[squid-users] 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
David Touzeau
david at articatech.com
Thu Apr 27 20:27:47 UTC 2017
Hi Yuri,
I do not know whether Squid has the Symantec intermediate certificate.
Squid is installed as default...
Any howto?
-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of Yuri Voinov
Sent: Thursday, 27 April 2017 22:09
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Look. It can be an intermediate certificates issue.
Does Squid have the Symantec intermediate certificates?
27.04.2017 22:47, David Touzeau wrote:
> Hi,
> I'm unable to access the https://www.boutique.afnor.org website.
> I would like to know whether this issue cannot be fixed and I must deny
> bumping this website to fix it.
> Without Squid the website is displayed correctly.
>
> Squid shows an error page with "(71) Protocol error (TLS code:
> SQUID_ERR_SSL_HANDSHAKE)"
>
> In cache.log: "Error negotiating SSL on FD 17:
> error:00000000:lib(0):func(0):reason(0) (5/0/0)"
>
> Using the following configuration:
>
> http_port 0.0.0.0:3128 name=MyPortNameID20 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/0c451f46b4d05031560d8195f30165cb.dyn
> sslproxy_foreign_intermediate_certs /etc/squid3/intermediate_ca.pem
> sslcrtd_program /lib/squid3/ssl_crtd -s /var/lib/squid/session/ssl/ssl_db -M 8MB
> sslcrtd_children 16 startup=5 idle=1
> acl FakeCert ssl::server_name .apple.com
> acl FakeCert ssl::server_name .icloud.com
> acl FakeCert ssl::server_name .mzstatic.com
> acl FakeCert ssl::server_name .dropbox.com
> acl ssl_step1 at_step SslBump1
> acl ssl_step2 at_step SslBump2
> acl ssl_step3 at_step SslBump3
> ssl_bump peek ssl_step1
> ssl_bump splice FakeCert
> ssl_bump bump ssl_step2 all
> ssl_bump splice all
>
> sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
> sslproxy_cipher ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
> sslproxy_flags DONT_VERIFY_PEER
> sslproxy_cert_error allow all
>
>
>
> OpenSSL info
> --------------------------------------------------------------------------------
>
> openssl s_client -connect 195.115.26.58:443 -showcerts
>
> CONNECTED(00000003)
> depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
> verify return:1
> depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
> verify return:1
> depth=0 C = FR, ST = Seine Saint Denis, L = ST DENIS, O = ASSOCIATION FRANCAISE DE NORMALISATION, OU = ASSOCIATION FRANCAISE DE NORMALISATION, CN = www.boutique.afnor.org
> verify return:1
> ---
> Certificate chain
>  0 s:/C=FR/ST=Seine Saint Denis/L=ST DENIS/O=ASSOCIATION FRANCAISE DE NORMALISATION/OU=ASSOCIATION FRANCAISE DE NORMALISATION/CN=www.boutique.afnor.org
>    i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
> -----BEGIN CERTIFICATE-----
> ../..
> -----END CERTIFICATE-----
>  1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
>    i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
> -----BEGIN CERTIFICATE-----
> ../..
> -----END CERTIFICATE-----
> ---
> Server certificate
> subject=/C=FR/ST=Seine Saint Denis/L=ST DENIS/O=ASSOCIATION FRANCAISE DE NORMALISATION/OU=ASSOCIATION FRANCAISE DE NORMALISATION/CN=www.boutique.afnor.org
> issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 3105 bytes and written 616 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES128-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : AES128-SHA
>     Session-ID: 833B0000A2346F50C5AAFC6B5188B4EBD9304CD25411BECFF0713F8D76C65D9D
>     Session-ID-ctx:
>     Master-Key: D2DF6C62264D03D7D44AF44EB8C0B1B7AD0E650D34DF6EBEB1CBEBFE4F30CB9C6F5080AA94F5D6B5955DD8DF06608416
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1493311275
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
> read:errno=0
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
--
Bugs to the Future
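Yuri's question above is whether Squid can find the intermediate CA that issued the origin's certificate. The shell script below is an added example, not code from the thread, from Squid or from the posters: it builds a throw-away root / intermediate / leaf PKI with openssl and then checks the leaf the way a verifier that trusts only the root does. It shows the three cases that matter here: the server sends a bare leaf and the chain cannot be built; the server sends leaf plus intermediate (as the s_client capture above shows the AFNOR server doing) and the chain verifies; the server sends a bare leaf but the intermediate is supplied from a local file, which is the role Squid's sslproxy_foreign_intermediate_certs file plays. All names, the hostname www.example.test and the temporary paths are constructed for the example.

```shell
#!/bin/sh
# Added example for the squid-users thread; not Squid's code nor the posters'.
# Builds a constructed PKI  root CA -> intermediate CA -> leaf (www.example.test)
# and verifies the leaf against the root only, the way a browser or a bumping
# proxy has to.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build root, intermediate and leaf. Intermediate and leaf extensions are given
# explicitly so the result does not depend on the local openssl.cnf.
build_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1 || return 1

    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Intermediate CA" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1 || return 1
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/int.ext"
    openssl x509 -req -sha256 -days 30 -in "$WORK/int.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/int.ext" -out "$WORK/int.pem" >/dev/null 2>&1 || return 1

    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=www.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1 || return 1
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\nextendedKeyUsage=serverAuth\n' \
        > "$WORK/leaf.ext"
    openssl x509 -req -sha256 -days 30 -in "$WORK/leaf.csr" \
        -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
        -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1 || return 1

    # Two constructed "captures" in the shape `openssl s_client -showcerts` prints:
    cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/full_chain.pem"  # server sends its chain
    cp  "$WORK/leaf.pem" "$WORK/bare_leaf.pem"                      # server sends only the leaf
}

# Split a showcerts-style capture: the first PEM block is the leaf, any further
# blocks are intermediates the server sent. Prints how many intermediates it sent.
split_bundle() {  # $1 = capture file
    : > "$WORK/split_leaf.pem"
    : > "$WORK/split_sent.pem"
    awk -v dir="$WORK" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print > (dir "/split_leaf.pem") }
        n >= 2 { print > (dir "/split_sent.pem") }
        END    { print (n > 1 ? n - 1 : 0) }' "$1"
}

# Verify the captured leaf with the root as the only trust anchor, using the
# intermediates the server sent plus, optionally ($2), a local store of foreign
# intermediates (what sslproxy_foreign_intermediate_certs supplies to Squid).
# Exit 0 means a chain to the root could be built.
verify_capture() {  # $1 = capture file, $2 = optional intermediate store
    split_bundle "$1" >/dev/null
    cat "$WORK/split_sent.pem" ${2:+"$2"} > "$WORK/untrusted.pem"
    if [ -s "$WORK/untrusted.pem" ]; then
        openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/untrusted.pem" \
            "$WORK/split_leaf.pem" >/dev/null 2>&1
    else
        openssl verify -CAfile "$WORK/root.pem" "$WORK/split_leaf.pem" >/dev/null 2>&1
    fi
}

demo() {
    build_pki || { echo "could not build the constructed PKI"; return 1; }
    for capture in bare_leaf full_chain; do
        if verify_capture "$WORK/$capture.pem"; then
            echo "$capture.pem: chain OK (server sent $(split_bundle "$WORK/$capture.pem") intermediate(s))"
        else
            echo "$capture.pem: chain FAILS, the verifier cannot find the leaf's issuer"
        fi
    done
    # The fix for a server that sends a bare leaf: supply the intermediate locally.
    if verify_capture "$WORK/bare_leaf.pem" "$WORK/int.pem"; then
        echo "bare_leaf.pem + local intermediate store: chain OK"
    fi
}

demo
```

To run the same check against a real origin, feed `verify_capture` the output of `openssl s_client -connect host:443 -showcerts` saved to a file, with the system CA bundle in place of root.pem. One caveat on the posted configuration: it carries `sslproxy_flags DONT_VERIFY_PEER` and `sslproxy_cert_error allow all`, which make Squid accept origin certificates that fail verification, so a chain that cannot be built would not by itself be rejected there, and it also means the proxy would bump a forged origin without complaint; the script demonstrates the mechanism Yuri asks about, not the exact failure in the report.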