[squid-users] SSL TAG_NONE/503 errors

Hugo Saavedra hugo.saavedra.oteiza at gmail.com
Wed Dec 6 23:40:55 UTC 2017


Oops! We have another problem here; does anyone know what this is?

2017/12/06 19:30:23 kid1| SECURITY ALERT: on URL: login.live.com:443
2017/12/06 19:30:23 kid1| SECURITY ALERT: Host header forgery detected
on local=131.253.61.100:443 remote=192.168.10.2:59041 FD 126 flags=33
(local IP does not match any domain IP)
2017/12/06 19:30:23 kid1| SECURITY ALERT: on URL: login.live.com:443
2017/12/06 19:30:37 kid1| SECURITY ALERT: Host header forgery detected
on local=131.253.61.100:443 remote=192.168.10.2:59042 FD 106 flags=33
(local IP does not match any domain IP)
2017/12/06 19:30:37 kid1| SECURITY ALERT: on URL: login.live.com:443
2017/12/06 19:30:37 kid1| SECURITY ALERT: Host header forgery detected
on local=131.253.61.100:443 remote=192.168.10.2:59043 FD 107 flags=33
(local IP does not match any domain IP)
2017/12/06 19:30:37 kid1| SECURITY ALERT: on URL: login.live.com:443

Thanks

2017-12-06 16:56 GMT-03:00 Hugo Saavedra <hugo.saavedra.oteiza at gmail.com>:
> Solution found: we commented out the sslproxy_cipher line and it works!
> Are there any security issues if we leave the default options for this variable?
>
> thanks
> Hugo
>
> 2017-12-06 16:21 GMT-03:00 Alex Rousskov <rousskov at measurement-factory.com>:
>> On 12/06/2017 12:06 PM, Hugo Saavedra wrote:
>>> 2017/12/06 16:02:37 kid1| Error negotiating SSL connection on FD 61:
>>> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>>> (1/0)
>>
>> You may be able to fix this problem by updating your collection of
>> public CA certificates. Squid uses CA certificates to validate
>> certificates presented by origin servers. You may be able to confirm
>> that your collection is stale and know more (e.g., which CA certificate
>> is unknown) if you can map the above error to an access.log entry that
>> would give you the origin server name to interrogate.
>>
>> Similar reasoning applies to other SSL-related cache.log errors as well,
>> but troubleshooting them may require more effort (e.g., starting with
>> higher debugging levels and/or packet captures).
>>
>> Alex.
>
>
>
> --
> Regards,
> Hugo Saavedra



-- 
Regards,
Hugo Saavedra
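The "Host header forgery detected ... (local IP does not match any domain IP)" alerts in the message above are Squid's host-verification check on intercepted (SSL-bumped) connections: the IP address the client actually connected to (the local= side) must be one of the addresses the claimed hostname resolves to from the proxy's point of view. The script below is an added example, not code from this thread or from Squid itself: it parses the alert lines into paired events, summarises them per hostname and client, and re-runs the same destination-IP check against a resolver, which is the kind of triage Alex suggests (map the alert to a server name and interrogate it). The log sample is the thread's own lines rejoined into single lines (Squid writes each alert on one line); the DNS answer is a constructed, made-up view using documentation-range addresses; and `parse_alerts`, `triage`, `host_matches_destination` and the two resolver functions are names chosen here.

```python
import re
import socket
from collections import defaultdict

# Squid writes each alert on a single cache.log line; the pair below matches the
# "Host header forgery" line and the "on URL:" line that Squid logs right after it.
FORGERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) kid\d+\| SECURITY ALERT: Host header forgery detected "
    r"on local=(?P<local_ip>\[[^\]]+\]|[^\s:]+):(?P<local_port>\d+) "
    r"remote=(?P<remote_ip>\[[^\]]+\]|[^\s:]+):(?P<remote_port>\d+) "
    r"FD (?P<fd>\d+) flags=\d+ \((?P<reason>[^)]*)\)$"
)
URL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) kid\d+\| SECURITY ALERT: on URL: (?P<host>[^:\s]+):(?P<port>\d+)$"
)

# Constructed sample: the thread's own alert lines, rejoined onto single lines.
SAMPLE_CACHE_LOG = """\
2017/12/06 19:30:23 kid1| SECURITY ALERT: on URL: login.live.com:443
2017/12/06 19:30:23 kid1| SECURITY ALERT: Host header forgery detected on local=131.253.61.100:443 remote=192.168.10.2:59041 FD 126 flags=33 (local IP does not match any domain IP)
2017/12/06 19:30:23 kid1| SECURITY ALERT: on URL: login.live.com:443
2017/12/06 19:30:37 kid1| SECURITY ALERT: Host header forgery detected on local=131.253.61.100:443 remote=192.168.10.2:59042 FD 106 flags=33 (local IP does not match any domain IP)
2017/12/06 19:30:37 kid1| SECURITY ALERT: on URL: login.live.com:443
2017/12/06 19:30:37 kid1| SECURITY ALERT: Host header forgery detected on local=131.253.61.100:443 remote=192.168.10.2:59043 FD 107 flags=33 (local IP does not match any domain IP)
2017/12/06 19:30:37 kid1| SECURITY ALERT: on URL: login.live.com:443
""".splitlines()

# Constructed DNS view "as seen by the proxy" (made-up documentation-range addresses).
# It deliberately lacks the clients' destination 131.253.61.100, which reproduces
# the mismatch reported in the thread.
CONSTRUCTED_DNS = {"login.live.com": {"203.0.113.10", "203.0.113.11"}}


def constructed_resolver(host):
    """Offline stand-in for DNS: the set of IPs the proxy would get for host."""
    return CONSTRUCTED_DNS.get(host, set())


def dns_resolver(host):
    """Live resolver for real use (not called by the offline sample)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()


def parse_alerts(lines):
    """Pair each forgery line with the 'on URL:' line Squid logs right after it.
    An 'on URL:' line with no preceding forgery line (truncated log) is skipped."""
    events, pending = [], None
    for line in lines:
        line = line.rstrip("\n")
        m = FORGERY_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = URL_RE.match(line)
        if m and pending is not None:
            pending["host"] = m.group("host")
            pending["port"] = int(m.group("port"))
            events.append(pending)
            pending = None
    return events


def host_matches_destination(host, local_ip, resolve):
    """Squid's host-verify rule: the IP the client actually connected to (local=)
    must be one of the addresses the claimed hostname resolves to."""
    return local_ip in resolve(host)


def triage(events, resolve):
    """Summarise alerts per hostname and re-run the check with our own resolver."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    report = {}
    for host, evs in by_host.items():
        report[host] = {
            "alerts": len(evs),
            "destination_ips": sorted({e["local_ip"] for e in evs}),
            "resolved_ips": sorted(resolve(host)),
            "clients": sorted({e["remote_ip"] for e in evs}),
            "matches_now": all(
                host_matches_destination(host, e["local_ip"], resolve) for e in evs
            ),
        }
    return report


if __name__ == "__main__":
    for host, info in triage(parse_alerts(SAMPLE_CACHE_LOG), constructed_resolver).items():
        print(host, info)
```

Swap `constructed_resolver` for `dns_resolver` to run the check from the proxy host against real cache.log lines. If the report shows that the destination IPs the clients used are valid addresses for the name but are absent from the proxy's own answer, the alert is the proxy and the clients resolving the name differently (separate DNS servers, or load-balanced answers that change between queries) rather than a forged Host header; having clients and proxy share one resolver removes that source of false alarms, while a destination IP that no resolver returns for the name is the case the check exists to catch and is worth examining on the client.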

