Re: [squid-users] SQUID3 and https: Error negotiating SSL connection
On Feb 21, 2013, at 2:04 AM, skylab wrote:

> Hi, thank you for your replies.
> How can I verify my ca-certificate list? And how can I update it?
> Thank you very much.
>
> Skylab

It depends on your O/S. Linux and *BSDs keep the certs updated through packages.

If you have Redhat/CentOS, check the ca-certificates RPM. You might have to set sslproxy_cafile to /etc/ssl/certs/ca-bundle.crt

If you have Debian/Ubuntu/etc, check the ca-certificates DEB. You might have to set sslproxy_capath to /etc/ssl/certs

For FreeBSD, check the package ca_root_nss. Set sslproxy_cafile to /usr/local/share/certs/ca-root-nss.crt

HTH,
Guy
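
Added example (not part of the original message and not Squid's own tooling): a shell check over the trust-store locations named in the reply above that prints the matching squid.conf directive. The function names and the optional root-prefix argument are assumptions made for this example; for the directory case it relies on OpenSSL's subject-hash link naming.

```shell
#!/bin/sh
# Added example: choose the squid.conf CA directive for the trust-store
# locations named in the reply above. Function names and the optional
# root prefix (for inspecting a chroot or image) are assumptions.

# Count PEM certificates in a bundle file; prints 0 if none or unreadable.
count_certs() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# Print the directive matching the first usable store under prefix $1.
suggest_squid_ca() {
    root="${1:-}"
    # Single-file bundles: Red Hat/CentOS (ca-certificates RPM),
    # then FreeBSD (ca_root_nss package).
    for f in /etc/ssl/certs/ca-bundle.crt \
             /usr/local/share/certs/ca-root-nss.crt; do
        if [ -s "$root$f" ] && [ "$(count_certs "$root$f")" -gt 0 ]; then
            echo "sslproxy_cafile $f"
            return 0
        fi
    done
    # Debian/Ubuntu: a directory store. OpenSSL looks certificates up by
    # subject-hash file names (<8 hex digits>.0), so require at least one.
    d=/etc/ssl/certs
    for l in "$root$d"/????????.0; do
        if [ -e "$l" ]; then
            echo "sslproxy_capath $d"
            return 0
        fi
    done
    echo "no CA bundle or hashed CA directory found under '${root:-/}'" >&2
    return 1
}

# Usage: suggest_squid_ca            (live system)
#        suggest_squid_ca /mnt/image (hypothetical mounted image)
```

A non-zero exit means none of the three locations holds a usable store, which points at a missing or unpopulated CA package rather than at the Squid directive.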
Re: [squid-users] SQUID3 and https: Error negotiating SSL connection
On 21/02/2013 11:11 a.m., Guy Helmer wrote:
> On Feb 20, 2013, at 11:30 AM, skylab wrote:
>> Hi,
>> I'm new in Squid configuration and I have problems with HTTPS sites. I searched a lot but I didn't find a solution.
>> I can't open any https site and I have different error messages in different browsers:
>> - in firefox www.gmail.com returns ssl_error_bad_cert_domain
>> - in chrome www.gmail.com returns "The site's security certificate is not trusted!"
>> - in firefox www.facebook.com returns "The page isn't redirecting properly"
>> - in chrome www.facebook.com returns "This webpage has a redirect loop" (Error 310 net:: ERR_TO_MANY_REDICTS)
>>
>> In cache.log there are these messages:
>> /2013/02/19 16:02:15| clientNegotiateSSL: Error negotiating SSL connection on FD 16: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
>> 2013/02/19 16:02:15| clientNegotiateSSL: Error negotiating SSL connection on FD 16: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
>> 2013/02/19 16:02:15| clientNegotiateSSL: Error negotiating SSL connection on FD 16: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0) /
>
> Because of the "unknown ca" errors, it seems likely that you need to set sslproxy_cafile and/or sslproxy_capath so Squid can validate the server SSL certificates.
>
> Guy

And/or the openSSL ca-certificates list is outdated and needs an upgrade.

Amos
Re: [squid-users] SQUID3 and https: Error negotiating SSL connection
On Feb 20, 2013, at 11:30 AM, skylab wrote:

> Hi,
> I'm new in Squid configuration and I have problems with HTTPS sites. I searched a lot but I didn't find a solution.
> I can't open any https site and I have different error messages in different browsers:
> - in firefox www.gmail.com returns ssl_error_bad_cert_domain
> - in chrome www.gmail.com returns "The site's security certificate is not trusted!"
> - in firefox www.facebook.com returns "The page isn't redirecting properly"
> - in chrome www.facebook.com returns "This webpage has a redirect loop" (Error 310 net:: ERR_TO_MANY_REDICTS)
>
> In cache.log there are these messages:
> /2013/02/19 16:02:15| clientNegotiateSSL: Error negotiating SSL connection on FD 16: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
> 2013/02/19 16:02:15| clientNegotiateSSL: Error negotiating SSL connection on FD 16: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
> 2013/02/19 16:02:15| clientNegotiateSSL: Error negotiating SSL connection on FD 16: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0) /

Because of the "unknown ca" errors, it seems likely that you need to set sslproxy_cafile and/or sslproxy_capath so Squid can validate the server SSL certificates.

Guy