Re: [squid-users] Squid 6.8 SSL_BUMP TLS Error

2024-04-18 Thread Alex Rousskov

On 2024-04-18 04:13, Rauch, Mario wrote:

> We have created a DER version of the PEM certificate which Squid uses
> and imported this into the client certificate store using a script like this:
>
> certmgr /add DN_SIGNATOR_CA.der /r localMachine /s root
>
> DN_SIGNATOR_CA.der is the self-signed certificate


There is no practical way for me to verify that the above steps have the 
desired result. However, _you_ can verify that by, for example, using 
OpenSSL s_server configured with a certificate signed by DN_SIGNATOR_CA. 
Does the client trust that test server?


Can you verify that your client is getting a certificate signed by 
DN_SIGNATOR_CA? Depending on TLS version, it may be possible to do that 
using Wireshark or a similar packet capture analysis tool. If you can 
run OpenSSL s_client or a similar test client, it can also tell you what 
certificate(s) it is getting from Squid.



> Maybe there must be some additional or changed setting in the config from
> the 3.5 > 6.8 Squid version?


Lots of things changed since Squid v3. Others may be able to guide you 
through those changes, but I cannot. That is why I am focusing on 
solving your problem in v6 (rather than trying to figure out what change 
triggered that problem).



> As I wrote, on the old server with Squid 3.5 and the same certificate it worked.
> Should I attach both config files?


Personally, I am not interested in Squid v3 configuration. Seeing your 
ssl_bump rules for v6 may be useful (especially if you know for sure 
which rules have matched for the test transaction), but I would _start_ 
by checking that Squid is sending the certificate(s) you think it is 
sending.



HTH,

Alex.



___
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid 6.8 SSL_BUMP TLS Error

2024-04-18 Thread Rauch, Mario
Hello,

We have created a DER version of the PEM certificate which Squid uses and
imported this into the client certificate store using a script like this:

certmgr /add DN_SIGNATOR_CA.der /r localMachine /s root

DN_SIGNATOR_CA.der is the self-signed certificate.

Maybe there must be some additional or changed setting in the config from the
3.5 > 6.8 Squid version?
As I wrote, on the old server with Squid 3.5 and the same certificate it worked.
Should I attach both config files?

Regards,
Mario

From: squid-users  On behalf of
Alex Rousskov
Sent: Wednesday, 17 April 2024 19:53
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid 6.8 SSL_BUMP TLS Error

On 2024-04-17 09:07, Rauch, Mario wrote:

> We are receiving the following errors when clients
> want to connect to a specific website using the ssl bump feature and a
> self-signed certificate:
>
> 2024/04/17 14:55:15 kid1| ERROR: failure while accepting a TLS
> connection on conn275 local=185.229.91.169:3128
> remote=81.217.86.125:63673 FD 16 flags=1:
> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>
> Does somebody know what the problem could be?

$ openssl errstr A000418
error:0A000418:SSL routines::tlsv1 alert unknown ca

Looks like the client does not trust Squid certificate and tells Squid
about that lack of trust via a TLS alert. Did you configure the client
to trust the certificate your Squid is using for bumping client connections?

HTH,

Alex.

> With old Squid 3.5 it worked with almost the same config and certificate.

___
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid 6.8 SSL_BUMP TLS Error

2024-04-17 Thread Alex Rousskov

On 2024-04-17 09:07, Rauch, Mario wrote:

> We are receiving the following errors when clients
> want to connect to a specific website using the ssl bump feature and a
> self-signed certificate:
>
> 2024/04/17 14:55:15 kid1| ERROR: failure while accepting a TLS
> connection on conn275 local=185.229.91.169:3128
> remote=81.217.86.125:63673 FD 16 flags=1:
> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>
> Does somebody know what the problem could be?


$ openssl errstr A000418
error:0A000418:SSL routines::tlsv1 alert unknown ca

Looks like the client does not trust Squid certificate and tells Squid 
about that lack of trust via a TLS alert. Did you configure the client 
to trust the certificate your Squid is using for bumping client connections?



HTH,

Alex.



> With old Squid 3.5 it worked with almost the same config and certificate.



___
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users
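Alex decodes the TLS_LIB_ERR value by hand with `openssl errstr`. The script below is an added example, not code from the thread or from Squid: it applies the same decoding to a batch of cache.log lines so an operator can see which clients answered Squid's bump certificate with an unknown_ca alert (no trust in the bump CA) and which failed for other reasons. It assumes the OpenSSL 3.x packed error-code layout that the A000418 value in the thread uses; the first sample line is the one quoted in the thread, the remaining lines are constructed.

```python
"""Triage Squid cache.log TLS accept failures: parse SQUID_TLS_ERR_ACCEPT lines,
unpack the OpenSSL 3.x code in TLS_LIB_ERR and name the alert the client sent."""
import re
from collections import Counter

TLS_ALERTS = {  # AlertDescription values, RFC 5246 / RFC 8446 section 7.2 (subset)
    40: "handshake_failure", 42: "bad_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
}
ERR_LIB_SSL = 20  # OpenSSL's ERR_LIB_SSL, shown as "SSL routines" by openssl errstr

LINE_RE = re.compile(r"ERROR: failure while accepting a TLS connection on (?P<conn>conn\d+) "
                     r"local=\S+ remote=(?P<remote>\S+) .*?TLS_LIB_ERR=(?P<code>[0-9A-Fa-f]+)")

def decode_openssl_code(code_hex):
    """Unpack an OpenSSL 3.x packed code: lib in bits 23..30, reason flags in 18..22,
    reason below. OpenSSL records a TLS alert N received from the peer as reason 1000+N."""
    code = int(code_hex, 16)
    lib = (code >> 23) & 0xFF
    reason = code & 0x3FFFF
    alert = reason - 1000 if lib == ERR_LIB_SSL and reason >= 1000 else None
    name = TLS_ALERTS.get(alert, "unknown_alert") if alert is not None else None
    return {"lib": lib, "reason": reason, "alert": alert, "alert_name": name}

def triage(log_lines):
    """One record per failed TLS accept, plus a count of failures per client address."""
    records = []
    for m in filter(None, map(LINE_RE.search, log_lines)):  # unrelated lines are skipped
        rec = decode_openssl_code(m.group("code"))
        rec.update(conn=m.group("conn"), remote=m.group("remote").rsplit(":", 1)[0])
        records.append(rec)
    return records, Counter(r["remote"] for r in records)

# The first line is the one quoted in the thread; the others are constructed samples.
SAMPLE_LOG = [
    "2024/04/17 14:55:15 kid1| ERROR: failure while accepting a TLS connection on conn275 local=185.229.91.169:3128 "
    "remote=81.217.86.125:63673 FD 16 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1",
    "2024/04/17 14:56:01 kid1| ERROR: failure while accepting a TLS connection on conn301 local=192.0.2.10:3128 "
    "remote=198.51.100.7:50001 FD 18 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1",
    "2024/04/17 14:56:09 kid1| ERROR: failure while accepting a TLS connection on conn302 local=192.0.2.10:3128 "
    "remote=198.51.100.7:50002 FD 19 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000416+TLS_IO_ERR=1",
    "2024/04/17 14:56:10 kid1| WARNING: constructed unrelated log line",
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG)[0]:
        print(rec["conn"], rec["remote"], "client sent alert", rec["alert"], rec["alert_name"])
```

A code whose reason is below 1000 (for example a local "certificate verify failed") is reported with alert None, since it was detected by Squid's own OpenSSL rather than announced by the client.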