[squid-users] SSL errors with Squid 3.5.27

Amos Jeffries squid3 at treenet.co.nz
Wed Jun 13 17:16:42 UTC 2018


On 13/06/18 07:54, Julian Perconti wrote:
>> Interesting.
>>
>> The main issue was that you configured only params for the Diffie-Hellman (DH and DHE) ciphers - no curve name. That meant your specified EEC* ciphers were disabled since they require a curve name as well.
>>
>> Removing this option completely disables both DH and ECDH cipher types.
>> Leaving your proxy with only the RSA based ciphers.
>>
>> Amos
> 
> kid1| Error negotiating SSL on FD 60: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed (1/-1/0)
> 
> Hi Amos,
> 
> I still have no luck connecting with WhatsApp from iOS.
> 
> How can I track this error?
> 
> kid1| Error negotiating SSL on FD 60: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed (1/-1/0)
> 
> I mean examine the FD... or what? How? Because from iOS I can't see any error; it just tries to connect indefinitely.

Yes. With "debug_options ALL,9" and a "grep --context=10 'FD nn'" of the
resulting cache.log for whatever the FD number is in the test after you
update the logging content. Some of those lines should show what is
happening on that FD, maybe some clues in there.


> 
> Some whatsapp/Facebook server with the command:
> 
> Openssl s_client -connect -showcerts x.x.x.x:443 
> 
> Does not show any cert and establishes a connection with TLS 1.2...
> 
> Any idea?

Probably something you are not noticing, or think is irrelevant but
actually is.

Since you are hiding the details of what is going on we cannot replicate
and see for ourselves if there is any hint in those hidden results which
anyone with more knowledge might find.

Amos
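
The cache.log search described in the reply above, as an added example that is not part of the original thread. The function names are hypothetical, and every sample line except the error line quoted in the thread is constructed. It anchors the FD number so that a search for "FD 6" does not also return lines for "FD 60".

```shell
#!/bin/sh
# Added example, not from the thread. Helper names are hypothetical.

# failing_fds FILE: print each FD number named in an
# "Error negotiating SSL on FD <n>:" line, once each.
failing_fds() {
    sed -n 's/.*Error negotiating SSL on FD \([0-9][0-9]*\):.*/\1/p' "$1" | sort -un
}

# fd_context FILE FD [LINES]: lines that mention exactly that FD, plus context.
# The trailing "non-digit or end of line" keeps FD 6 from matching FD 60.
fd_context() {
    grep -E --context="${3:-10}" "FD $2([^0-9]|\$)" "$1"
}

# ssl_failure_report FILE [LINES]: context for every FD that failed negotiation.
ssl_failure_report() {
    for fd in $(failing_fds "$1"); do
        echo "=== FD $fd ==="
        fd_context "$1" "$fd" "${2:-10}"
    done
}

# write_sample FILE: constructed log. Only the error line is from the thread;
# the other lines are placeholders, not real Squid debug output.
write_sample() {
    cat > "$1" <<'EOF'
kid1| constructed line 1: activity on FD 6
kid1| constructed line 2: activity on FD 60
kid1| Error negotiating SSL on FD 60: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed (1/-1/0)
kid1| constructed line 4: closing FD 60
kid1| constructed line 5: activity on FD 6
EOF
}

# Usage: sh this_script.sh /path/to/cache.log
if [ -n "${1:-}" ]; then
    ssl_failure_report "$1"
fi
```
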

