On 20/09/2016 4:42 a.m., Hardik Dangar wrote:
> Hello,
> 
> I am using squid 3.5.12(detailed version info is below) on Ubuntu 16.04.1
> LTS server. My squid config is at, http://pastebin.com/raw/b8RZ67u9
> 
> I have configured squid as intercept proxy bumping all SSL https
> connections. Setup is working fine for many things like browsing,
> even on command line like wget I can download via https as I have installed
> root certificate within my client os.
> 
> My issue is whenever I try to add extra repository via command, i.e.
> sudo add-apt-repository ppa:ondrej/php
> command fails with output "Cannot add PPA: 'ppa:~ondrej/ubuntu/php'.ERROR:
> '~ondrej' user or team does not exist." and in squid's cache and access.log
> following entries can be located for this request,
> 
> ==> /var/log/squid/access.log <==
> 1474302162.378    439 192.168.1.66 TAG_NONE/200 0 CONNECT 91.189.89.223:443
> - ORIGINAL_DST/91.189.89.223 -
> 
> ==> /var/log/squid/cache.log <==
> 2016/09/19 21:52:42 kid1| Error negotiating SSL connection on FD 21:
> error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0)
> 2016/09/19 21:52:42 kid1| hold write on SSL connection on FD 22
> 
> ==> /var/log/squid/access.log <==
> 1474302162.885    403 192.168.1.66 TAG_NONE/200 0 CONNECT 91.189.89.223:443
> - ORIGINAL_DST/91.189.89.223 -
> 
> ==> /var/log/squid/cache.log <==
> 2016/09/19 21:52:42 kid1| Error negotiating SSL connection on FD 21:
> error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0)
> 
> in the above output 192.168.1.66 is my client requesting that request and
> as you can see in cache.log there is certificate negotiation error. I have
> tried to fiddle with all options provided at http://wiki.squid-cache.org/
> ConfigExamples/Intercept/SslBumpExplicit but it seems I am out of luck
> after almost half of my day battling this issue.
> 
> Can someone tell me they are successful with this issue? If so, can you
> share your squid.conf relevant section?
> 
> $ squid -v
> Squid Cache: Version 3.5.12

Ubuntu Squid package does not build with SSL functionality.

When re-building your Squid with SSL-Bump features it is important to
always use the very latest Squid release. SSL/TLS and bumping are part
of an ongoing arms race situation. Things are constantly changing and
software from as little as a year ago is unlikely to work 100% well with
intercepting ('bumping') encryption from today.

First thing to try is to rebuild with squid 3.5.20 or .21 and see if the
problem remains.

Amos
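A small triage helper for the symptom in the question above, added here as an example and not code from the thread or from the Squid project. It reads the interleaved `tail -f` stream of access.log and cache.log exactly as quoted, pairs each "Error negotiating SSL connection" line (an alert the peer on that connection sent back) with the most recent CONNECT tunnel, and counts which client and destination keep failing with "unknown ca", so an operator can see which hosts are rejecting the bumped certificate rather than the origin. It assumes Squid's native access.log format and the OpenSSL error string layout shown in the thread.

```python
import re
from collections import Counter

# Constructed sample: the tail -f stream quoted in the thread, with each
# access.log record re-joined onto a single line.
SAMPLE = """==> /var/log/squid/access.log <==
1474302162.378    439 192.168.1.66 TAG_NONE/200 0 CONNECT 91.189.89.223:443 - ORIGINAL_DST/91.189.89.223 -

==> /var/log/squid/cache.log <==
2016/09/19 21:52:42 kid1| Error negotiating SSL connection on FD 21: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0)
2016/09/19 21:52:42 kid1| hold write on SSL connection on FD 22

==> /var/log/squid/access.log <==
1474302162.885    403 192.168.1.66 TAG_NONE/200 0 CONNECT 91.189.89.223:443 - ORIGINAL_DST/91.189.89.223 -

==> /var/log/squid/cache.log <==
2016/09/19 21:52:42 kid1| Error negotiating SSL connection on FD 21: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0)
"""

BANNER_RE = re.compile(r"^==> (?P<path>\S+) <==$")          # tail -f file switch
ACCESS_RE = re.compile(                                      # squid native log format
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+CONNECT\s+(?P<dest>\S+)")
CACHE_RE = re.compile(                                       # OpenSSL error string
    r"Error negotiating SSL connection on FD \d+: "
    r"error:(?P<code>[0-9A-Fa-f]+):SSL routines:[^:]+:(?P<reason>[^(]+)")

def correlate(stream):
    """Attach each cache.log TLS negotiation error to the most recent
    access.log CONNECT, which is the tunnel the bump was attempted on."""
    source, last_connect, findings = None, None, []
    for line in stream.splitlines():
        banner = BANNER_RE.match(line)
        if banner:
            source = banner.group("path").rsplit("/", 1)[-1]
            continue
        if source == "access.log" and (m := ACCESS_RE.match(line)):
            last_connect = m.groupdict()
        elif source == "cache.log" and last_connect and (m := CACHE_RE.search(line)):
            findings.append({
                "client": last_connect["client"], "dest": last_connect["dest"],
                "tunnel_bytes": int(last_connect["bytes"]),   # 0 => nothing got through
                "code": m.group("code"), "reason": m.group("reason").strip()})
    return findings

def summarize(findings):
    """Count (client, dest, reason) so a client failing repeatedly stands out."""
    return Counter((f["client"], f["dest"], f["reason"]) for f in findings)
```

On the sample above it reports the same client and destination twice with "tlsv1 alert unknown ca" and zero tunnel bytes, i.e. the tunnel was set up but the client tore the handshake down.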

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users