Hey,

 

First of all, you need to know who is connecting and what is at the other end of 
the connection.

It’s possible that the certificate is invalid.

If you do have the remote service/server name and IP address, you can try to 
resolve this issue by "creating"
a set of certificates your service can trust and updating it using some kind of 
git repository.

 

I do not know how important the order of the certificates is, since in some 
cases it does matter.

An example of dumping a server certificate:

openssl s_client -showcerts -connect google.com:443 </dev/null > 1.pem

or

true | openssl s_client -connect google.com:443 2>/dev/null | openssl x509 > certificate.pem

 

and to verify against the list of certificates you might try to run this:

openssl verify -CAfile 1.pem certificate.pem

 

should say:

certificate.pem: OK

 

 

Technically speaking, this is how many appliances work.

Either they write their own TLS logic with black/white lists, or, as with the 
many that use Squid, they have their
own privately maintained certificate list.

 

It might look like a big thing, but once you have your logic/algorithm you will 
be able to automate the concept.

As a starting point you can use the OS ca-certificates package and generate a 
local one.

 

Some would choose to ignore errors with the certificate validation, and it's 
fine to do so until you resolve the issue,
but only for very specific sites.

My assumption is that it will affect only specific services and sites.

 

If you want to resolve the issues, you can use a list of sites for which you 
might want to override SSL-bump until
you find the right solution.

 

Eliezer

 

----

Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email: [email protected]

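The openssl one-liners above verify a leaf against the chain dumped from the very same server, which only shows the chain is internally consistent, not that you trust its root. The script below is an added example, not code from the thread or from the Squid project: it builds a throw-away PKI (root, intermediate, leaf; the names "Lab Root", "Lab Intermediate", "Unrelated Root" and the host example.test are made up), then shows with `openssl verify` which combinations of trust bundle and intermediate succeed and which fail with "unable to get local issuer certificate", the condition behind Squid's "certificate verify failed". It also assembles a local trust bundle from a system-style root plus the extra root you chose to trust, the file you would hand to Squid via `tls_outgoing_options cafile=`.

```shell
#!/bin/sh
# Added example (not from the squid-users thread or the Squid project).
# Builds a lab PKI with openssl and shows when a leaf certificate verifies
# against a trust bundle and when it fails the way Squid's outgoing TLS does.
# Names (Lab Root, Lab Intermediate, Unrelated Root, example.test) are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config so the script does not depend on the system openssl.cnf.
write_cfg() {
    cat > "$WORK/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.test
EOF
}

# Root -> intermediate -> leaf, plus an unrelated root that stands in for a
# trust store that simply does not contain the right issuer.
make_lab_pki() {
    write_cfg
    openssl req -x509 -new -config "$WORK/lab.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" -subj "/CN=Lab Root" -days 1 2>/dev/null
    openssl req -new -config "$WORK/lab.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" -subj "/CN=Lab Intermediate" 2>/dev/null
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -out "$WORK/int.pem" -days 1 -extfile "$WORK/lab.cnf" -extensions v3_ca 2>/dev/null
    openssl req -new -config "$WORK/lab.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" -subj "/CN=example.test" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
        -out "$WORK/leaf.pem" -days 1 -extfile "$WORK/lab.cnf" -extensions v3_leaf 2>/dev/null
    openssl req -x509 -new -config "$WORK/lab.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" -subj "/CN=Unrelated Root" -days 1 2>/dev/null
}

# verify_leaf BUNDLE LEAF [UNTRUSTED_CHAIN]
# Prints "OK" when the leaf chains to a root in BUNDLE, otherwise "FAIL: <openssl text>".
# In production the UNTRUSTED_CHAIN file is what "openssl s_client -showcerts" returns;
# the peer sends its intermediates, but the root must already be in your bundle.
verify_leaf() {
    if [ -n "${3:-}" ]; then
        out=$(openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1 || true)
    else
        out=$(openssl verify -CAfile "$1" "$2" 2>&1 || true)
    fi
    case "$out" in
        *": OK"*) echo "OK" ;;
        *) echo "FAIL: $out" ;;
    esac
}

make_lab_pki
echo "right root + intermediate:   $(verify_leaf "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/int.pem")"
echo "right root, no intermediate: $(verify_leaf "$WORK/root.pem" "$WORK/leaf.pem")"
echo "unrelated root:              $(verify_leaf "$WORK/other.pem" "$WORK/leaf.pem" "$WORK/int.pem")"

# A local trust bundle, the way you would assemble one for Squid's
# "tls_outgoing_options cafile=/path/bundle.pem": the roots you already ship
# (here only "Unrelated Root" stands in for the OS ca-certificates set)
# plus the extra root you decided to trust after checking it by hand.
cat "$WORK/other.pem" "$WORK/root.pem" > "$WORK/bundle.pem"
echo "bundle with the right root:  $(verify_leaf "$WORK/bundle.pem" "$WORK/leaf.pem" "$WORK/int.pem")"
```

The "no intermediate" case is the one that usually bites a proxy: the origin server sends only its leaf, the proxy has the public roots but no way to bridge the gap, and the handshake is reported as "certificate verify failed" even though nothing is forged. Adding the missing intermediate (or the private root) to the cafile bundle fixes that case; disabling verification for the site hides it.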
 

From: DIXIT Ankit <[email protected]> 
Sent: Friday, September 25, 2020 4:22 PM
To: Eliezer Croitor <[email protected]>; 'Squid Users' 
<[email protected]>
Subject: RE: SSL issue on Squid version 4 after blacklisting

 

Eliezer/Team,

 

Any help would be appreciated.

 

Regards,

Ankit Dixit|IS Cloud Team

Eurostar International Ltd

Times House | Bravingtons Walk | London N1 9AW

Office: +44 (0)207 84 35550 (Extension– 35530)

 

From: DIXIT Ankit 
Sent: Tuesday, September 15, 2020 1:24 PM
To: Eliezer Croitor <[email protected]>; 'Squid Users' <[email protected]>
Subject: SSL issue on Squid version 4 after blacklisting

 

Subject changed

 

Eliezer/Team,

 

Connecting with you again after we upgraded to Squid version 4.

 

We have blacklisted the domain categories on Squid Proxy, but we are getting 
the exception below in cache.log, and because of this internet traffic is not 
flowing from client servers via Squid. 

This blacklist category has thousands of blacklisted domains.

 

kid1| Error negotiating SSL on FD 33: error:14090086:SSL 
routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)

kid1| Error negotiating SSL connection on FD 26: (104) Connection reset by peer

 

Is there any specific SSL certificate we need to configure? Or any other 
issue you see here?

 

 

Regards,

Ankit Dixit|IS Cloud Team

Eurostar International Ltd

Times House | Bravingtons Walk | London N1 9AW

Office: +44 (0)207 84 35550 (Extension– 35530)

 

From: DIXIT Ankit 
Sent: Monday, July 6, 2020 8:50 AM
To: Eliezer Croitor <[email protected]>; 'Squid Users' <[email protected]>
Subject: RE: [squid-users] Squid memory consumption problem

 

Eliezer,

 

SSL was failing for a few applications but was working fine for other 
applications, so we reverted to the old version.

I am not sure what SSL certificate dependency there was. 

 

It would be great if you could suggest memory leak solutions for the 3.12 version.

 

Regards,

Ankit Dixit|IS Cloud Team

Eurostar International Ltd

Times House | Bravingtons Walk | London N1 9AW

Office: +44 (0)207 84 35550 (Extension– 35530)

 

From: Eliezer Croitor <[email protected]> 
Sent: Sunday, July 5, 2020 5:58 PM
To: DIXIT Ankit <[email protected]>; 'Squid Users' <[email protected]>
Cc: SETHI Konica <[email protected]>
Subject: RE: [squid-users] Squid memory consumption problem
Subject: RE: [squid-users] Squid memory consumption problem

 




 

Hey,

 

What happened with this issue?

I am waiting for any input about this issue to understand what I can try 
to help with.

 

Eliezer

 

----

Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email: [email protected]

 

From: DIXIT Ankit [mailto:[email protected]] 
Sent: Tuesday, June 30, 2020 12:35 PM
To: Eliezer Croitoru; Squid Users
Cc: SETHI Konica
Subject: RE: [squid-users] Squid memory consumption problem

 

For your information, we have added the configurations below, but it is again the same issue.

 

tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE

 

tls_outgoing_options 
cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

 

Regards,

Ankit Dixit|IS Cloud Team

Eurostar International Ltd

Times House | Bravingtons Walk | London N1 9AW

Office: +44 (0)207 84 35550 (Extension– 35530)

 

From: DIXIT Ankit 
Sent: Tuesday, June 30, 2020 10:25 AM
To: Eliezer Croitoru <[email protected]>; Squid Users <[email protected]>
Cc: SETHI Konica <[email protected]>
Subject: RE: [squid-users] Squid memory consumption problem

 

Eliezer,

 

Clients are facing some SSL related issues after the upgrade. I can see the 
error below. Please suggest; it's a little urgent.

 

quid[6706]: Error negotiating SSL connection on FD 167: 
error:00000001:lib(0):func(0):reason(1) (1/0)
Jun 30 09:17:38 squid[6706]: Error parsing SSL Server Hello Message on FD 77
Jun 30 09:17:38 squid[6706]: Error negotiating SSL connection on FD 75: 
error:00000001:lib(0):func(0):reason(1) (1/0)

 

 

Regards,

Ankit Dixit|IS Cloud Team

Eurostar International Ltd

Times House | Bravingtons Walk | London N1 9AW

Office: +44 (0)207 84 35550 (Extension– 35530)

 

From: Eliezer Croitoru <[email protected]> 
Sent: Tuesday, June 30, 2020 9:10 AM
To: Squid Users <[email protected]>; DIXIT Ankit <[email protected]>
Subject: RE: [squid-users] Squid memory consumption problem

 




 

The first thing to do is look at:

https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery

 

It should clear up a couple of doubts for you.

 

Eliezer

 

----

Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email: [email protected]

 

From: DIXIT Ankit <[email protected]> 
Sent: Tuesday, June 30, 2020 10:46 AM
To: Eliezer Croitoru <[email protected]>; Alex Rousskov <[email protected]>; [email protected]
Subject: RE: [squid-users] Squid memory consumption problem

 

Eliezer,

 

We installed Squid 4.12 on the production server (Amazon Linux 2) successfully, 
but I can see the messages below in the logs for SECURITY ALERT: Host header 
forgery detected. These are being generated very frequently.

Can we ignore this, or is it advised to suppress these alerts?

 

kid2| SECURITY ALERT: on URL: 5-25-3-app.agent.datadoghq.com:443

2020/06/30 07:41:29 kid1| SECURITY ALERT: Host header forgery detected on 
local=IP remote=IP FD 97 flags=33 (local IP does not match any domain IP)

 

Regards,

Ankit Dixit|IS Cloud Team

Eurostar International Ltd

Times House | Bravingtons Walk | London N1 9AW

Office: +44 (0)207 84 35550 (Extension– 35530)

 

 

  _____  

This email (including any attachments) is intended only for the addressee(s), 
is confidential and may be legally privileged. If you are not the intended 
recipient, do not use, disclose, copy, or forward this email. Please notify the 
sender immediately and then delete it. Eurostar International Limited and its 
affiliates ("EIL") do not accept any liability for action taken in reliance on 
this email. EIL makes no representation that this email is free of viruses and 
addressees should check this email for viruses. The comments or statements 
expressed in this email are not necessarily those of EIL. 

Eurostar International Ltd 
Times House, Bravingtons Walk, London N1 9AW Registered in England and Wales 
No. 2462001 

  _____  


_______________________________________________
squid-users mailing list
[email protected]
http://lists.squid-cache.org/listinfo/squid-users
