Re: [squid-users] 3.1.15 squid report ERR_SECURE_CONNECT_FAIL on peer with self-signed cert

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 03 Mar 2012 14:03:41 +1300

On 3/03/2012 7:57 a.m., Yucong Sun (叶雨飞) wrote:
> Hi,
>
> I've been trying to use an SSL connection to a parent squid proxy, and
> the child squid always fails even when I specifically asked it to stop
> verifying stuff

The child verifying the parent? Or the parent verifying the child?
SSL is designed not to allow problems to go unseen, so validation
happens at both ends. You can only control what Squid (child) verifies
from squid.conf.

>
> here's the relevant config on child
>
> sslproxy_cert_error allow all
This makes Squid completely ignore all server errors when negotiating TLS.
You should not need it unless the server certificate is malformed.

> sslproxy_flags DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN

These are for controlling the DIRECT access TLS connections.

> cache_peer x.x.x.x parent 8443 0 no-digest no-query default ssl
> sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN,NO_DEFAULT_CA
> sslcert=ssl.pem sslkey=ssl.key

This is what is affecting the peer.

If we assume your ssl.pem and ssl.key are valid, it could still be the
peer rejecting them.

>
> and this appears in the cache.log
>
> 2012/03/03 02:50:51| fwdNegotiateSSL: Error negotiating SSL connection
> on FD 11: error:00000000:lib(0):func(0):reason(0) (5/-1/104)
>
> I've verified the parent side works fine, in fact, the server side has
> been implemented using stunnel and it works fine if I setup stunnel in
> local and tunnel squid through it.

Same ssl.pem/ssl.key certificates used by that test stunnel and this Squid?

Second question is whether you need ssl.pem/ssl.key at all?
SSL auto-generates random client certificates as needed if you only
specify the "ssl" option to cache_peer.
It is common to only specify cache_peer options "ssl
sslflags=DONT_VERIFY_PEER" to have an auto-generated client
certificate, and ignore self-signed certificates from the peer.

Amos
Received on Sat Mar 03 2012 - 01:03:49 MST
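As an added illustration, not part of the thread above: a child-side squid.conf fragment that keeps the parent's self-signed certificate verifiable instead of switching verification off. It contrasts the posted settings with a form that pins the parent's certificate via `sslcafile=` and names the expected peer with `ssldomain=`. The peer hostname `parent.example.net` and the file path are assumptions.

```conf
# Added example (not from the thread): child squid.conf for a TLS parent.
# Assumed values: parent.example.net and /etc/squid/parent-selfsigned.pem.

# --- As posted: every origin-server TLS error ignored, and peer checks off.
# sslproxy_cert_error allow all
# cache_peer x.x.x.x parent 8443 0 no-digest no-query default ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN,NO_DEFAULT_CA sslcert=ssl.pem sslkey=ssl.key

# --- Hardened: trust exactly one certificate, the parent's own self-signed one.
# A self-signed certificate verifies when it is itself in the trust store, so
# sslcafile= holds a copy of the parent's cert and NO_DEFAULT_CA restricts trust
# to that file. ssldomain= is the name the peer certificate must carry.
# No sslcert=/sslkey= needed: Squid auto-generates a client certificate.
cache_peer parent.example.net parent 8443 0 no-digest no-query default ssl sslcafile=/etc/squid/parent-selfsigned.pem sslflags=NO_DEFAULT_CA ssldomain=parent.example.net

# Route requests through the parent rather than fetching DIRECT.
never_direct allow all

# sslproxy_flags and sslproxy_cert_error only govern DIRECT origin-server TLS;
# they have no effect on cache_peer, so they are left out here.
```

With this form a certificate error on the child-to-parent link is reported in cache.log instead of silently accepted, which is the property DONT_VERIFY_PEER gives up; re-point `sslcafile=` when the parent rotates its certificate.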
