[squid-users] Issues with SSL from specific sites

Amos Jeffries squid3 at treenet.co.nz
Thu Jan 8 18:58:56 UTC 2015



On 9/01/2015 2:19 a.m., Mr J Potter wrote:
> Hi all,
> 
> I have a weird problem connecting to one specific domain:
> 
> https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.0.5/es5-shim.min.js
>
>  this site works fine if I connect directly, but if I go via my
> squid instance, it fails (see below).
> 
> I have squid 3.3.11 with optional SSL-bump set up and working fine
> for the most part, but it will not allow me onto this one domain.
> It's not in any filtered list (I've commented out SSLBump and all
> filtering/redirecting on my test server).
> 
> It says unavailable to establish SSL connection... one point is
> when I connect to this site via chrome it tells me the encryption
> method is outdated - is squid refusing to connect due to this?

More likely Chrome is complaining about Squid bumping in its way. The
bumped certs created by 3.3 use an older easily bumped format.

Our standing recommendation for bumping is to always use the latest
Squid release if you encounter problems. SSL-bump is effectively going
through an arms race with HTTPS - each Squid series has different
capabilities to get around HTTPS protections that "suddenly" become
popular as the previous series SSL-bump feature began to be used.


> 
> thanks in advance for any help.
> 
> root@dirvish:~# wget https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.0.5/es5-shim.min.js -dv


Squidclient gives me this:

Resolving cdnjs.cloudflare.com ...
Connecting... cdnjs.cloudflare.com (198.41.215.184:443)
Connected to: cdnjs.cloudflare.com (198.41.215.184:443)
X.509 TLS handshake ...
VERIFY DATUM: The certificate is NOT trusted. The certificate issuer
is unknown.
WARNING: Insecure Connection
TLS Session info:
(TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-128-GCM)


The certificate issuer being unknown is a problem. The modern browsers
all go into a major panic over that kind of thing.

Amos
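The reply above boils down to one question: is the certificate the client sees the origin's own certificate, or one minted by the bumping proxy (and if so, is the proxy's CA trusted on this client)? The script below is an added example, not code from the thread or from Squid. It opens a TLS session to the host directly and again through an HTTP proxy via CONNECT, fingerprints the leaf certificate each time, and compares the two. The proxy address `squid.example.invalid:3128` is a placeholder assumption to be replaced with a real Squid; the function names are mine.

```python
import hashlib
import socket
import ssl

# Target from the thread; the proxy is a hypothetical placeholder (assumption).
TARGET_HOST = "cdnjs.cloudflare.com"
TARGET_PORT = 443
PROXY = ("squid.example.invalid", 3128)


def build_connect_request(host, port):
    """HTTP/1.1 CONNECT request asking the proxy to open a TCP tunnel."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode("ascii")


def parse_connect_response(raw):
    """Return the status code from the proxy's reply to CONNECT.

    Only the status line matters: 200 means the tunnel is open and every
    byte after the blank line belongs to TLS; anything else is an error
    page from the proxy (for example a 403 from an ACL denying the CONNECT).
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    status_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])


def read_connect_response(sock):
    """Read the CONNECT reply one byte at a time and stop at the blank line,
    so no TLS record bytes that follow it are swallowed by mistake."""
    buf = b""
    while not buf.endswith(b"\r\n\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("proxy closed the connection during CONNECT")
        buf += chunk
    return parse_connect_response(buf)


def open_tcp(host, port, proxy=None, timeout=10):
    """Plain TCP socket to host:port, tunnelled through proxy if given."""
    if proxy is None:
        return socket.create_connection((host, port), timeout=timeout)
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        sock.sendall(build_connect_request(host, port))
        status = read_connect_response(sock)
    except Exception:
        sock.close()
        raise
    if status != 200:
        sock.close()
        raise ConnectionError(f"proxy answered CONNECT with {status}")
    return sock


def probe(host, port, proxy=None):
    """Handshake and return (verified, sha256 fingerprint of the leaf cert).

    verified is True only if the presented chain validates against the
    client's trust store for `host`. If that fails we retry with checks off:
    getpeercert() returns an empty dict for an unverified peer, but the DER
    form is still available, so the fingerprint can be taken either way.
    """
    verifying = ssl.create_default_context()
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    for strict, ctx in ((True, verifying), (False, lax)):
        sock = open_tcp(host, port, proxy)
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                return strict, hashlib.sha256(der).hexdigest()
        except ssl.SSLCertVerificationError:
            if not strict:
                raise
        finally:
            sock.close()
    raise RuntimeError("both handshakes failed")


def classify(direct, via_proxy):
    """Compare two probe() results and say what the proxy is doing."""
    _, direct_fp = direct
    proxy_ok, proxy_fp = via_proxy
    if direct_fp != proxy_fp:
        # The proxy presented a certificate the origin never sent: SSL-bump.
        if proxy_ok:
            return "bumped: proxy CA is trusted by this client"
        return "bumped: proxy CA is NOT trusted by this client"
    if proxy_ok:
        return "tunnelled: origin certificate seen and trusted"
    return "tunnelled: origin certificate seen but does not verify"


if __name__ == "__main__":
    direct = probe(TARGET_HOST, TARGET_PORT)
    via = probe(TARGET_HOST, TARGET_PORT, PROXY)
    print("direct   :", direct)
    print("via proxy:", via)
    print(classify(direct, via))
```

A "bumped: proxy CA is NOT trusted" verdict matches the symptom in the thread: the client is talking to Squid's generated certificate, not to Cloudflare's, and the generated certificate chains to a CA the client has never imported. If the fingerprints are equal the proxy is only tunnelling and any verification failure belongs to the origin. The same comparison can be done by hand with `openssl s_client -connect host:443 -servername host`, with and without `-proxy proxyhost:3128` (OpenSSL 1.1.0 or later), and piping each result through `openssl x509 -noout -issuer -fingerprint -sha256`.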

