[squid-users] [3.5.9]: Error negotiating SSL connection on FD 12: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)

David Touzeau david at articatech.com
Sat Oct 3 21:01:58 UTC 2015



Le 02/10/2015 04:49, Amos Jeffries a écrit :
> On 2/10/2015 11:18 a.m., David Touzeau wrote:
>> Dear
>>
>> I'm using Squid Cache: Version 3.5.9-20150922-r13918 in transparent mode
>> with SSL hooked
>> In my config, i did not bump any site ( just to pass SSL protocol to
>> squid in transparent mode)
>>
>> I'm trying to connect to https://raj2796.wordpress.com
>>
>> In cache.log
>>
>> 2015/10/02 00:07:05 kid1| Accepting NAT intercepted SSL bumped HTTPS
>> Socket connections at local=0.0.0.0:53695 remote=[::] FD 100 flags=41
>> 2015/10/02 00:07:05 kid1| Accepting ICP messages on [::]:3130
>> 2015/10/02 00:07:05 kid1| Sending ICP messages from [::]:3130
>> 2015/10/02 00:07:05 kid1| Accepting SNMP messages on [::]:3401
>> 2015/10/02 00:07:10 kid1| Error negotiating SSL connection on FD 12:
>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
>> unknown (1/0)
>> 2015/10/02 00:07:20 kid1| Error negotiating SSL connection on FD 17:
>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
>> unknown (1/0)
>> 2015/10/02 00:07:21 kid1| Error negotiating SSL connection on FD 17:
>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
>> unknown (1/0)
>> 2015/10/02 00:07:21 kid1| Error negotiating SSL connection on FD 17:
>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
>> unknown (1/0)
>> 2015/10/02 00:09:10 kid1| Error negotiating SSL connection on FD 114:
>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
>> unknown (1/0)
>>
>> And i'm unable to display the web site, browser is freeze when trying to
>> open website...
>>
>> How can i bypass this website and force squid to not analyze certificate
>> on *.wordpress.com ?
>>
> Couple of problems...
>
>> My config
>> https_port 0.0.0.0:53695  intercept ssl-bump
>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>> cert=/etc/squid3/ssl/cb623e9bfc65772f68b84393604cd6ea.dyn
>> options=NO_SSLv3 dhparams=/etc/squid3/ssl/dhparam.pem
> No SSLv3, but SSLv2 is allowed. TLS version negotiation relies on a
> range of protocol versions from N to N+x being selectable. If you poke
> holes by denying one version in the middle problems arise.
>
> NP: SSLv2 was only removed in Squid-4.
>
> This alone is probably your problem. But there is more you should fix to
> prevent later troubles.
>
>
>> acl ssl_step1 at_step SslBump1
>> acl ssl_step2 at_step SslBump2
>> acl ssl_step3 at_step SslBump3
>> ssl_bump peek ssl_step1
>> ssl_bump splice all
> With splice none of the ssl_proxy_* options are relevant. Apart from
> initial peeking a few bytes the TLS/SSL should be blindly tunnelled
> between client and server.
>
> We intend the above config to operate as if the client has sent an
> explicit-proxy a CONNECT and Squid without SSL support had received and
> enacted it. Sans bugs we have not found yet, that is how 3.5.8 and later
> operate.
>
>
>> sslproxy_cipher
>> EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>>
> This tells Squid to use EEC* and EC* ciphers. Squid-3.5 and older do not
> support those.
>
>
>> sslproxy_version 0
>> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
>> sslproxy_cert_error allow all
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

Hi, thanks for those points.

Changed the config, removed all unnecessary config, and upgraded to Squid 
3.5.10; this did not resolve the issue.
Web site still not browsable...

Notice that using a non-transparent port on Squid allows the site to be 
displayed without any issue..


Best regards
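The version-range point Amos raises in the quoted reply (NO_SSLv3 set while SSLv2, still present in Squid 3.5, remains negotiable) can be checked mechanically. The following is an added example, not code from this thread or from the Squid project; it assumes the OpenSSL-style option names that Squid 3.5 accepts in options= and sslproxy_options (NO_SSLv2, NO_SSLv3, NO_TLSv1, NO_TLSv1_1, NO_TLSv1_2) and treats SSLv2 as supported, since the thread says it was only removed in Squid-4. It flags disabled versions that sit between enabled ones and proposes the extra NO_* flags that turn the enabled set back into one contiguous range.

```python
# Added example (not from the squid-users thread or the Squid project):
# check a Squid options=/sslproxy_options value for holes in the SSL/TLS
# version range and propose the NO_* flags that close them.
# Assumptions: these are the OpenSSL-style names Squid 3.5 accepts, and
# SSLv2 support is still compiled in (removed only in Squid-4).

# Protocol versions in negotiation order, oldest to newest.
VERSIONS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2"]


def parse_options(option_string):
    """Split a comma-separated options= value into individual flags."""
    return [o.strip() for o in option_string.split(",") if o.strip()]


def enabled_versions(option_string):
    """Versions still negotiable after every NO_<version> flag is applied."""
    disabled = {o[3:] for o in parse_options(option_string) if o.startswith("NO_")}
    return [v for v in VERSIONS if v not in disabled]


def range_holes(option_string):
    """Disabled versions lying between the oldest and newest enabled ones."""
    enabled = enabled_versions(option_string)
    if not enabled:
        return []
    lo = VERSIONS.index(enabled[0])
    hi = VERSIONS.index(enabled[-1])
    return [v for v in VERSIONS[lo:hi + 1] if v not in enabled]


def is_contiguous(option_string):
    """True when the enabled versions form one unbroken range."""
    return not range_holes(option_string)


def suggest_fix(option_string):
    """Close the holes by also disabling every version older than the newest hole.

    Raising the floor is the safe direction: the result keeps only versions
    newer than anything the operator already chose to disable.
    """
    holes = range_holes(option_string)
    if not holes:
        return option_string
    newest_hole = VERSIONS.index(holes[-1])
    opts = parse_options(option_string)
    for v in VERSIONS[:newest_hole]:
        if "NO_" + v not in opts:
            opts.append("NO_" + v)
    return ",".join(opts)


if __name__ == "__main__":
    # Constructed samples: the https_port value from the thread, the later
    # sslproxy_options value, and a two-hole case.
    for sample in ["NO_SSLv3",
                   "NO_SSLv2,NO_SSLv3,SINGLE_DH_USE",
                   "NO_SSLv3,NO_TLSv1_1"]:
        print(sample)
        print("  enabled :", enabled_versions(sample))
        print("  holes   :", range_holes(sample))
        if not is_contiguous(sample):
            print("  suggest :", suggest_fix(sample))
```

Run against the https_port line from the thread, "NO_SSLv3" reports SSLv3 as a hole with SSLv2 still enabled below it and proposes adding NO_SSLv2, which is exactly the sslproxy_options value already in the config; the two lines should agree.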




