<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><a class="moz-txt-link-freetext" href="http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit">http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit</a></p>
<p><a class="moz-txt-link-freetext" href="http://i.imgur.com/A153C7A.png">http://i.imgur.com/A153C7A.png</a><br>
</p>
<br>
<div class="moz-cite-prefix">19.07.2017 21:34, Cherukuri, Naresh
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:89638057A560FB458C01C197F81C7F5D13F32404@PACERS.amscan.corp">
<div class="WordSection1">
<p class="MsoNormal">Hi All,</p>
<p class="MsoNormal">I installed Squid version 3.5.20 on RHEL 7 and generated self-signed CA certificates. My users are complaining about certificate errors. When I look at cache.log I see so many error messages like the ones below. Below is my squid.conf file. Any ideas how to address the errors below?</p>
<p class="MsoNormal">Squid.conf:</p>
<pre wrap="">max_filedesc 4096
visible_hostname pctysqd2prod
logfile_rotate 10

access_log stdio:/var/log/squid/access.log squid

acl localnet src 172.16.0.0/16
acl backoffice_users src 10.136.0.0/13
acl hcity_backoffice_users src 10.142.0.0/15
acl register_users src 10.128.0.0/13
acl hcity_register_users src 10.134.0.0/15
acl partycity url_regex partycity

acl SSL_ports port 443
acl Safe_ports port 80 # http
#acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
#acl Safe_ports port 70 # gopher
#acl Safe_ports port 210 # wais
#acl Safe_ports port 1025-65535 # unregistered ports
#acl Safe_ports port 280 # http-mgmt
#acl Safe_ports port 488 # gss-http
#acl Safe_ports port 591 # filemaker
#acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#acl allowed_sites {dst|dstdomain|dstdom_regex|url_regex) "/path/to/file"
acl backoffice_allowed_sites url_regex "/etc/squid/backoffice_allowed_sites"
acl hcity_backoffice_allowed_sites url_regex "/etc/squid/backoffice_allowed_sites"
acl backoffice_blocked_sites url_regex "/etc/squid/backoffice_blocklist"
acl hcity_backoffice_blocked_sites url_regex "/etc/squid/backoffice_blocklist"
acl register_allowed_sites url_regex "/etc/squid/register_allowed_sites"
acl hcity_register_allowed_sites url_regex "/etc/squid/hcity_register_allowed_sites"

http_access allow localnet register_allowed_sites
http_access deny backoffice_users backoffice_blocked_sites
http_access deny hcity_backoffice_users backoffice_blocked_sites
http_access allow backoffice_users backoffice_allowed_sites
http_access allow hcity_backoffice_users backoffice_allowed_sites
http_access allow register_users register_allowed_sites
http_access allow hcity_register_users hcity_register_allowed_sites
no_cache deny partycity
http_access deny all

#http_access allow manager localhost
#http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
#http_access deny CONNECT !SSL_ports
http_access allow CONNECT SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost


# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128 ssl-bump \
key=/etc/squid/pctysquid2sslcerts/pctysquid2prod.pkey \
cert=/etc/squid/pctysquid2sslcerts/pctysquid2prod.crt \
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

sslproxy_cert_error allow all
always_direct allow all
sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB sslcrtd_children 8 startup=1 idle=1

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /cache/squid 10000 16 256

# Leave coredumps in the first cache dir
#rdescoredump_dir /var/spool/squid
coredump_dir /var/log/squid/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

#url_rewrite_access allow all
#url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidguard.conf
</pre>
<p class="MsoNormal">Cache.log</p>
<pre wrap="">2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 689: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 1114: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:37 kid1| Error negotiating SSL connection on FD 146: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 252: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 36: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
</pre>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
squid-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a>
</pre>
</blockquote>
<br>
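<p>The five cache.log lines quoted above all carry the same packed OpenSSL code. The following Python is an added example for this thread, not code from Squid or from the poster: it splits Squid's <code>error:14094416</code> into library, function and reason, and where the reason encodes a TLS alert received from the peer it names that alert and counts events per alert and per minute. What it makes explicit is direction: with <code>ssl-bump</code> on an <code>http_port</code>, Squid is the TLS server toward the browser, so an inbound <code>certificate_unknown</code> (alert 46) or <code>unknown_ca</code> (alert 48) means the client refused the certificate Squid generated, which is exactly what an untrusted signing CA looks like from the proxy side. The regular expression matches the message format shown in the quoted log, the alert names come from RFC 5246, and the sample lines are constructed: five copied from the thread, one invented <code>unknown ca</code> line and one unrelated line.</p>

```python
"""Triage 'Error negotiating SSL connection' lines from Squid's cache.log.

Added example for this squid-users thread, not Squid's or the poster's code.
Squid 3.5 logs OpenSSL's ERR_error_string() text followed by
"(ssl_error/ret)" from SSL_get_error(); 1 is SSL_ERROR_SSL.  Only the
packed OpenSSL code is decoded here.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) kid(?P<kid>\d+)\| "
    r"Error negotiating SSL connection on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<text>[^(]*?)\s*\((?P<ssl_error>-?\d+)/(?P<ret>-?\d+)\)\s*$"
)

# OpenSSL 1.0.x ERR_PACK(lib, func, reason) uses 8, 12 and 12 bits.
# SSL-library reasons 1000..1255 are SSL_AD_REASON_OFFSET plus the
# AlertDescription byte of an alert received from the peer (RFC 5246 7.2).
ALERT_REASON_OFFSET = 1000
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
}
# Alerts a TLS client sends when it will not accept the server's certificate.
CERT_REJECTION_ALERTS = {42, 43, 44, 45, 46, 48}


def decode_openssl_code(code_hex):
    """Return (lib, func, reason, alert); alert is None unless the reason
    encodes an alert received from the peer."""
    code = int(code_hex, 16)
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    alert = None
    if ALERT_REASON_OFFSET <= reason < ALERT_REASON_OFFSET + 256:
        alert = reason - ALERT_REASON_OFFSET
    return lib, func, reason, alert


def parse_line(line):
    """Parse one cache.log line; None if it is not a handshake failure."""
    m = LOG_RE.match(line)
    if not m:
        return None
    lib, func, reason, alert = decode_openssl_code(m.group("code"))
    return {
        "ts": m.group("ts"),
        "fd": int(m.group("fd")),
        "code": m.group("code").upper(),
        "lib": lib, "func": func, "reason": reason, "alert": alert,
        "alert_name": (TLS_ALERTS.get(alert, "alert_%d" % alert)
                       if alert is not None else None),
        # Squid is the TLS server here, so these alerts come from a client
        # that rejected the certificate Squid presented.
        "client_rejected_our_cert": alert in CERT_REJECTION_ALERTS,
    }


def triage(lines):
    """Summarise failures per alert and per minute, with a verdict."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    by_alert = Counter(e["alert_name"] or "reason_%d" % e["reason"] for e in events)
    per_minute = Counter(e["ts"][:16] for e in events)   # "YYYY/MM/DD HH:MM"
    rejections = sum(1 for e in events if e["client_rejected_our_cert"])
    if not events:
        verdict = "no TLS handshake failures found"
    elif rejections:
        verdict = ("%d of %d failures are clients rejecting the certificate "
                   "Squid presented: the bumping CA is not trusted on those "
                   "clients" % (rejections, len(events)))
    else:
        verdict = "handshake failures present, none are certificate rejections"
    return {"total": len(events), "by_alert": dict(by_alert),
            "per_minute": dict(per_minute), "cert_rejections": rejections,
            "verdict": verdict}


# Constructed sample: five lines from the thread, one invented unknown_ca
# line (FD 77) and one unrelated Squid line that must be ignored.
SAMPLE_LOG = """\
2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 689: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 1114: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:37 kid1| Error negotiating SSL connection on FD 146: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 252: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 36: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:06:02 kid1| Error negotiating SSL connection on FD 77: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2017/07/18 16:06:03 kid1| storeDirWriteCleanLogs: Starting...
""".splitlines()

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

<p>Run it against the real file with <code>triage(open("/var/log/squid/cache.log").read().splitlines())</code>. A steady stream of <code>certificate_unknown</code> from many file descriptors, as in the quoted log, is not something to fix on the proxy: the CA whose key and certificate are named on the <code>http_port ... ssl-bump</code> line has to be imported into every client's trust store (the DER export and browser import that the linked SslBumpExplicit page describes), and browsers will keep sending this alert until it is. Two caveats for the posted config. <code>sslproxy_cert_error allow all</code> and <code>sslproxy_flags DONT_VERIFY_PEER</code> govern the other direction, Squid's own checking of origin servers, and as written switch it off entirely, so a bumped client will never be told about a bad upstream certificate; they have no bearing on these alerts. And because the generated leaf certificates are only as trustworthy as that signing key, the <code>.pkey</code> file on the proxy deserves the same handling as any CA private key.</p>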
</body>
</html>