<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">I answer inline.<div class=""><br class=""></div><div class=""><div><blockquote type="cite" class=""><div class="">On 9/01/2018, at 4:27 p.m., Antony Stone &lt;<a href="mailto:Antony.Stone@squid.open.source.it" class="">Antony.Stone@squid.open.source.it</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">On Tuesday 09 January 2018 at 21:28:37, Yoinier Hernandez Nieves wrote:<br class=""><br class=""><blockquote type="cite" class="">I try configure squid 3.5 on CentOS 7 with sslBump.<br class=""><br class="">But I have some problems, the first:<br class=""><br class="">Some HTTPs sites can access, because squid say what I am are not<br class="">authenticated. And other sites, yes I can access.<br class=""></blockquote><br class="">Please give us information:<br class=""><br class="">1. An example of sites can you access.</div></div></blockquote>not https<br class=""><br class=""><blockquote type="cite" class=""><div class=""><div class="">2. An example of sites can you not access.<br class=""></div></div></blockquote><div><a href="https://www.ssllabs.com/ssltest/viewMyClient.html" class="">https://www.ssllabs.com/ssltest/viewMyClient.html</a></div><div><a href="https://outlook.co.il/" class="">https://outlook.co.il/</a></div><div><a href="https://www.facebook.com" class="">https://www.facebook.com</a></div><div><br class=""></div><blockquote type="cite" class=""><div class=""><div class="">3. For problems, show us error messages - quote us what the remote sites tell <br class="">you.<br class=""></div></div></blockquote><div><p class="">Se encontró el siguiente error al intentar recuperar la dirección URL: <a href="https://outlook.co.il/" class="">https://outlook.co.il/</a></p>

<blockquote id="error" class=""><p class=""><b class="">Acceso Denegado a la Caché</b></p>
</blockquote><p class="">Lo lamento, tu no estás autorizado a solicitar <a href="https://outlook.co.il/" class="">https://outlook.co.il/</a> de este caché hasta que te hayas autenticado.</p><p class="">Please contact the <a href="mailto:root?subject=CacheErrorInfo%20-%20ERR_CACHE_ACCESS_DENIED&body=CacheHost%3A%20artemisa.conalza.co.cu%0D%0AErrPage%3A%20ERR_CACHE_ACCESS_DENIED%0D%0AErr%3A%20%5Bnone%5D%0D%0ATimeStamp%3A%20Tue,%2009%20Jan%202018%2019%3A12%3A22%20GMT%0D%0A%0D%0AClientIP%3A%20172.25.100.4%0D%0A%0D%0AHTTP%20Request%3A%0D%0AGET%20%2F%20HTTP%2F1.1%0AUser-Agent%3A%20Mozilla%2F5.0%20(Macintosh%3B%20Intel%20Mac%20OS%20X%2010.12%3B%20rv%3A57.0)%20Gecko%2F20100101%20Firefox%2F57.0%0D%0AAccept%3A%20text%2Fhtml,application%2Fxhtml+xml,application%2Fxml%3Bq%3D0.9,*%2F*%3Bq%3D0.8%0D%0AAccept-Language%3A%20es-ES,es%3Bq%3D0.8,en-US%3Bq%3D0.5,en%3Bq%3D0.3%0D%0AAccept-Encoding%3A%20gzip,%20deflate,%20br%0D%0AConnection%3A%20keep-alive%0D%0AUpgrade-Insecure-Requests%3A%201%0D%0AHost%3A%20outlook.co.il%0D%0A%0D%0A%0D%0A" class="">cache administrator</a> if you have difficulties authenticating yourself.</p></div><blockquote type="cite" class=""><div class=""><div class=""><br class="">4. Please rephrase "squid say what I am are not authenticated" - this is not <br class="">clear - what do you mean?<br class=""><br class=""><blockquote type="cite" class="">I am authenticated.<br class=""></blockquote><br class="">To what?  
Squid, or the remote site?<br class=""></div></div></blockquote><div>Squid; see the message in Spanish for point 3.</div><div><br class=""></div><div>Another error is this:</div><div><a href="https://www.kiosco.bandec.cu/kiosco" class="">https://www.kiosco.bandec.cu/kiosco</a></div><div><div style="margin: 0px; font-size: 10px; line-height: normal; font-family: Monaco; color: rgb(244, 244, 244); background-color: rgba(0, 0, 0, 0.85098);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Error negotiating SSL on FD 16: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)</span></div></div><div><p class="">The following error was encountered while trying to retrieve the URL: <a href="https://www.kiosco.bandec.cu/*" class="">https://www.kiosco.bandec.cu/*</a></p>

<blockquote id="error" class=""><p class=""><b class="">Failed to establish a secure connection to 190.6.64.132</b></p>
</blockquote>

<div id="sysmsg" class=""><p class="">The system returned:</p>
<blockquote id="data" class="">
<pre class="">(71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)</pre><p class="">SSL Certficate error: certificate issuer (CA) not known: /CN=CX6.bandec.cu</p>
</blockquote>
</div><p class="">This proxy and the remote host failed to negotiate a mutually 
acceptable security settings for handling your request. It is possible 
that the remote host does not support secure connections, or the proxy 
is not satisfied with the host security credentials.</p></div><blockquote type="cite" class=""><div class=""><div class=""><br class="">How do you know you are authenticated - what confirmation do you have?<br class=""><br class=""><blockquote type="cite" class="">Fragment of my squid.conf.<br class=""><br class="">http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/ConAlza.pem<br class="">generate-host-certificates=on dynamic_cert_mem_cache_size=4MB#<br class="">options=NO_SSLv3 dhparams=/etc/squid/ssl_cert/dhparam.pem sslcrtd_program<br class="">/usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB sslproxy_options<br class="">NO_SSLv2,NO_SSLv3,SINGLE_DH_USE<br class="">acl step1 at_step SslBump1<br class="">acl step2 at_step SslBump2<br class="">acl step3 at_step SslBump3<br class="">ssl_bump peek step1<br class="">ssl_bump bump all<br class="">authenticate_ip_ttl 60 seconds<br class=""></blockquote><br class="">That looks a bit strange (and a bit incomplete) to me, but since I'm no expert <br class="">on SSL interception, I'll let someone else step in here.<br class=""><br class="">If you can provide more information in the meantime (eg: enough to help <br class="">someone else replicate your problem) that would be good.<br class=""><br class=""></div></div></blockquote><div>I also use DansGuardian in front of the Squid proxy.</div><div><br class=""></div><div>See the logs for one request:</div><div><br class=""></div><div><div style="margin: 0px; font-size: 10px; line-height: normal; font-family: Monaco; color: rgb(244, 244, 244); background-color: rgba(0, 0, 0, 0.85098);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">1515534858.355   3720 aaa.aaa.aaa.aaa TAG_NONE/200 0 CONNECT <a href="http://www.ssllabs.com:443" class="">www.ssllabs.com:443</a> ynieves HIER_DIRECT/64.41.200.100 -</span></div><div style="margin: 0px; font-size: 10px; line-height: normal; font-family: Monaco; color: rgb(244, 244, 244); background-color: rgba(0, 0, 0, 
0.85098);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">1515534858.375      0 bbb.bbb.bbb.bbb TCP_DENIED/403 4457 GET <a href="https://www.ssllabs.com/ssltest/viewMyClient.html" class="">https://www.ssllabs.com/ssltest/viewMyClient.html</a> ynieves HIER_NONE/- text/html</span></div><div style="margin: 0px; font-size: 10px; line-height: normal; font-family: Monaco; color: rgb(244, 244, 244); background-color: rgba(0, 0, 0, 0.85098);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">1515534858.407      0 bbb.bbb.bbb.bbb TAG_NONE/503 4952 GET <a href="http://artemisa.conalza.co.cu:3128/squid-internal-static/icons/SN.png" class="">http://artemisa.conalza.co.cu:3128/squid-internal-static/icons/SN.png</a> ynieves HIER_DIRECT/64.41.200.100 text/html</span></div><div class=""><span style="font-variant-ligatures: no-common-ligatures" class=""><br class=""></span></div><div class="">aaa.aaa.aaa.aaa is my PC.</div><div class="">bbb.bbb.bbb.bbb is DansGuardian.</div><div class=""><span style="font-variant-ligatures: no-common-ligatures" class=""><br class=""></span></div></div><blockquote type="cite" class=""><div class=""><div class=""><br class="">Antony.<br class=""><br class="">-- <br class="">Wanted: telepath.   You know where to apply.<br class=""><br class="">                                                   Please reply to the list;<br class="">                                                         please *don't* CC me.<br class="">_______________________________________________<br class="">squid-users mailing list<br class=""><a href="mailto:squid-users@lists.squid-cache.org" class="">squid-users@lists.squid-cache.org</a><br class="">http://lists.squid-cache.org/listinfo/squid-users<br class=""></div></div></blockquote></div><br class=""></div></body></html>