[squid-users] [3.5.9]: Error negotiating SSL connection on FD 12: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)

David Touzeau david at articatech.com
Thu Oct 1 22:18:50 UTC 2015


Dear

I'm using Squid Cache: Version 3.5.9-20150922-r13918 in transparent mode with SSL hooked.
In my config, I did not bump any site (just to pass the SSL protocol to Squid in transparent mode).

I'm trying to connect to https://raj2796.wordpress.com

In cache.log

2015/10/02 00:07:05 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=0.0.0.0:53695 remote=[::] FD 100 flags=41
2015/10/02 00:07:05 kid1| Accepting ICP messages on [::]:3130
2015/10/02 00:07:05 kid1| Sending ICP messages from [::]:3130
2015/10/02 00:07:05 kid1| Accepting SNMP messages on [::]:3401
2015/10/02 00:07:10 kid1| Error negotiating SSL connection on FD 12: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2015/10/02 00:07:20 kid1| Error negotiating SSL connection on FD 17: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2015/10/02 00:07:21 kid1| Error negotiating SSL connection on FD 17: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2015/10/02 00:07:21 kid1| Error negotiating SSL connection on FD 17: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2015/10/02 00:09:10 kid1| Error negotiating SSL connection on FD 114: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)

And I'm unable to display the web site; the browser freezes when trying to open the website...

How can I bypass this website and force Squid not to analyze the certificate on *.wordpress.com?



My config
https_port 0.0.0.0:53695 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/cb623e9bfc65772f68b84393604cd6ea.dyn options=NO_SSLv3 dhparams=/etc/squid3/ssl/dhparam.pem
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3
ssl_bump peek ssl_step1
ssl_bump splice all
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
sslproxy_version 0
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslproxy_cert_error allow all

Best regards
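The following is an added example, not part of the post above and not code from the Squid project. It decodes the OpenSSL error number that Squid prints in these cache.log lines. OpenSSL 1.0.x packs an error as 0xLLFFFRRR (8-bit library, 12-bit function, 12-bit reason), so error:14094416 is library 0x14 (SSL routines), function 0x094 (SSL3_READ_BYTES) and reason 0x416 = 1046. Reasons of 1000 and above are SSL_AD_REASON_OFFSET plus a TLS AlertDescription, here 46 = certificate_unknown: the alert was read off the wire from the peer of that socket, not raised by Squid's own certificate verification (which would yield a reason below 1000). The script also rejoins log lines that a mail client has wrapped, and the sample log is constructed in the shape of the excerpt above (the FD 21 "no shared cipher" line is invented to show a non-alert reason); the trailing "(1/0)" is decoded on the assumption, taken from the Squid source, that it is SSL_get_error() followed by the SSL_accept() return value.

```python
import re
from collections import Counter

# Constructed sample (not a real capture): the FD 12 entry is wrapped over
# three lines the way a mail client wraps it; FD 21 is an invented non-alert error.
SAMPLE_LOG = "\n".join([
    "2015/10/02 00:07:05 kid1| Accepting ICP messages on [::]:3130",
    "2015/10/02 00:07:10 kid1| Error negotiating SSL connection on FD 12:",
    "error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate",
    "unknown (1/0)",
    "2015/10/02 00:07:20 kid1| Error negotiating SSL connection on FD 17: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)",
    "2015/10/02 00:07:25 kid1| Error negotiating SSL connection on FD 21: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher (1/-1)",
])

TS_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} ")
ERR_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \S+\| "
    r"Error negotiating SSL connection on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib_text>[^:]*):(?P<func_text>[^:]*):"
    r"(?P<reason_text>[^(]*?)\s*\((?P<ssl_error>\d+)/(?P<ret>-?\d+)\)\s*$"
)

ERR_LIB_SSL = 20               # OpenSSL library id 0x14, printed as "SSL routines"
SSL_AD_REASON_OFFSET = 1000    # SSL_R_*_ALERT_* reason = 1000 + TLS AlertDescription

# TLS AlertDescription values (RFC 5246 section 7.2), subset relevant to handshakes.
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied", 50: "decode_error",
    51: "decrypt_error", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 112: "unrecognized_name",
}

# SSL_get_error() return values from OpenSSL's ssl.h.
SSL_GET_ERROR = {
    0: "SSL_ERROR_NONE", 1: "SSL_ERROR_SSL", 2: "SSL_ERROR_WANT_READ",
    3: "SSL_ERROR_WANT_WRITE", 4: "SSL_ERROR_WANT_X509_LOOKUP",
    5: "SSL_ERROR_SYSCALL", 6: "SSL_ERROR_ZERO_RETURN",
}


def decode_openssl_error(code):
    """Split a packed OpenSSL 1.0.x error into library, function and reason;
    map alert-derived reasons back to the TLS alert the peer sent."""
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    return {"lib": lib, "func": func, "reason": reason,
            "alert": alert, "alert_name": TLS_ALERTS.get(alert)}


def unwrap(text):
    """Rejoin log lines wrapped by a mail client: a line that does not start
    with a timestamp is a continuation of the previous line."""
    out = []
    for line in text.splitlines():
        if TS_RE.match(line) or not out:
            out.append(line)
        else:
            out[-1] = out[-1].rstrip() + " " + line.strip()
    return out


def parse_cache_log(text):
    """Return one event dict per 'Error negotiating SSL connection' line."""
    events = []
    for line in unwrap(text):
        m = ERR_RE.match(line)
        if not m:
            continue  # other cache.log lines (ICP, SNMP, ...) are ignored
        ev = decode_openssl_error(int(m.group("code"), 16))
        ev.update(ts=m.group("ts"), fd=int(m.group("fd")),
                  lib_text=m.group("lib_text"), func_text=m.group("func_text"),
                  reason_text=m.group("reason_text").strip(),
                  ssl_error=int(m.group("ssl_error")), ret=int(m.group("ret")))
        ev["ssl_error_name"] = SSL_GET_ERROR.get(ev["ssl_error"], "unknown")
        events.append(ev)
    return events


def summarize(events):
    """Count failures by peer-sent alert name, or by OpenSSL reason text when
    the failure was not a received alert."""
    return Counter(e["alert_name"] or e["reason_text"] for e in events)


if __name__ == "__main__":
    evs = parse_cache_log(SAMPLE_LOG)
    for e in evs:
        print(f'{e["ts"]} FD {e["fd"]}: lib={e["lib"]} func={e["func"]} reason={e["reason"]} '
              f'alert={e["alert"]} ({e["alert_name"]}) {e["ssl_error_name"]}/ret={e["ret"]}')
    print(dict(summarize(evs)))
```

Run it on a real cache.log with `parse_cache_log(open("/var/log/squid3/cache.log").read())`; a result whose alert is not None tells you the peer of that FD rejected something during the handshake, so the next place to look is that peer's view of the certificate it was shown, not Squid's sslproxy_cert_error settings.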


