[squid-users] squid-users Digest, Vol 31, Issue 3
Adrian Miller
adrian.m.miller at gmail.com
Thu Mar 2 03:14:53 UTC 2017
Disregard last message, it seemed to work...once - quite possible I had the
proxy toggled off at the time...sheesh
Reverted my cipher chain back to the original and leaving the hell alone,
will send the site admin an email instead of fiddling further
On 2 March 2017 at 14:04, <squid-users-request at lists.squid-cache.org> wrote:
> Send squid-users mailing list submissions to
> squid-users at lists.squid-cache.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.squid-cache.org/listinfo/squid-users
> or, via email, send a message with subject or body 'help' to
> squid-users-request at lists.squid-cache.org
>
> You can reach the person managing the list at
> squid-users-owner at lists.squid-cache.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of squid-users digest..."
>
>
> Today's Topics:
>
> 1. Re: SSL Bump and Certificate issue - RapidSSL Intermediate
> Cert (stylemessiah)
> 2. Re: Failed to shm_open (Amos Jeffries)
> 3. Re: Failed to shm_open (Amos Jeffries)
> 4. Re: SSL Bump and Certificate issue - RapidSSL Intermediate
> Cert (stylemessiah)
> 5. Re: SSL Bump and Certificate issue - RapidSSL Intermediate
> Cert (stylemessiah)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 1 Mar 2017 09:03:47 -0800 (PST)
> From: stylemessiah <adrian.m.miller at gmail.com>
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] SSL Bump and Certificate issue - RapidSSL
> Intermediate Cert
> Message-ID: <CAOLOQx36wSy24sDDS-Qm=BSAeGsS5oiT5kGK5kP7s=sMQEffpQ@mail.gmail.com>
> Content-Type: text/plain; charset=us-ascii
>
> Thanks Amos for the info, appreciate your tireless assistance for us
> numpties :)
>
> On 2 Mar. 2017 4:06 am, "Amos Jeffries [via Squid Web Proxy Cache]" <ml-node+s1019090n4681642h47 at n4.nabble.com> wrote:
>
> > On 1/03/2017 4:58 a.m., stylemessiah wrote:
> >
> > > This is driving me nuts, it's the only issue I've found running SSL bump on
> > > my home network for eons
> > >
> > > I can't see image thumbnails on xda-developers...
> > >
> > > When I access a thread with them, I get text links, not thumbnails, and
> > > if I click on the links I get the following:
> > >
> > >
> > > (71) Protocol error (TLS code:
> > > X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
> > >
> > > SSL Certficate error: certificate issuer (CA) not known:
> > > /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
> > >
> > > I figured out by googling how to (I hope) trace the problem certificate
> > > via s_client:
> > >
> > >
> > > OpenSSL> s_client -showcerts -verify 32 -connect dl.xda-developers.com:443
> > > verify depth is 32
> > > CONNECTED(0000012C)
> > > depth=0 CN = *.xda-developers.com
> > > verify error:num=20:unable to get local issuer certificate
> > > verify return:1
> > > depth=0 CN = *.xda-developers.com
> > > verify error:num=21:unable to verify the first certificate
> > > verify return:1
> >
> > That command you used does not send data through the proxy. So that
> > confirms that the server's TLS is broken in a way unrelated to Squid.
> >
> >
> >
> > > ---
> > > Certificate chain
> > > 0 s:/CN=*.xda-developers.com
> > > i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
> > ...
> >
> > > ---
> > > Server certificate
> > > subject=/CN=*.xda-developers.com
> > > issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
> > > ---
> > > No client certificate CA names sent
> > > Peer signing digest: SHA512
> > > Server Temp Key: ECDH, P-256, 256 bits
> > > ---
> > > SSL handshake has read 2067 bytes and written 302 bytes
> > > Verification error: unable to verify the first certificate
> >
> > >
> > > I've found the intermediate bundle from RapidSSL, and added it to my
> > > existing pem bundle...no change
> >
> > You need to locate the root CA and/or intermediate CA certificates used
> > to sign the domain server's certificate.
> >
> > You then need to identify *why* they are not being trusted by your OS
> > library.
> >
> > Be sure to determine whether the CA which is missing is actually
> > trustworthy before adding it to your trusted set. More than a few of the
> > CA which are around are not trusted because they have been hacked or
> > caught signing forged certificates they should not have.
> >
> >
> > > Added as a separate pem i.e. sslproxy_foreign_intermediate_certs
> > > /cygdrive/e/Squid/etc/ssl/extra-intermediate-CA.pem...no change
> > >
> > > My sslbump related config lines are:
> > >
> > > http_port 127.0.0.1:3128 ssl-bump generate-host-certificates=on
> > > dynamic_cert_mem_cache_size=10MB cert=/cygdrive/e/Squid/etc/ssl/myCA.pem
> > > capath=/cygdrive/e/Squid/etc/ssl
> > > cafile=/cygdrive/e/Squid/etc/ssl/extra-intermediate-CA.pem
> > > tls-dh=/cygdrive/e/Squid/etc/ssl/dhparam.pem
> > > options=NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE
> >
> > PS. EECDH will not work unless you configure a curve name in the
> > tls-dh= option. Just having dhparam.pem alone will only enable the less
> > secure DH ciphers.
> >
> > Amos
> >
> ------------------------------
>
> Message: 2
> Date: Thu, 2 Mar 2017 06:19:27 +1300
> From: Amos Jeffries <squid3 at treenet.co.nz>
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Failed to shm_open
> Message-ID: <97f1176a-f88d-9fbf-28dc-a8c2341dc612 at treenet.co.nz>
> Content-Type: text/plain; charset=utf-8
>
> On 2/03/2017 4:06 a.m., erdosain9 wrote:
> > Hi.
> > Now squid stops... abnormally.
> >
> > 2017/03/01 12:04:31 kid1| helperOpenServers: Starting 5/32 'ssl_crtd'
> > processes
> > FATAL: Ipc::Mem::Segment::open failed to
> > shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory
> >
> > Squid Cache (Version 3.5.20): Terminated abnormally.
> > CPU Usage: 0.095 seconds = 0.074 user + 0.021 sys
> > Maximum Resident Size: 134144 KB
> > Page faults with physical i/o: 0
> > 2017/03/01 12:04:31| Set Current Directory to /var/spool/squid
> >
> > What has happened??
> >
>
> One of three things, in order of likelihood:
>
> a) your OS does not have /dev/shm running.
>
> b) your Squid was not started with appropriate privileges to access
> /dev/shm and create the shared-memory area, i.e. root.
>
> c) a previous Squid process that was supposed to create that
> shared-memory area is not running.
>
>
> Amos
>
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 2 Mar 2017 06:24:35 +1300
> From: Amos Jeffries <squid3 at treenet.co.nz>
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Failed to shm_open
> Message-ID: <3245dc48-4a84-ffe4-5952-ee09921efd8f at treenet.co.nz>
> Content-Type: text/plain; charset=utf-8
>
> On 2/03/2017 4:21 a.m., erdosain9 wrote:
> > no shared cipher
>
> Exactly what it says. There are no ciphers which both the client and
> the server are allowing to be used.
>
> One example of this is a client that only speaks SSLv2 and a server that
> speaks only TLS/1.3.
>
> You will have to dig a bit deeper to figure out what ciphers are needed.
> Unfortunately Squid does not have much useful debug information in this
> area yet.
>
> Amos
>
>
>
> ------------------------------
>
> Message: 4
> Date: Wed, 1 Mar 2017 17:57:30 -0800 (PST)
> From: stylemessiah <adrian.m.miller at gmail.com>
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] SSL Bump and Certificate issue - RapidSSL
> Intermediate Cert
> Message-ID: <CAOLOQx3n5MSOZHTiKSZJ8BfA=Q=LNd7KCVsncgLz2QZt0XaEOQ at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> >That command you used does not send data through the proxy. So that
> >confirms that the server's TLS is broken in a way unrelated to Squid.
>
> As that may be, when I go direct (sans proxy) I get thumbnails...no issues
> Toggle the proxy back on and no thumbnails, and opening an image link gives
> the error initially reported.
>
> (71) Protocol error (TLS code:
> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
>
> SSL Certficate error: certificate issuer (CA) not known:
> /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
>
> So both IE and FF will just load anything from dl.xda-developers.com and
> not register an issue, but squid will refuse to load the content and generate
> the error
>
> >You need to locate the root CA and/or intermediate CA certificates used
> >to sign the domain server's certificate.
>
> >You then need to identify *why* they are not being trusted by your OS
> >library.
>
> >Be sure to determine whether the CA which is missing is actually
> >trustworthy before adding it to your trusted set. More than a few of the
> >CA which are around are not trusted because they have been hacked or
> >caught signing forged certificates they should not have.
>
> I always learn something when you're silly enough to reply :)
>
> When I ran dl.xda-developers.com through ssllabs (thanks Google), it gave
> me a less than glowing report, including
> an incomplete cert chain (I say that like I understand it :) ) or as it put
> it:
>
> This server is vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224)
> <https://community.qualys.com/blogs/securitylabs/2014/06/13/ssl-pulse-49-vulnerable-to-cve-2014-0224-14-exploitable>
> and exploitable. Grade set to F.
> This server is vulnerable to the OpenSSL Padding Oracle vulnerability (CVE-2016-2107)
> <https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphersuites/>
> and insecure. Grade set to F.
> This server accepts RC4 cipher, but only with older browsers. Grade capped to B.
> <https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what>
> This server's certificate chain is incomplete. Grade capped to B.
>
> Full report here for the curious:
> https://globalsign.ssllabs.com/analyze.html?d=dl.xda-developers.com&hideResults=on
>
> For a few thumbnails I'm not going to torture myself, maybe I'll send the
> forum admin a note instead :)
>
> >PS. EECDH will not work unless you configure a curve name in the
> >tls-dh= option. Just having dhparam.pem alone will only enable the less
> >secure DH ciphers.
>
> I did add a curve to the tls-dh param, I'm guessing it's correct, little info
> on which one to use (grabbing the list from my local openssl had me going
> what the hell)
>
> tls-dh=prime256v1:/cygdrive/e/Squid/etc/ssl/dhparam.pem
>
> Note: this made no difference whatsoever with my issue
>
> Cheers,
>
> Adrian Miller
>
>
> --
> I hate to advocate *drugs*, *alcohol*,* violence *or
> *insanity* to anyone, *but* they've *always* worked for* me*
>
> - Hunter S. Thompson
>
> ------------------------------
>
> Message: 5
> Date: Wed, 1 Mar 2017 18:59:08 -0800 (PST)
> From: stylemessiah <adrian.m.miller at gmail.com>
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] SSL Bump and Certificate issue - RapidSSL
> Intermediate Cert
> Message-ID: <CAOLOQx1-wRQ4RZcTjg6CqAT-mYyaBu-nCaPNkYFg4tW66E=F+w@mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> Decided to fiddle with it one last time....
>
> If I change my cipher entries from
>
> EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>
> to
>
> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
>
> I get content from dl.xda-developers.com just fine
>
> But I won't pretend I understand the cipher chain, or whether the change is
> a good thing
>
>
>
> ------------------------------
>
> End of squid-users Digest, Vol 31, Issue 3
> ******************************************
>
--
I hate to advocate *drugs*, *alcohol*,* violence *or
*insanity* to anyone, *but* they've *always* worked for* me*
- Hunter S. Thompson
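Added worked example (editor's addition; not code from this thread, from stylemessiah, or from the Squid project). It covers two things the digest turns on. First, the X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY error from message 1: the script builds a throwaway root -> intermediate -> leaf PKI, reproduces OpenSSL's "error 20" against a bare leaf (the situation s_client showed, where the server sends only its own cert), then supplies extra intermediates with `openssl verify -untrusted`, which plays roughly the role of the file Squid's sslproxy_foreign_intermediate_certs points at. The error clears only when the supplied file actually contains the leaf's issuer, so the script also shows the first check to run when an added bundle "makes no change": compare the leaf's issuer hash with the added cert's subject hash. Second, Amos's "no shared cipher" explanation from message 3: a helper expands two OpenSSL cipher strings and prints their intersection, run on the two strings from message 5 and on a pair that share nothing. Assumptions: the openssl CLI (1.1.x or 3.x) and standard coreutils are installed; the host name dl.example.test, the CA names, and the functions verify_leaf, issuer_matches and shared_ciphers are mine; the unrelated-CA case illustrates one way an added bundle can fail to help and is not a diagnosis of the thread's server.

```shell
#!/bin/sh
# Added example for this thread; not code from the thread or from Squid.
# Part 1 reproduces X509 error 20 (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
# with a throwaway root -> intermediate -> leaf PKI and shows that an extra
# intermediate file only helps when it holds the leaf's actual issuer.
# Part 2 shows what "no shared cipher" means by intersecting two OpenSSL cipher
# strings. Needs the openssl CLI (1.1.x or 3.x); every name below is made up.
set -eu
export LC_ALL=C
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# --- Part 1: a three-tier PKI ----------------------------------------------
printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf   # minimal config so req needs no openssl.cnf
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:dl.example.test\n' > leaf.ext

csr() {  # csr NAME SUBJECT: fresh RSA key plus CSR in NAME.key / NAME.csr
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config req.cnf \
    -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
csr root  '/CN=Example Root CA'
csr inter '/CN=Example Intermediate CA'
csr leaf  '/CN=dl.example.test'
csr other '/CN=Unrelated CA'
# root and "other" are self-signed CAs; inter is signed by root; leaf by inter.
openssl x509 -req -sha256 -days 30 -in root.csr  -signkey root.key  -extfile ca.ext -out root.pem  2>/dev/null
openssl x509 -req -sha256 -days 30 -in other.csr -signkey other.key -extfile ca.ext -out other.pem 2>/dev/null
openssl x509 -req -sha256 -days 30 -in inter.csr -CA root.pem  -CAkey root.key  -CAcreateserial \
  -extfile ca.ext -out inter.pem 2>/dev/null
openssl x509 -req -sha256 -days 30 -in leaf.csr  -CA inter.pem -CAkey inter.key -CAcreateserial \
  -extfile leaf.ext -out leaf.pem 2>/dev/null
cat other.pem inter.pem > bundle.pem   # a multi-cert bundle that does contain the issuer

# verify_leaf [EXTRA.pem]: verify leaf.pem with root.pem as the only trust anchor,
# optionally adding EXTRA.pem as untrusted intermediates (roughly what Squid's
# sslproxy_foreign_intermediate_certs file, or a complete server-sent chain, supplies).
# Prints "ok" or the numeric X509 verify error.
verify_leaf() {
  if [ $# -gt 0 ]; then
    out=$(openssl verify -CAfile root.pem -untrusted "$1" leaf.pem 2>&1) && { echo ok; return 0; }
  else
    out=$(openssl verify -CAfile root.pem leaf.pem 2>&1) && { echo ok; return 0; }
  fi
  echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# issuer_matches CERT.pem: is CERT the issuer named in leaf.pem? Compares DN hashes;
# the first thing to check when an added intermediate "makes no change".
issuer_matches() {
  if [ "$(openssl x509 -noout -subject_hash -in "$1")" = "$(openssl x509 -noout -issuer_hash -in leaf.pem)" ]
  then echo yes; else echo no; fi
}

# --- Part 2: "no shared cipher" --------------------------------------------
# shared_ciphers CLIENT_STRING SERVER_STRING: expand both OpenSSL cipher strings
# (TLS 1.2 and older suites only) and print the suites both sides allow, one per
# line. Empty output is the "no shared cipher" handshake failure.
shared_ciphers() {
  openssl ciphers "$1" 2>/dev/null | tr ':' '\n' | grep -v '^TLS_' | sort -u > client.txt
  openssl ciphers "$2" 2>/dev/null | tr ':' '\n' | grep -v '^TLS_' | sort -u > server.txt
  comm -12 client.txt server.txt
}
# The two cipher strings from message 5, unwrapped.
OLD='EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS'
NEW='ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'

echo "leaf only, root trusted       -> $(verify_leaf)"              # 20
echo "plus the real intermediate    -> $(verify_leaf inter.pem)"    # ok
echo "plus an unrelated CA          -> $(verify_leaf other.pem)"    # 20
echo "plus a bundle holding both    -> $(verify_leaf bundle.pem)"   # ok
echo "other.pem issued the leaf?    -> $(issuer_matches other.pem)" # no
echo "suites shared by the two thread strings: $(shared_ciphers "$OLD" "$NEW" | wc -l | tr -d ' ')"
echo "suites shared by AES128-SHA and ECDHE-RSA-AES128-GCM-SHA256 only: $(shared_ciphers AES128-SHA ECDHE-RSA-AES128-GCM-SHA256 | wc -l | tr -d ' ')"  # 0
```

Run it with `sh chain-check.sh` (name assumed). The bare leaf and the unrelated-CA file both give 20, the real intermediate and the mixed bundle give ok, and the last line prints 0 because a client that only offers AES128-SHA and a server that only accepts ECDHE-RSA-AES128-GCM-SHA256 have nothing in common. Against a live server the same two checks are `openssl s_client -connect host:443 -showcerts` to see which intermediates the server actually sends, and `openssl x509 -noout -issuer_hash` on the leaf versus `-subject_hash` on whatever you are about to put in the extra-intermediate file.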