allowed_sites"
acl hcity_register_allowed_sites url_regex "/etc/squid/hcity_register_allowed_sites"

http_access allow localnet register_allowed_sites
http_access deny backoffice_users backoffice_blocked_sites
http_access deny hcity_backoffice_users backoffice_blocked_sites
http_access allow backoffice_users backoffice_allowed_sites
http_access allow hcity_backoffice_users backoffice_allowed_sites
http_access allow register_users register_allowed_sites
http_access allow hcity_register_users hcity_register_allowed_sites
no_cache deny partycity
http_access deny all

#http_access allow manager localhost
#http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
#http_access deny CONNECT !SSL_ports
http_access allow CONNECT SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost


# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128 ssl-bump \
key=/etc/squid/pctysquid2sslcerts/pctysquid2prod.pkey \
cert=/etc/squid/pctysquid2sslcerts/pctysquid2prod.crt \
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

sslproxy_cert_error allow all
always_direct allow all
sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /cache/squid 10000 16 256

# Leave coredumps in the first cache dir
#coredump_dir /var/spool/squid
coredump_dir /var/log/squid/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

#url_rewrite_access allow all
#url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidguard.conf
</pre>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Cache.log<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<pre>
2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 689: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 1114: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:37 kid1| Error negotiating SSL connection on FD 146: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 252: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 36: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
</pre>
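<p class="MsoNormal">The "sslv3 alert certificate unknown" entries above are TLS alerts that the connecting clients sent, so they record the client refusing the certificate Squid presented, not a failure on the upstream side. Separately, the posted squid.conf has settings a reviewer would flag; the following script, added here as an example and not code from the post or from the Squid project, audits them: it reports the two directives that disable upstream certificate validation, http_access rules that can never match because the earlier unconditional "deny all" wins first, and the sslcrtd_children setting glued onto the sslcrtd_program line. It assumes nothing beyond plain squid.conf syntax and embeds the relevant lines of the posted config as a constructed sample.</p>

```python
"""Audit ssl-bump related settings in a squid.conf excerpt (added example)."""

# Constructed sample: the relevant lines of the squid.conf from the post above.
SAMPLE_CONF = """\
http_access allow localnet register_allowed_sites
http_access deny backoffice_users backoffice_blocked_sites
http_access deny all
http_access deny !Safe_ports
http_access allow CONNECT SSL_ports
http_access deny to_localhost
ssl_bump peek step1
ssl_bump bump all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB sslcrtd_children 8 startup=1 idle=1
"""


def directives(conf):
    """Yield (line_no, name, args) for each non-empty, non-comment line."""
    for no, raw in enumerate(conf.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if parts:
            yield no, parts[0], parts[1:]


def audit(conf):
    """Return (line_no, message) findings, in config order."""
    findings = []
    deny_all_at = None  # line of the first unconditional 'http_access deny all'
    for no, name, args in directives(conf):
        if name == "http_access":
            # http_access is first-match: nothing after 'deny all' is ever consulted.
            if deny_all_at is not None:
                findings.append((no, f"unreachable: 'http_access deny all' on line {deny_all_at} matches first"))
            elif args == ["deny", "all"]:
                deny_all_at = no
        elif name == "sslproxy_cert_error" and args[:2] == ["allow", "all"]:
            findings.append((no, "upstream certificate errors are ignored for every destination"))
        elif name == "sslproxy_flags" and "DONT_VERIFY_PEER" in args:
            findings.append((no, "upstream server certificates are not verified at all"))
        elif name == "sslcrtd_program" and "sslcrtd_children" in args:
            findings.append((no, "sslcrtd_children is a separate directive, not an sslcrtd_program argument"))
    return findings


if __name__ == "__main__":
    for line_no, message in audit(SAMPLE_CONF):
        print(f"line {line_no}: {message}")
```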
</div>
</body>
</html>