Hi,

I'm new to Squid configuration and I have problems with HTTPS sites. I searched a lot but I didn't find a solution. I can't open any https site and I get different error messages in different browsers:

- in firefox www.gmail.com returns ssl_error_bad_cert_domain
- in chrome www.gmail.com returns "The site's security certificate is not trusted!"
- in firefox www.facebook.com returns "The page isn't redirecting properly"
- in chrome www.facebook.com returns "This webpage has a redirect loop" (Error 310 net::ERR_TOO_MANY_REDIRECTS)

In cache.log there are these messages:

    2013/02/19 16:02:15| clientNegotiateSSL: Error negotiating SSL connection on FD 16: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
    2013/02/19 16:02:15| clientNegotiateSSL: Error negotiating SSL connection on FD 16: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
    2013/02/19 16:02:15| clientNegotiateSSL: Error negotiating SSL connection on FD 16: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)

Squid version is 3.1.14, rebuilt with --enable-ssl.

    $> squid3 -v
    Squid Cache: Version 3.1.14
    configure options: '--build=i686-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--with-cppunit-basedir=/usr' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM' '--enable-ntlm-auth-helpers=smb_lm,' '--enable-digest-auth-helpers=ldap,password' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--enable-arp-acl' '--enable-esi' '--enable-zph-qos' '--enable-ssl' '--disable-translation' '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' 'build_alias=i686-linux-gnu' 'CFLAGS=-g -O2 -g -O2 -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS=' 'CXXFLAGS=-g -O2 -g -O2 -Wall' --with-squid=/home/lascaro/squid3-3.1.14

My squid.conf is:

    https_port 8081 transparent cert=/usr/lasc/CertAuth/squid.crt key=/usr/lasc/CertAuth/squid.key
    acl manager proto cache_object
    acl localhost src 127.0.0.1/32 ::1
    acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
    acl EEE-PC src 192.9.200.22
    acl SSL_ports port 443
    acl SSL_ports port 8081
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # httpss
    acl Safe_ports port 8081 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT
    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow EEE-PC
    http_access allow localhost
    http_access deny all
    http_port 8080 transparent
    hierarchy_stoplist cgi-bin ?
    coredump_dir /var/spool/squid3
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern . 0 20% 4320

My iptables config is:

    -t nat -A PREROUTING -i LAN -p tcp --dport 443 -s ! 192.9.200.2 -j REDIRECT --to-port 8081
    -t filter -A FORWARD -s 192.9.200.0/24 -d 192.9.200.2 -i LAN -o LAN -p tcp --dport 8081 -j ACCEPT

For the SSL certificate I used this <http://shirker.blog.com/2011/11/10/generate-ssl-certificate-for-squid/> page.

How can I solve my problem?

Thank you very much!
Skylab

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/SQUID3-and-https-Error-negotiating-SSL-connection-tp4658592.html
Sent from the Squid - Users mailing list archive at Nabble.com.