[squid-users] A bunch of SSL errors I am not sure why

Sameh Onaissi sameh.onaissi at solcv.com
Wed Jan 18 14:50:48 UTC 2017


The server is ubuntu 16.04

Clients are mostly Windows 7 Pro, Windows 8.1 Pro, Windows 10 Pro and a few Mac OS El Capitan 10.11





[cid:2FD1C3AB-E45C-49F0-84AB-0F8AC658BD11 at routerb408e2.com]Piensa en el medio ambiente antes de imprimir este email.

On Jan 18, 2017, at 9:39 AM, Eliezer Croitoru <eliezer at ngtech.co.il<mailto:eliezer at ngtech.co.il>> wrote:

You will need to verify if there is an update to the certificates of the OS.
I know that couple authorities certificates was removed in the last month or two and it might be because of this.
What OS are you using?

----
Eliezer Croitoru<http://ngtech.co.il/lmgtfy/>
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il<mailto:eliezer at ngtech.co.il>
<image004.png>

From: Sameh Onaissi [mailto:sameh.onaissi at solcv.com]
Sent: Wednesday, January 18, 2017 4:32 PM
To: Eliezer Croitoru <eliezer at ngtech.co.il<mailto:eliezer at ngtech.co.il>>
Subject: Fwd: [squid-users] A bunch of SSL errors I am not sure why

Hello Eliezer, all

Sorry for the late reply.

When I configure the browser to access a non intercept port, the errors do not show up and the site is accessed without a problem.

The client machine has the .crt file installed, but still shows the error.

Other pages with errors:
http://pasteboard.co/nA20FD7om.png
http://pasteboard.co/nA2yWRyTE.png

Here is the second page in a browser without an intercepted port:
http://pasteboard.co/nA39CEFGU.png



Thanks in advance.
Some of these sites are used to pay company bills, so it’s important to get this issue resolves ASAP.
Worth mentioning that this was not a problem about 10 days ago.

Thanks again!
<image002.png>

Sameh Onaissi
Ingeniero de Soporte
Sol Cable Visión
Cel: 316-3023424
Email: sameh.onaissi at solcv.com<mailto:sameh.onaissi at solcv.com>



<image003.jpg>Piensa en el medio ambiente antes de imprimir este email.

On Jan 15, 2017, at 3:59 AM, Eliezer Croitoru <eliezer at ngtech.co.il<mailto:eliezer at ngtech.co.il>> wrote:

Non intercepted is not bypassed…
Squid has coupe options for the “http_port” option.
One that you are using is intercept and the other is without intercept.
What happens when you try to connect to this website when you are defining another port without “Intercept”  and define the proxy in the browser settings?
Let me know if something is missing in the picture.

Eliezer

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il<mailto:eliezer at ngtech.co.il>


From: Sameh Onaissi [mailto:sameh.onaissi at solcv.com]
Sent: Sunday, January 15, 2017 3:25 AM
To: Eliezer Croitoru <eliezer at ngtech.co.il<mailto:eliezer at ngtech.co.il>>
Cc: Amos Jeffries <squid3 at treenet.co.nz<mailto:squid3 at treenet.co.nz>>; squid-users at lists.squid-cache.org<mailto:squid-users at lists.squid-cache.org>
Subject: Re: [squid-users] A bunch of SSL errors I am not sure why

Hello,

I assume bypassed are non intercepted? Once the site IP is on the bypass list, it opened without an issue. There are a few other .http://gov.co<http://gov.co/> sites who have the same problem too.

Attached is a screenshot of the error before I added the site to the bypass list.

squid -v
Squid Cache: Version 3.5.22
Service Name: squid
Ubuntu linux
configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now -Wl,--as-needed' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,smb_lm' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,time_quota,unix_group,wbinfo_group' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--with-openssl' '--enable-ssl' '--enable-ssl-crtd' '--enable-build-info=Ubuntu linux' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now -Wl,--as-needed' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security'





@ Amos:

"* Check that the set of "global trusted CA" installed on your Squid machiene is up to date.”
I recreated the set recently.


* Try the latest Squid-4, which can auto-download intermediate certificates.

Is squid-4 stable for production?

Thank you,



Sameh Onaissi
Sol Cable Visión
Cel: 316-3023424
Email: mailto:sameh.onaissi at solcv.com



Piensa en el medio ambiente antes de imprimir este email.

On Jan 14, 2017, at 12:07 PM, Eliezer Croitoru <mailto:eliezer at ngtech.co.il> wrote:

I have not experienced this issue on my testing lab when accessing:
https://web.dlinkla.com/websys

$ squid -v
Squid Cache: Version 3.5.23
Service Name: squid
configure options:  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--verbose' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam,fake' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos,wrapper' '--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,LDAP_group,delayer,file_userip,SQL_session,unix_group,session,time_quota' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi' '--enable-ssl-crtd' '--enable-icmp' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' '--with-included-ltdl' '--disable-arch-native' '--enable-ecap' '--without-nettle' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -fPIC' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig' --enable-ltdl-convenience

When the proxy is defined in the browser.
Can you verify if it affects only intercepted connections or also non-intercepted ones?

Thanks,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: mailto:eliezer at ngtech.co.il


-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Amos Jeffries
Sent: Saturday, January 14, 2017 6:51 AM
To: mailto:squid-users at lists.squid-cache.org
Subject: Re: [squid-users] A bunch of SSL errors I am not sure why

On 14/01/2017 4:27 a.m., Sameh Onaissi wrote:

Hello Eliezer, all,


I removed the cipher and the problem is still there:


2017/01/13 10:20:50 kid1| Error negotiating SSL connection on FD 138:
error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
(1/0)

The CA used to sign the remote endpoints certificate is not trusted. Or an intermediary certificate is missing.

* Check that the set of "global trusted CA" installed on your Squid machiene is up to date.

* Try the latest Squid-4, which can auto-download intermediate certificates.



2017/01/13 10:21:05 kid1| Error negotiating SSL connection on FD 191:
error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate
unknown (1/0)
2017/01/13 10:21:17 kid1| Error negotiating SSL connection on FD 194:
error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate
unknown (1/0)
2017/01/13 10:21:17 kid1| Error negotiating SSL connection on FD 198:
error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate
unknown (1/0)
2017/01/13 10:21:18 kid1| Error negotiating SSL connection on FD 194:
error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate
unknown (1/0)
2017/01/13 10:21:18 kid1| Error negotiating SSL connection on FD 194:
error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate
unknown (1/0)
2017/01/13 10:21:19 kid1| Error negotiating SSL connection on FD 194:
error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate
unknown (1/0)

The obsolete SSL protocol is being used.



2017/01/13 10:21:24 kid1| Error negotiating SSL connection on FD 163:
Closed by client

The client disconnected. You can do nothing about that.


2017/01/13 10:21:39 kid1| Error negotiating SSL connection on FD 250:
error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
(1/0)
2017/01/13 10:21:42 kid1| Error negotiating SSL on FD 298:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate
verify failed (1/-1/0)

"certificate verify failed" says what it means.


2017-01-13 10:21:53 [29866] Request(everyone/deny/-)
https://accounts.youtube.com/accounts/CheckConnection?pmpo=https://acc
ounts.google.com<http://ounts.google.com/>&v=-1574475776&timestamp=1484320896449
10.0.0.127/10.0.0.127 - GET REDIRECT
2017/01/13 10:21:56 kid1| Error negotiating SSL connection on FD 109:
error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
(1/0)
2017/01/13 10:21:56 kid1| Error negotiating SSL connection on FD 309:
error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate
unknown (1/0)
2017/01/13 10:22:25 kid1| Error negotiating SSL connection on FD 155:
Closed by client

Amos

_______________________________________________
squid-users mailing list
mailto:squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
mailto:squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170118/624cbab8/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Image 5-5-16 at 11.48 AM.jpg
Type: image/jpeg
Size: 4083 bytes
Desc: Image 5-5-16 at 11.48 AM.jpg
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170118/624cbab8/attachment-0001.jpg>


More information about the squid-users mailing list