[squid-users] FW: Encrypted browser-Squid connection errors
Alex Rousskov
rousskov at measurement-factory.com
Fri Oct 14 17:34:06 UTC 2022
On 10/14/22 10:32, LEMRAZZEQ, Wadie wrote:
> I tried to implement this on a dockerized Alpine, and a squid 5.5 with openssl module
FWIW, Squid v5.5 is unusable in many environments -- too many bugs. Use
v5.7 or later. I do not know whether one of those bugs is responsible
for the specific problem you are discussing though.
> in squid.conf, I have:
>
> ...
>
> http_port 3128
>
> https_port 3129 cert=/etc/squid/crt.pem key=/etc/squid/key.pem
OK.
> but when I request squid https port, I got this error every time, in
> cache.log:
_How_ do you "request squid https port"?
> ERROR: failure while accepting a TLS connection on conn77
> local=172.17.0.2:3129 remote=172.17.0.1:56608 FD 12 flags=1:
>
> connection: conn77 local=172.17.0.2:3129 remote=172.17.0.1:56608 FD 12 flags=1
>
> Error.cc(22) update: recent:
> ERR_SECURE_ACCEPT_FAIL/SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=1408F09B+TLS_IO_ERR=1
According to "openssl errstr", that OpenSSL error is:
error:1408F09B:SSL routines:ssl3_get_record:https proxy request
Most likely, the client is sending a plain text CONNECT request before
encrypting the TLS connection to the HTTPS proxy. In other words, the
client thinks it is talking to an HTTP proxy while you want it to think
that it is talking to an HTTPS proxy. For example,
* HTTP proxy: curl -x http://172.17.0.2:3128/ ... https://example.com
* HTTPS proxy: curl -x https://172.17.0.2:3129/ ... https://example.com
HTH,
Alex.
> ...
>
> I also tried this with squid 4.10 with gnutls module, in an Ubuntu 20.40
> environment, with the same squid.conf, and I got again a TLS error
>
> ...
>
> client_side.cc(2597) tlsAttemptHandshake: Error negotiating TLS on
> local=x.x.x.x:3129 remote=x.x.x.x:50874 FD 11 flags=1: Aborted by
> client: An unexpected TLS packet was received.
>
> ...
>
> I used for certificates, a self-signed one, and a generated certificate
> signed by our CA, for both scenarios
>
> Also, I tried multiple https_port options (disable some SSL
> implementation, manipulation of client certificates...) but without success
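As an added diagnostic, not code from this thread or from Squid, the following Python snippet scans cache.log lines of the shape quoted above, splits the packed OpenSSL error code into its library/function/reason fields, and maps the reason to the plaintext-request-on-a-TLS-port mismatch Alex describes. The reason-code names are OpenSSL's (ssl.h); the remediation hints, regexes and the sample log are constructed for this example.

```python
import re

# OpenSSL 1.x packs an error code as lib:8 bits | func:12 bits | reason:12 bits.
ERR_LIB_SSL = 20  # ERR_LIB_SSL from openssl/err.h

# Reason codes from OpenSSL's ssl.h; the hints are ours, not OpenSSL's or Squid's.
SSL_REASONS = {
    155: ("SSL_R_HTTPS_PROXY_REQUEST",
          "client sent a plaintext proxy request (e.g. CONNECT) to a TLS port; "
          "the client is configured for an http:// proxy instead of https://"),
    156: ("SSL_R_HTTP_REQUEST",
          "client sent a plaintext HTTP request to a TLS port"),
}

# Constructed patterns matching the cache.log lines quoted in the thread.
CONN_RE = re.compile(r"(conn\d+) local=(\S+) remote=(\S+)")
TLS_ERR_RE = re.compile(
    r"ERR_SECURE_ACCEPT_FAIL/SQUID_TLS_ERR_ACCEPT\+TLS_LIB_ERR=([0-9A-Fa-f]+)")


def decode_openssl_error(code):
    """Split a packed OpenSSL error code into its lib/func/reason fields."""
    return {"lib": code >> 24, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF}


def diagnose(cache_log):
    """Return one finding per TLS accept failure, tied to the last connection seen."""
    findings, last_conn = [], None
    for line in cache_log.splitlines():
        m = CONN_RE.search(line)
        if m:
            last_conn = {"id": m.group(1), "local": m.group(2), "remote": m.group(3)}
        m = TLS_ERR_RE.search(line)
        if not m:
            continue
        fields = decode_openssl_error(int(m.group(1), 16))
        if fields["lib"] == ERR_LIB_SSL and fields["reason"] in SSL_REASONS:
            name, hint = SSL_REASONS[fields["reason"]]
        else:
            name, hint = "UNKNOWN", "run `openssl errstr %s` to decode" % m.group(1)
        findings.append({"conn": last_conn, "code": m.group(1), **fields,
                         "reason_name": name, "hint": hint})
    return findings


# Constructed sample in the shape of the cache.log excerpt quoted above.
SAMPLE_LOG = """\
ERROR: failure while accepting a TLS connection on conn77 local=172.17.0.2:3129 remote=172.17.0.1:56608 FD 12 flags=1:
    connection: conn77 local=172.17.0.2:3129 remote=172.17.0.1:56608 FD 12 flags=1
    Error.cc(22) update: recent: ERR_SECURE_ACCEPT_FAIL/SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=1408F09B+TLS_IO_ERR=1
"""
```

Running `diagnose(SAMPLE_LOG)` yields one finding for remote 172.17.0.1:56608 with reason SSL_R_HTTPS_PROXY_REQUEST, i.e. the client spoke plain HTTP to the https_port.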