[squid-users] Squid 6.8 SSL_BUMP TLS Error
Alex Rousskov
rousskov at measurement-factory.com
Thu Apr 18 21:16:39 UTC 2024
On 2024-04-18 04:13, Rauch, Mario wrote:
> We have created a DER version of the PEM certificate which Squid uses
> and imported this into the client certificate store using a script like this:
>
> certmgr /add DN_SIGNATOR_CA.der /r localMachine /s root
>
> DN_SIGNATOR_CA.der is the self-signed certificate
There is no practical way for me to verify that the above steps have the
desired result. However, _you_ can verify that by, for example, using
OpenSSL s_server configured with a certificate signed by DN_SIGNATOR_CA.
Does the client trust that test server?
Can you verify that your client is getting a certificate signed by
DN_SIGNATOR_CA? Depending on TLS version, it may be possible to do that
using Wireshark or a similar packet capture analysis tool. If you can
run OpenSSL s_client or a similar test client, it can also tell you what
certificate(s) it is getting from Squid.
> Maybe there must be some additional or changed setting in the config
> between Squid versions 3.5 and 6.8?
Lots of things changed since Squid v3. Others may be able to guide you
through those changes, but I cannot. That is why I am focusing on
solving your problem in v6 (rather than trying to figure out what change
triggered that problem).
> As I wrote, on the old server with Squid 3.5 and the same certificate it worked.
> Should I attach both config files?
Personally, I am not interested in Squid v3 configuration. Seeing your
ssl_bump rules for v6 may be useful (especially if you know for sure
which rules have matched for the test transaction), but I would _start_
by checking that Squid is sending the certificate(s) you think it is
sending.
HTH,
Alex.
> From: squid-users <squid-users-bounces at lists.squid-cache.org> On
> behalf of Alex Rousskov
> Sent: Wednesday, 17 April 2024 19:53
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Squid 6.8 SSL_BUMP TLS Error
>
> On 2024-04-17 09:07, Rauch, Mario wrote:
>> We are receiving the following errors when clients
>> want to connect to a specific website using the ssl bump feature and a
>> self-signed certificate:
>>
>> 2024/04/17 14:55:15 kid1| ERROR: failure while accepting a TLS
>> connection on conn275 local=185.229.91.169:3128
>> remote=81.217.86.125:63673 FD 16 flags=1:
>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>
>> Does somebody know what the problem could be?
>
> $ openssl errstr A000418
> error:0A000418:SSL routines::tlsv1 alert unknown ca
>
> Looks like the client does not trust the Squid certificate and tells Squid
> about that lack of trust via a TLS alert. Did you configure the client
> to trust the certificate your Squid is using for bumping client connections?
>
> HTH,
>
> Alex.
>
>> With old Squid 3.5 it worked with almost the same config and certificate.
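To make the check Alex proposes concrete, here is an added example (not code from this thread or from the Squid project). It builds a throwaway self-signed CA that stands in for DN_SIGNATOR_CA, checks that the DER export is the same certificate as the PEM, serves a certificate signed by that CA with openssl s_server, and then connects with openssl s_client twice: once trusting the CA (handshake completes, verify result 0) and once with an empty trust store that refuses to continue after verification fails, which makes the client send the same unknown_ca alert that Squid logged as TLS_LIB_ERR=A000418. The CA name, file names, hostname and port are assumptions chosen for the demo; it needs the openssl command-line tool (1.1.1 or newer).

```shell
#!/bin/sh
# Added example, not code from the squid-users thread or from Squid itself:
# reproduce the "tlsv1 alert unknown ca" failure on localhost and confirm
# that a client trusts a certificate issued by a self-signed CA. Needs the
# openssl CLI (1.1.1 or newer). The CA name, file names, hostname and port
# are assumptions made for this demo; the CA stands in for DN_SIGNATOR_CA.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PORT="${PORT:-14433}"
SERVER_PID=""

# Self-signed CA plus a server certificate it signs; the CA is then exported
# as DER, the format the certmgr /add command in the thread imports.
make_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Demo Signator CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=test.example" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 2 \
    -out "$WORK/srv.pem" 2>/dev/null
  openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/ca.der"
}

# The DER file handed to the client must be the very certificate Squid signs
# with: compare SHA-256 fingerprints rather than trusting the file name.
der_matches_pem() {
  pem_fp=$(openssl x509 -in "$WORK/ca.pem" -noout -fingerprint -sha256)
  der_fp=$(openssl x509 -in "$WORK/ca.der" -inform DER -noout -fingerprint -sha256)
  [ "$pem_fp" = "$der_fp" ]
}

# Serve the test certificate, standing in for Squid's bumped connection.
start_server() {
  openssl s_server -accept "$PORT" -cert "$WORK/srv.pem" \
    -key "$WORK/srv.key" -www >/dev/null 2>&1 &
  SERVER_PID=$!
  trap 'stop_server' EXIT
  i=0
  until printf '' | openssl s_client -connect "127.0.0.1:$PORT" >/dev/null 2>&1; do
    i=$((i + 1))
    [ "$i" -lt 20 ] || return 1
    sleep 1
  done
}

stop_server() {
  [ -n "$SERVER_PID" ] && kill "$SERVER_PID" 2>/dev/null || true
}

# Which certificate does the server actually send? Print the issuer of the
# leaf; it must name the CA the client was told to trust.
server_cert_issuer() {
  printf '' | openssl s_client -connect "127.0.0.1:$PORT" -showcerts 2>/dev/null \
    | openssl x509 -noout -issuer
}

# A client that trusts the CA: the handshake completes and s_client reports
# "Verify return code: 0 (ok)".
handshake_trusting_ca() {
  printf '' | openssl s_client -connect "127.0.0.1:$PORT" \
    -CAfile "$WORK/ca.pem" -verify_return_error 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

# A client with an empty trust store that refuses to continue after a
# verification failure, as browsers do: OpenSSL answers the server's
# Certificate message with an unknown_ca alert, which the server side logs
# as "tlsv1 alert unknown ca" (reason code 0x418, TLS_LIB_ERR=A000418).
handshake_without_ca() {
  if printf '' | openssl s_client -connect "127.0.0.1:$PORT" \
      -no-CAfile -no-CApath -verify_return_error >/dev/null 2>&1; then
    return 1 # an untrusted certificate was accepted; the test setup is wrong
  fi
}

# Turn the TLS_LIB_ERR hex value from cache.log into OpenSSL's error text.
decode_tls_lib_err() {
  openssl errstr "$1"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then
  make_certs
  der_matches_pem && echo "DER export matches the PEM CA"
  start_server
  echo "server sends a certificate issued by: $(server_cert_issuer)"
  handshake_trusting_ca && echo "client trusting the CA: handshake ok"
  handshake_without_ca && echo "client without the CA: rejected with unknown_ca"
  decode_tls_lib_err A000418
fi
```

Run it with RUN_DEMO=1 sh demo.sh. Against a real Squid the same s_client calls apply, with one caveat: if clients use Squid as an explicit proxy, point s_client at it with -proxy squid-host:3128 -connect target:443 so that it sends the CONNECT request before the TLS handshake, then compare the issuer it prints with the CA actually present in the client's trust store.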