Aha,

20.07.2017 3:04, Cherukuri, Naresh wrote:
>
> Yuri,
>
> I am sorry, I didn’t get you. I already installed the certificate on all
> clients (trusted root certificate authorities). You want me to install the
> proxy public key also on clients? If so, where should I put the proxy
> public key? Below is my squid.conf file.
>
> Squid.conf
>
> key=/etc/squid/pctysquid2sslcerts/pctysquid2prod.pkey \ proxy ca public key??
>
This is proxy private key AFAIK.
>
> cert=/etc/squid/pctysquid2sslcerts/pctysquid2prod.crt \(installed
> certificate on IE all clients as a trusted root certificate authorities)
>
Yes, if it is installed into clients - this is ok.

So. The only reason I can see - proxy can't see OpenSSL CA's bundle.

To make it work you should add to your squid's config one of these:

# TAG: sslproxy_cafile
# file containing CA certificates to use when verifying server
# certificates while proxying https:// URLs
#Default:
# none

# TAG: sslproxy_capath
# directory containing CA certificates to use when verifying
# server certificates while proxying https:// URLs
#Default:
# none

Proxy also should know about CA's uses for connection verification.

>
> *From:* Yuri [mailto:yvoi...@gmail.com]
> *Sent:* Wednesday, July 19, 2017 4:55 PM
> *To:* Cherukuri, Naresh; squid-users@lists.squid-cache.org
> *Subject:* Re: [squid-users] Squid Version 3.5.20 Any Ideas
>
> No. Only proxy's CA public key. Private should remain on proxy only.
>
> 20.07.2017 2:49, Cherukuri, Naresh wrote:
>
> Thanks Yuri for quick turnover!
>
> We only installed root certificate on all clients. We didn’t
> install proxy CA’s public key on clients. So your suggested fix is
> that we need to install both certificate and proxy CA’s public key
> on clients.
>
> Thanks,
>
> Naresh
>
> *From:* squid-users
> [mailto:squid-users-boun...@lists.squid-cache.org] *On Behalf Of* Yuri
> *Sent:* Wednesday, July 19, 2017 2:25 PM
> *To:* squid-users@lists.squid-cache.org
> <mailto:squid-users@lists.squid-cache.org>
> *Subject:* Re: [squid-users] Squid Version 3.5.20 Any Ideas
>
> One out of two. Either the Squid does not see the OpenSSL/system
> root CAs bundle, or the proxy CA's public key is not installed in
> the clients. That's all.
>
> 19.07.2017 23:30, Walter H. wrote:
>
> Hello,
>
> this seems not to be the problem, as the error messages are in
> cache.log, which is not a browser problem ...
>
> the question: are the SSL bumped sites in intranet, which use
> a self signed CA cert itself, which squid doesn't know?
>
> On 19.07.2017 17:36, Yuri wrote:
>
> http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
>
> http://i.imgur.com/A153C7A.png
>
> 19.07.2017 21:34, Cherukuri, Naresh wrote:
>
> Hi All,
>
> I installed Squid version 3.5.20 on RHEL 7 and generated
> self-signed CA certificates. My users are complaining
> about certificate errors. When I looked at cache.log I see
> so many error messages like below. Below is my squid.conf
> file. Any ideas how to address below errors?
>
> Cache.log
>
> 2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 689: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
>
> 2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 1114: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
>
> 2017/07/18 16:05:37 kid1| Error negotiating SSL connection on FD 146: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
>
> 2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 252: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
>
> 2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 36: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> <mailto:squid-users@lists.squid-cache.org>
> http://lists.squid-cache.org/listinfo/squid-users
>
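Added example, not part of the original thread: decoding the packed OpenSSL error code in the cache.log lines quoted above shows which TLS alert is involved and that it was an alert read from the peer on that connection rather than an error raised locally. It assumes the OpenSSL 1.0.x error-code layout (8 bits library, 12 bits function, 12 bits reason); the function names and the last sample line are constructed for illustration.

```python
import re
from collections import Counter

# Certificate-related TLS alert descriptions (RFC 5246, section 7.2).
TLS_ALERTS = {
    42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 48: "unknown_ca",
}
ERR_LIB_SSL = 20            # OpenSSL library number for "SSL routines"
ALERT_REASON_OFFSET = 1000  # OpenSSL SSL_AD_REASON_OFFSET: reason = 1000 + alert number

LINE_RE = re.compile(
    r"^\S+ \S+ kid\d+\| Error negotiating SSL connection on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]{8}):"
)

def decode_openssl_error(code_hex):
    """Split an OpenSSL 1.0.x packed error code into (lib, func, reason)."""
    e = int(code_hex, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF

def classify(line):
    """Return (fd, description) for a negotiation-error line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    lib, _func, reason = decode_openssl_error(m.group("code"))
    fd = int(m.group("fd"))
    if lib == ERR_LIB_SSL and reason > ALERT_REASON_OFFSET:
        alert = reason - ALERT_REASON_OFFSET
        name = TLS_ALERTS.get(alert, "other")
        return fd, "peer sent alert %d (%s)" % (alert, name)
    return fd, "local error lib=%d reason=%d" % (lib, reason)

def summarize(lines):
    """Count classified descriptions across all matching log lines."""
    return Counter(c[1] for c in map(classify, lines) if c)

# First two lines are from the thread; the third is a constructed non-matching line.
SAMPLE = [
    "2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 689: "
    "error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)",
    "2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 1114: "
    "error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)",
    "2017/07/18 16:05:42 kid1| constructed unrelated log line",
]

if __name__ == "__main__":
    for desc, count in summarize(SAMPLE).items():
        print(count, desc)
```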