<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Aha,</p>
<br>
<div class="moz-cite-prefix">20.07.2017 3:04, Cherukuri, Naresh
writes:<br>
</div>
<blockquote type="cite"
cite="mid:89638057A560FB458C01C197F81C7F5D13F32CA3@PACERS.amscan.corp">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Yuri,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I
am sorry, I didn’t get you. I already installed the certificate on
all clients (trusted root certificate authorities). Do you want
me to install the proxy public key on the clients as well? If so, where
should I put the proxy public key? Below is my squid.conf
file.
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Squid.conf
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">key=/etc/squid/pctysquid2sslcerts/pctysquid2prod.pkey
\ proxy ca public key??</span></p>
</div>
</blockquote>
This is the proxy private key, AFAIK.<br>
<blockquote type="cite"
cite="mid:89638057A560FB458C01C197F81C7F5D13F32CA3@PACERS.amscan.corp">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="color:#1F497D;background:yellow;mso-highlight:yellow">cert=/etc/squid/pctysquid2sslcerts/pctysquid2prod.crt
\</span><span style="color:#1F497D"> (installed certificate
on IE all clients as a trusted root certificate authorities)</span></p>
</div>
</blockquote>
Yes, if it is installed on the clients, this is OK.<br>
<br>
So the only reason I can see is that the proxy can't see the OpenSSL CA bundle.<br>
<br>
To make it work you should add one of these to your squid config:<br>
<br>
# TAG: sslproxy_cafile<br>
# file containing CA certificates to use when verifying server<br>
# certificates while proxying <a class="moz-txt-link-freetext" href="https://">https://</a> URLs<br>
#Default:<br>
# none<br>
<br>
# TAG: sslproxy_capath<br>
# directory containing CA certificates to use when verifying<br>
# server certificates while proxying <a class="moz-txt-link-freetext" href="https://">https://</a> URLs<br>
#Default:<br>
# none<br>
<br>
The proxy also should know about the CAs used for connection verification.<br>
<br>
<blockquote type="cite"
cite="mid:89638057A560FB458C01C197F81C7F5D13F32CA3@PACERS.amscan.corp">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
Yuri [<a class="moz-txt-link-freetext" href="mailto:yvoinov@gmail.com">mailto:yvoinov@gmail.com</a>]
<br>
<b>Sent:</b> Wednesday, July 19, 2017 4:55 PM<br>
<b>To:</b> Cherukuri, Naresh;
<a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
<b>Subject:</b> Re: [squid-users] Squid Version 3.5.20
Any Ideas<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p>No. Only the proxy's CA public key. The private key should remain on the
proxy only.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">20.07.2017 2:49, Cherukuri, Naresh writes:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks
Yuri for quick turnover!</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">We
only installed the root certificate on all clients. We didn’t
install the proxy CA’s public key on the clients. So your
suggested fix is that we need to install both the certificate
and the proxy CA’s public key on the clients.</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks,</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Naresh</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
squid-users [<a
href="mailto:squid-users-bounces@lists.squid-cache.org"
moz-do-not-send="true">mailto:squid-users-bounces@lists.squid-cache.org</a>]
<b>On Behalf Of </b>Yuri<br>
<b>Sent:</b> Wednesday, July 19, 2017 2:25 PM<br>
<b>To:</b> <a
href="mailto:squid-users@lists.squid-cache.org"
moz-do-not-send="true">squid-users@lists.squid-cache.org</a><br>
<b>Subject:</b> Re: [squid-users] Squid Version 3.5.20
Any Ideas</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p>One of two. Either Squid does not see the
OpenSSL/system root CA bundle, or the proxy CA's public key
is not installed on the clients. That's all.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<p class="MsoNormal">19.07.2017 23:30, Walter H. writes:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hello,<br>
<br>
this seems not to be the problem, as the error messages
are in cache.log, which is not a browser problem ...<br>
<br>
the question: are the SSL-bumped sites on the intranet, using
a self-signed CA cert themselves, which squid doesn't
know?<br>
<br>
On 19.07.2017 17:36, Yuri wrote: <o:p></o:p></p>
<p><a
href="http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit"
moz-do-not-send="true">http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit</a><o:p></o:p></p>
<p><a href="http://i.imgur.com/A153C7A.png"
moz-do-not-send="true">http://i.imgur.com/A153C7A.png</a><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<p class="MsoNormal">19.07.2017 21:34, Cherukuri, Naresh
writes:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p>Hi All, <o:p></o:p></p>
<p> <o:p></o:p></p>
<p>I installed Squid version 3.5.20 on RHEL 7 and
generated self-signed CA certificates. My users are
complaining about certificate errors. When I looked at
cache.log I see many error messages like the ones below.
Below is my squid.conf file. Any ideas how to address the
errors below? <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p>Cache.log <o:p></o:p></p>
<p> <o:p></o:p></p>
<p>2017/07/18 16:05:34 kid1| Error negotiating SSL
connection on FD 689: error:14094416:SSL
routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown (1/0)
<o:p></o:p></p>
<p>2017/07/18 16:05:34 kid1| Error negotiating SSL
connection on FD 1114: error:14094416:SSL
routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown (1/0)
<o:p></o:p></p>
<p>2017/07/18 16:05:37 kid1| Error negotiating SSL
connection on FD 146: error:14094416:SSL
routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown (1/0)
<o:p></o:p></p>
<p>2017/07/18 16:05:41 kid1| Error negotiating SSL
connection on FD 252: error:14094416:SSL
routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown (1/0)
<o:p></o:p></p>
<p>2017/07/18 16:05:41 kid1| Error negotiating SSL
connection on FD 36: error:14094416:SSL
routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown (1/0)
<o:p></o:p></p>
</div>
</blockquote>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>squid-users mailing list<o:p></o:p></pre>
<pre><a href="mailto:squid-users@lists.squid-cache.org" moz-do-not-send="true">squid-users@lists.squid-cache.org</a><o:p></o:p></pre>
<pre><a href="http://lists.squid-cache.org/listinfo/squid-users" moz-do-not-send="true">http://lists.squid-cache.org/listinfo/squid-users</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"> <o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
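<p>Added example, not code from the thread or from the Squid project: a small Python triage script for the two things discussed above. It parses the cache.log lines Naresh quoted (a fatal alert reported under SSL3_READ_BYTES is one OpenSSL received from the peer, so the other side rejected a certificate it was shown) and checks a squid.conf fragment for the sslproxy_cafile / sslproxy_capath directives Yuri names. The sample log lines and both squid.conf fragments are constructed here; the cert and key paths are the ones from Naresh's message, and /etc/pki/tls/certs/ca-bundle.crt is the usual RHEL 7 system bundle path, assumed rather than taken from the thread.</p>

```python
# Added triage helper for the squid-users thread; not code from the thread or from Squid.
import re
from collections import Counter

# Squid 3.5 cache.log line shape, as quoted in the thread:
#   2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 689: \
#   error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<kid>kid\d+)\| "
    r"Error negotiating SSL connection on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]+):(?P<func>[^:]+):"
    r"(?P<reason>.+?) \((?P<a>\d+)/(?P<b>\d+)\)\s*$"
)

# Constructed sample: the five lines from Naresh's message plus one unrelated line.
SAMPLE_LOG = """\
2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 689: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 1114: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:37 kid1| Error negotiating SSL connection on FD 146: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 252: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 36: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:42 kid1| some unrelated cache.log line (constructed)
"""


def parse_ssl_error(line):
    """Parse one 'Error negotiating SSL connection' line; None for any other line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["fd"] = int(rec["fd"])
    return rec


def peer_sent_alert(rec):
    """True when OpenSSL *received* a TLS alert while reading: the peer rejected a
    certificate it was shown. If Squid's own verification of an origin certificate
    had failed, OpenSSL would report a 'certificate verify failed' reason instead."""
    return rec["func"].endswith("READ_BYTES") and " alert " in rec["reason"]


def summarize(log_text):
    """Count failures per (OpenSSL function, reason) and how many were peer-sent alerts."""
    counts = Counter()
    alerts = 0
    for line in log_text.splitlines():
        rec = parse_ssl_error(line)
        if rec is None:
            continue
        counts[(rec["func"], rec["reason"])] += 1
        if peer_sent_alert(rec):
            alerts += 1
    return counts, alerts


# Squid 3.5 directive names as quoted from squid.conf.documented in the thread.
TRUST_DIRECTIVES = ("sslproxy_cafile", "sslproxy_capath")


def parse_squid_conf(conf_text):
    """Map directive -> list of argument strings. Joins backslash-continued lines and
    drops comments and blanks; enough for this check, not a full squid.conf parser."""
    directives = {}
    pending = ""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        logical = " ".join((pending + line).split())
        pending = ""
        if not logical:
            continue
        name, _, args = logical.partition(" ")
        directives.setdefault(name, []).append(args)
    return directives


def trust_findings(conf_text):
    """The check Yuri's advice implies: bumping configured, but no CA bundle given to the proxy."""
    d = parse_squid_conf(conf_text)
    findings = []
    if "ssl_bump" in d and not any(t in d for t in TRUST_DIRECTIVES):
        findings.append("ssl_bump is set but neither sslproxy_cafile nor sslproxy_capath is; "
                        "the proxy has no CA bundle with which to verify origin server certificates")
    return findings


# Constructed fragments. Cert/key paths are those from Naresh's message; the
# ca-bundle path is the usual RHEL 7 system bundle (assumed, not from the thread).
CONF_BEFORE = """\
http_port 3128 ssl-bump \\
  cert=/etc/squid/pctysquid2sslcerts/pctysquid2prod.crt \\
  key=/etc/squid/pctysquid2sslcerts/pctysquid2prod.pkey
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
"""
CONF_AFTER = CONF_BEFORE + "sslproxy_cafile /etc/pki/tls/certs/ca-bundle.crt\n"

if __name__ == "__main__":
    counts, alerts = summarize(SAMPLE_LOG)
    for (func, reason), n in counts.items():
        print(f"{n:4d}  {func}: {reason}")
    print(f"{alerts} of {sum(counts.values())} failures were alerts sent by the peer")
    for label, conf in (("before", CONF_BEFORE), ("after", CONF_AFTER)):
        print(label, trust_findings(conf) or ["ok"])
```

<p>Run it as a script to print the per-reason counts and the finding for each fragment; to triage a live proxy, read the real cache.log into a string and pass it to summarize(), and pass the real squid.conf to trust_findings().</p>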
<br>
</body>
</html>