Re: [squid-users] Re: squid 3.1 - endless loop IIS webserver

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 13 Mar 2012 21:58:40 +1300

On 13.03.2012 21:21, kadvar wrote:
> Hi,
>
> Hi, thanks for that. I tried your recommendations and now I get this.
>
> 2012/03/13 12:11:25| clientNegotiateSSL: Error negotiating SSL connection on FD 18: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
> 2012/03/13 12:11:25| clientNegotiateSSL: Error negotiating SSL connection on FD 20: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
> 2012/03/13 12:11:27| clientNegotiateSSL: Error negotiating SSL connection on FD 18: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
>
> Adding ssl sslflags=NO_VERIFY_PEER to the cache_peer line gives:
>
> 2012/03/13 12:35:23| TCP connection to 192.168.124.169/443 failed
> 2012/03/13 12:35:23| SSL unknown certificate error 20 in /CN=savitr69
> 2012/03/13 12:35:23| SSL unknown certificate error 20 in /CN=savitr69
> 2012/03/13 12:35:23| fwdNegotiateSSL: Error negotiating SSL connection on FD 20: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
>
> I'm a bit confused about the actual interaction between squid and the
> backend IIS server. The programmer has generated an ssl cert on the iis
> server, I have generated an ssl cert on squid. When I type
> https://www.example.com/Login.aspx, it asks me to add an exception for the
> squid box but the request now hangs at the iis server.

There are two very separate TCP links, each having its own separate TLS
session. The traffic is fully decrypted on arrival into Squid and
re-encrypted for transfer to IIS.

Notice how there are two logged message prefixes "clientNegotiateSSL:"
and "fwdNegotiateSSL:".
  "clientNegotiateSSL:" is the browser->Squid link having problems.
  "fwdNegotiateSSL:" is the Squid->IIS link having problems.

fwdNegotiateSSL is likely having problems because the flag you set was
NO_VERIFY_PEER instead of sslflags=DONT_VERIFY_PEER. So it tried to
verify and failed.

>
> As per my understanding according to the current setup, when a user visits
> www.example.com/Login.aspx he is presented with an "Add exception" window for
> the squid box, after accepting he should again be presented with an "add
> exception" window from the iis server, this never happens.

No that should not happen. The transport security between Squid and IIS
is *only* on the transport between them. The browser has nothing to do
with that.

Amos
Received on Tue Mar 13 2012 - 08:58:57 MDT
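The two-link setup described in the reply, as a squid.conf fragment. This is an added example, not configuration posted in the thread; the certificate paths and the `name=iis` label are assumptions, while the backend IP, the site name and the `/CN=savitr69` subject come from the posted log lines.

```conf
# squid.conf (reverse proxy / accelerator) -- constructed example, not from the thread.
# File paths are assumptions; 192.168.124.169, www.example.com and CN=savitr69
# are taken from the logs quoted above.

# Link 1: browser -> Squid. This is the only certificate the browser ever sees.
# A self-signed one here is what triggers the browser's "add exception" prompt
# and the "tlsv1 alert unknown ca" lines logged under clientNegotiateSSL.
https_port 443 accel defaultsite=www.example.com \
    cert=/etc/squid/ssl/www.example.com.crt \
    key=/etc/squid/ssl/www.example.com.key

# Link 2: Squid -> IIS. Encrypted independently; the browser is not involved.

# As posted: NO_VERIFY_PEER is not the flag that disables verification, so
# Squid still verified the IIS certificate and logged fwdNegotiateSSL
# "certificate verify failed" / "SSL unknown certificate error 20"
# (OpenSSL error 20 = unable to get local issuer certificate for /CN=savitr69).
#cache_peer 192.168.124.169 parent 443 0 no-query originserver ssl \
#    sslflags=NO_VERIFY_PEER name=iis

# The flag named in the reply. This connects, but Squid then accepts any
# certificate on the backend link, so the link is encrypted but unauthenticated:
#cache_peer 192.168.124.169 parent 443 0 no-query originserver ssl \
#    sslflags=DONT_VERIFY_PEER name=iis

# Preferred: keep verification on and trust the IIS certificate (or the CA
# that issued it) explicitly, so the backend is authenticated as well.
cache_peer 192.168.124.169 parent 443 0 no-query originserver ssl \
    sslcafile=/etc/squid/ssl/iis-savitr69.crt \
    ssldomain=savitr69 name=iis

cache_peer_access iis allow all
```

With the last form, the fwdNegotiateSSL errors disappear for the right reason: the IIS certificate chains to something Squid has been told to trust, rather than verification being switched off. The `/CN=savitr69` certificate must then match `ssldomain=`, so a certificate issued for a different name still fails, as it should.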