[squid-users] Redirecting to DIRECT_CONNECT failed ssl-bump connections

Yuri Voinov yvoinov at gmail.com
Wed Feb 11 08:49:13 UTC 2015


First of all,

read this:

http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

Second - there is no way to find what site generates this error, except from user
complaints.

WBR, Yuri.

11.02.15 11:25, Luis Miguel Silva writes:
> Dear all,
>
> I'm seeing several error messages in my cache.log, complaining that 
> the destination certificate is invalid:
> 2015/02/08 19:27:28 kid1| fwdNegotiateSSL: Error negotiating SSL 
> connection on FD 22: error:14090086:SSL 
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
> 2015/02/08 19:27:28 kid1| clientNegotiateSSL: Error negotiating SSL 
> connection on FD 20: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 
> alert unknown ca (1/0)
> 2015/02/08 19:27:32 kid1| fwdNegotiateSSL: Error negotiating SSL 
> connection on FD 50: error:14090086:SSL 
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
> 2015/02/08 19:27:33 kid1| clientNegotiateSSL: Error negotiating SSL 
> connection on FD 49: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 
> alert certificate unknown (1/0)
> 2015/02/08 19:27:33 kid1| fwdNegotiateSSL: Error negotiating SSL 
> connection on FD 50: error:14090086:SSL 
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
> 2015/02/08 19:27:33 kid1| clientNegotiateSSL: Error negotiating SSL 
> connection on FD 49: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 
> alert unknown ca (1/0)
> 2015/02/08 19:27:34 kid1| clientNegotiateSSL: Error negotiating SSL 
> connection on FD 49: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 
> alert unknown ca (1/0)
> 2015/02/08 19:27:37 kid1| clientNegotiateSSL: Error negotiating SSL 
> connection on FD 50: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 
> alert unknown ca (1/0)
> 2015/02/08 19:27:37 kid1| fwdNegotiateSSL: Error negotiating SSL 
> connection on FD 51: error:14090086:SSL 
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
> 2015/02/08 19:27:37 kid1| clientNegotiateSSL: Error negotiating SSL 
> connection on FD 50: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 
> alert certificate unknown (1/0)
> 2015/02/08 19:27:39 kid1| fwdNegotiateSSL: Error negotiating SSL 
> connection on FD 51: error:14090086:SSL 
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
> 2015/02/08 19:27:39 kid1| clientNegotiateSSL: Error negotiating SSL 
> connection on FD 50: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 
> alert certificate unknown (1/0)
> 2015/02/08 19:27:40 kid1| clientNegotiateSSL: Error negotiating SSL 
> connection on FD 50: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 
> alert certificate unknown (1/0)
> 2015/02/08 19:27:40 kid1| clientNegotiateSSL: Error negotiating SSL 
> connection on FD 50: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 
> alert certificate unknown (1/0)
> 2015/02/08 19:27:41 kid1| clientNegotiateSSL: Error negotiating SSL 
> connection on FD 50: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 
> alert certificate unknown (1/0)
> 2015/02/08 19:27:42 kid1| fwdNegotiateSSL: Error negotiating SSL 
> connection on FD 51: error:14090086:SSL 
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
> 2015/02/08 19:27:42 kid1| clientNegotiateSSL: Error negotiating SSL 
> connection on FD 50: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 
> alert certificate unknown (1/0)
> 2015/02/08 19:27:42 kid1| clientNegotiateSSL: Error negotiating SSL 
> connection on FD 52: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 
> alert certificate unknown (1/0)
>
> Is there a way for me to intercept these and, when they happen, allow 
> a direct connection between the client and the destination?
>
> In other words, I want to ssl-bump ALL connections *but*, if we 
> encounter certificate errors, I would like to make a direct connection 
> instead. Is this possible?
>
> Thank you,
> Luis
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

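An added example, not part of the thread and not Squid's own code: a small Python triage script that re-joins the mail-wrapped cache.log records quoted above, parses the two negotiate-SSL messages, and sorts them by which side of the bumped connection failed. The sample records are the ones from the post (plus one constructed non-SSL line); the classification rests on the function name and on the OpenSSL reason text (fwdNegotiateSSL is Squid verifying the origin's certificate, while an "alert ..." reason in clientNegotiateSSL is a TLS alert received from the browser, typically because the bumping CA is not in its trust store). The script also makes Yuri's point concrete: none of these records carries a hostname, so naming the site requires correlating FD and timestamp with access.log.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: four records copied from the cache.log excerpt in the
# thread, kept with the line wrapping the mail client introduced, plus one
# constructed non-SSL record to show that unrelated lines are ignored.
SAMPLE_LOG = """\
2015/02/08 19:27:28 kid1| fwdNegotiateSSL: Error negotiating SSL
connection on FD 22: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2015/02/08 19:27:28 kid1| clientNegotiateSSL: Error negotiating SSL
connection on FD 20: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca (1/0)
2015/02/08 19:27:33 kid1| clientNegotiateSSL: Error negotiating SSL
connection on FD 49: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3
alert certificate unknown (1/0)
2015/02/08 19:27:33 kid1| fwdNegotiateSSL: Error negotiating SSL
connection on FD 50: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2015/02/08 19:27:40 kid1| storeLateRelease: released 0 objects
"""

# A real cache.log record starts with a timestamp; anything else is a
# continuation produced by the mail client's wrapping.
TS_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} ")

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) kid\d+\| "
    r"(?P<func>fwdNegotiateSSL|clientNegotiateSSL): Error negotiating SSL "
    r"connection on FD (?P<fd>\d+): error:(?P<code>[0-9A-Fa-f]+):SSL routines:"
    r"(?P<routine>[^:]+):(?P<reason>.+?) \((?P<detail>[-\d/]+)\)$"
)


@dataclass(frozen=True)
class SslError:
    ts: str
    func: str
    fd: int
    code: str
    reason: str


def unwrap(text: str) -> list[str]:
    """Re-join records that were wrapped onto several lines."""
    records: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] = records[-1] + " " + line
    return records


def parse_cache_log(text: str) -> list[SslError]:
    """Extract the negotiate-SSL failures; other records are skipped."""
    errors = []
    for rec in unwrap(text):
        m = LINE_RE.match(rec)
        if m:
            errors.append(SslError(m["ts"], m["func"], int(m["fd"]),
                                   m["code"].lower(), m["reason"]))
    return errors


def classify(err: SslError) -> str:
    """Which side of the bumped connection failed (editor's interpretation).

    fwdNegotiateSSL: Squid, acting as TLS client to the origin, could not
    verify the server's certificate.
    clientNegotiateSSL with an 'alert ...' reason: the browser sent a TLS
    alert rejecting the certificate Squid generated, which usually means the
    bumping CA is not installed in that client's trust store.
    """
    if err.func == "fwdNegotiateSSL" and err.reason == "certificate verify failed":
        return "server-cert-untrusted"
    if err.func == "clientNegotiateSSL" and " alert " in err.reason:
        return "client-rejected-bumped-cert"
    return "other"


def summarize(errors: list[SslError]) -> dict[str, int]:
    """Count failures per category."""
    return dict(Counter(classify(e) for e in errors))


if __name__ == "__main__":
    errs = parse_cache_log(SAMPLE_LOG)
    for e in errs:
        print(f"{e.ts} FD {e.fd:>3} {classify(e):<28} {e.func}: {e.reason}")
    print(summarize(errs))
    # No record above names a host: to find the site you must correlate the
    # FD and timestamp with access.log entries from the same moment.
```

Running it on a real cache.log (pass the file contents to parse_cache_log) gives a quick split between "the upstream certificate is bad" and "clients do not trust the bumping CA", which are two different problems with two different fixes; the second category is what Luis's "direct connection" fallback would not address, since the failure is between the browser and Squid itself.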