<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><br>
</p>
<br>
<div class="moz-cite-prefix">20.07.2017 3:09, Cherukuri, Naresh
пишет:<br>
</div>
<blockquote type="cite"
cite="mid:89638057A560FB458C01C197F81C7F5D13F32CE8@PACERS.amscan.corp">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";
color:black;}
span.EmailStyle23
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Yuri,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I
am new to squid I learned it through searching google. My
question is I generated self-signed SSL certificates and
install certificates on IE all clients. I didn’t install
proxy public key. Can you tell me where I have to put proxy
public key on clients. Appreciate you help!</span></p>
</div>
</blockquote>
Ah. Based on my experience,<br>
<br>
you require to take *public* proxy key (not private, your use
keypair to setup ssl-bump configuration; do not mistake it) and
install it at least into two places on client's PC: <br>
<br>
1. Into system trusted CA storage (uses by IE/Chrome/some IM etc.)<br>
2. Into Firefox own storage (if applicable).<br>
3. Sometimes it is also required to setup proxy's CA public key into
old JRE existing on clients. But AFAIK modern JRE uses system CA's
storage and no more required this step.<br>
<br>
Actually, this should be enough.<br>
<blockquote type="cite"
cite="mid:89638057A560FB458C01C197F81C7F5D13F32CE8@PACERS.amscan.corp">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Naresh<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
Yuri [<a class="moz-txt-link-freetext" href="mailto:yvoinov@gmail.com">mailto:yvoinov@gmail.com</a>]
<br>
<b>Sent:</b> Wednesday, July 19, 2017 5:06 PM<br>
<b>To:</b> Cherukuri, Naresh;
<a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
<b>Subject:</b> Re: [squid-users] Squid Version 3.5.20
Any Ideas<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p>Related OpenSSL public CA bundle - in theory it should be
installed together with OpenSSL.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">20.07.2017 2:49, Cherukuri, Naresh пишет:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks
Yuri for quick turnover!</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">We
inly installed root certificate on all clients. We didn’t
install proxy CA’s public key on clients. So you
suggestion fix that we need to install both certificate
and proxy ca’s public key on clients.</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks,</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Naresh</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
squid-users [<a
href="mailto:squid-users-bounces@lists.squid-cache.org"
moz-do-not-send="true">mailto:squid-users-bounces@lists.squid-cache.org</a>]
<b>On Behalf Of </b>Yuri<br>
<b>Sent:</b> Wednesday, July 19, 2017 2:25 PM<br>
<b>To:</b> <a
href="mailto:squid-users@lists.squid-cache.org"
moz-do-not-send="true">squid-users@lists.squid-cache.org</a><br>
<b>Subject:</b> Re: [squid-users] Squid Version 3.5.20
Any Ideas</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p>One out of two. Either the Squid does not see the
OpenSSL/system root CAs bundle, or the proxy CA's public key
is not installed in the clients. It's all.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<p class="MsoNormal">19.07.2017 23:30, Walter H. пишет:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hello,<br>
<br>
this seems not to be the problem, as the error messages
are in cache.log, which is not a browser problem ...<br>
<br>
the question: are the SSL bumped sites in intranet, which
use a self signed CA cert itself, which squid doesn't
know?<br>
<br>
On 19.07.2017 17:36, Yuri wrote: <o:p></o:p></p>
<p><a
href="http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit"
moz-do-not-send="true">http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit</a><o:p></o:p></p>
<p><a href="http://i.imgur.com/A153C7A.png"
moz-do-not-send="true">http://i.imgur.com/A153C7A.png</a><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<p class="MsoNormal">19.07.2017 21:34, Cherukuri, Naresh
пишет:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p>Hi All, <o:p></o:p></p>
<p> <o:p></o:p></p>
<p>I installed Squid version 3.5.20 on RHEL 7 and
generated self-signed CA certificates, My users are
complaining about certificate errors. When I looked at
cache.log I see so many error messages like below.
Below is my squid.conf file. Any ideas how to address
below errors. <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</blockquote>
<p class="MsoNormal"><br>
<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p>Cache.log <o:p></o:p></p>
<p> <o:p></o:p></p>
<p>2017/07/18 16:05:34 kid1| Error negotiating SSL
connection on FD 689: error:14094416:SSL
routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown (1/0)
<o:p></o:p></p>
<p>2017/07/18 16:05:34 kid1| Error negotiating SSL
connection on FD 1114: error:14094416:SSL
routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown (1/0)
<o:p></o:p></p>
<p>2017/07/18 16:05:37 kid1| Error negotiating SSL
connection on FD 146: error:14094416:SSL
routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown (1/0)
<o:p></o:p></p>
<p>2017/07/18 16:05:41 kid1| Error negotiating SSL
connection on FD 252: error:14094416:SSL
routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown (1/0)
<o:p></o:p></p>
<p>2017/07/18 16:05:41 kid1| Error negotiating SSL
connection on FD 36: error:14094416:SSL
routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown (1/0)
<o:p></o:p></p>
</div>
</blockquote>
<p class="MsoNormal"><br>
<br>
<br>
<br>
<br>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>squid-users mailing list<o:p></o:p></pre>
<pre><a href="mailto:squid-users@lists.squid-cache.org" moz-do-not-send="true">squid-users@lists.squid-cache.org</a><o:p></o:p></pre>
<pre><a href="http://lists.squid-cache.org/listinfo/squid-users" moz-do-not-send="true">http://lists.squid-cache.org/listinfo/squid-users</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"> <o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
<br>
</body>
</html>