[squid-users] Sharepoint SSL Error

From: Dale J. Rodriguez <drodriguez_at_ftmsinc.com>
Date: Thu, 12 Jan 2012 09:27:16 -0500

Hello World. Noob Here.

I have successfully set up squid as a reverse proxy for port 80; however,
my attempts to set up the same server to point to an https server on
sharepoint have failed. All I get is the authentication box, and the
following error message in cache.log:

fwdNegotiateSSL: Error negotiating SSL connection on FD 11:
error:00000000:lib(0):func(0):reason(0) (5/-1/104)

The only caveat I have is that I am using an SSL cert that was assigned
to another IP address. Do you have to have matching SSL certs for this
to work properly?

Here is my squid config:

visible_hostname squid.localhost

always_direct allow all
ssl_bump allow all
pipeline_prefetch off

http_port 80 defaultsite=1.2.3.60
https_port 443 cert=/usr/ssl/lol.cer key=/usr/ssl/llol2.server.pem connection-auth=on defaultsite=1.2.3.11

cache_peer 1.2.3.60 parent 80 0 no-query originserver no-digest login=PASS name=bi_iis
cache_peer 1.2.3.11 parent 443 0 connection-auth=on no-query originserver login=PASSTHRU ssl sslflags=DONT_VERIFY_PEER name=sharepoint

acl bi_server dst 1.2.3.60
acl sharepoint dst 1.2.3.11
acl lan1 src 1.2.3.0/32
acl lan2 src 1.2.3.0/32
acl vpn src 5.6.7.0/32
acl externalip src 2.3.4.0/32
cache_peer_access bi_iis allow bi_server
cache_peer_access bi_iis allow lan1
cache_peer_access bi_iis allow lan2
cache_peer_access bi_iis allow vpn
cache_peer_access bi_iis allow externalip
cache_peer_access bi_iis deny all
cache_peer_access sharepoint allow bi_server
cache_peer_access sharepoint allow lan1
cache_peer_access sharepoint allow lan2
cache_peer_access sharepoint allow vpn
cache_peer_access sharepoint allow externalip
cache_peer_access sharepoint deny all
http_access allow lan1
http_access allow lan2
http_access allow vpn
http_access allow externalip
#negative dns entry

acl localhost src 127.0.0.1/32
acl manager proto cache_object
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
acl POST method POST
never_direct allow CONNECT
never_direct allow POST
never_direct allow ALL
sslproxy_flags DONT_VERIFY_PEER

cache_mgr a_at_lol.com
http_access allow manager localhost
http_access allow lan1
http_access allow lan2
http_access allow vpn
http_access allow externalip
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT
#http_access deny all

Any help is appreciated. Thank you.

Dale J. Rodriguez
Received on Thu Jan 12 2012 - 14:27:23 MST
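A static review pass over the posted configuration, added here as an example; it is not part of the original thread and is not Squid's own tooling. It assumes a constructed, representative excerpt of the config above and flags what a reviewer would raise: origin certificate verification switched off with DONT_VERIFY_PEER, /32 src ACLs that look like they were meant to be subnets, references to ACL names that were never defined, and the commented-out final http_access deny all.

```python
from ipaddress import ip_network

# Constructed excerpt of the squid.conf posted above (assumption: representative, not the full file).
SAMPLE_CONF = """\
cache_peer 1.2.3.11 parent 443 0 connection-auth=on no-query originserver login=PASSTHRU ssl sslflags=DONT_VERIFY_PEER name=sharepoint
acl lan1 src 1.2.3.0/32
acl localhost src 127.0.0.1/32
acl Safe_ports port 80
acl CONNECT method CONNECT
never_direct allow ALL
sslproxy_flags DONT_VERIFY_PEER
http_access allow lan1
http_access deny !Safe_ports
http_access deny CONNECT
#http_access deny all
"""

# Directives whose trailing tokens are ACL names; value = index of the first ACL token.
ACL_REFS = {"http_access": 2, "never_direct": 2, "always_direct": 2, "cache_peer_access": 3}

def lint_squid_conf(text):
    """Return (severity, message) findings for a squid.conf text. Static checks only."""
    lines = [l.strip() for l in text.splitlines() if l.strip() and not l.strip().startswith("#")]
    # ACL names are matched case-insensitively; 'all' is predefined by Squid.
    acls = {"all"} | {l.split()[1].lower() for l in lines if l.startswith("acl ")}
    findings, last_http_access = [], None
    for l in lines:
        w = l.split()
        if w[0] == "acl" and len(w) >= 4 and w[2] == "src":
            for cidr in w[3:]:
                try:
                    net = ip_network(cidr, strict=False)
                except ValueError:
                    continue
                # A /32 whose host octet is 0 almost always meant a network, not one host.
                if net.prefixlen == 32 and str(net.network_address).endswith(".0"):
                    findings.append(("warn", f"acl {w[1]}: {cidr} matches a single host, not a subnet"))
        if w[0] in ACL_REFS:
            for tok in w[ACL_REFS[w[0]]:]:
                if tok.lstrip("!").lower() not in acls:
                    findings.append(("error", f"{w[0]}: undefined ACL '{tok}'"))
        if w[0] == "http_access":
            last_http_access = " ".join(w[1:]).lower()
        # Verification of the origin's certificate is off: the proxy-to-origin leg is unauthenticated.
        if "DONT_VERIFY_PEER" in l:
            findings.append(("high", f"{w[0]}: peer certificate verification disabled"))
    if last_http_access != "deny all":
        findings.append(("warn", "final http_access is not 'deny all'; unmatched requests get the opposite of the last rule"))
    return findings
```

Run it against a full squid.conf to get the same four classes of finding; the per-line checks are independent, so the config order does not matter except for the final http_access rule.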

This archive was generated by hypermail 2.2.0 : Sat Jan 14 2012 - 12:00:03 MST