[squid-users] Error to test connectivity to internal MS Exchange server

From: Ruiyuan Jiang <RJiang_at_fnpc.com>
Date: Tue, 22 May 2012 18:08:37 -0400

Hi, all

I am trying to set up MS webmail over RPC Exchange server access through squid (squid 3.1.19, SPARC, Solaris 10) from the internet. Here is my pilot squid configuration (squid.conf):

https_port 156.146.2.196:443 accel cert=/opt/squid-3.1.19/ssl.crt/webmail_juicycouture_com.crt key=/opt/squid-3.1.19/ssl.crt/webmail_juicycouture_com.key cafile=/opt/apache2.2.21/conf/ssl.crt/DigiCertCA.crt defaultsite=webmail.juicycouture.com

cache_peer 10.150.2.15 parent 443 0 no-query originserver login=PASS ssl sslcert=/opt/squid-3.1.19/ssl.crt/webmail_katespade_com.crt sslkey=/opt/squid-3.1.19/ssl.crt/webmail_katespade_com.key sslcafile=/opt/apache2.2.21/conf/ssl.crt/DigiCertCA.crt name=exchangeServer

cache_peer_access exchangeServer allow all

http_access allow all

miss_access allow all

From the access log of squid:

1337723055.845 7 207.46.14.63 TCP_MISS/503 3905 RPC_IN_DATA https://webmail.juicycouture.com/rpc/rpcproxy.dll - FIRST_UP_PARENT/exchangeServer text/html
1337723055.934 5 207.46.14.63 TCP_MISS/503 3932 RPC_IN_DATA https://webmail.juicycouture.com/rpc/rpcproxy.dll - FIRST_UP_PARENT/exchangeServer text/html

From the cache.log of the squid:

2012/05/22 17:33:28| Starting Squid Cache version 3.1.19 for sparc-sun-solaris2.10...
2012/05/22 17:33:28| Process ID 7071
2012/05/22 17:33:28| With 256 file descriptors available
2012/05/22 17:33:28| Initializing IP Cache...
2012/05/22 17:33:28| DNS Socket created at [::], FD 8
2012/05/22 17:33:28| DNS Socket created at 0.0.0.0, FD 9
2012/05/22 17:33:28| Adding domain fifthandpacific.com from /etc/resolv.conf
2012/05/22 17:33:28| Adding nameserver 12.127.17.71 from /etc/resolv.conf
2012/05/22 17:33:28| Adding nameserver 12.127.16.67 from /etc/resolv.conf
2012/05/22 17:33:28| Adding nameserver 156.146.2.190 from /etc/resolv.conf
2012/05/22 17:33:28| Unlinkd pipe opened on FD 14
2012/05/22 17:33:28| Store logging disabled
2012/05/22 17:33:28| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2012/05/22 17:33:28| Target number of buckets: 1008
2012/05/22 17:33:28| Using 8192 Store buckets
2012/05/22 17:33:28| Max Mem size: 262144 KB
2012/05/22 17:33:28| Max Swap size: 0 KB
2012/05/22 17:33:28| Using Least Load store dir selection
2012/05/22 17:33:28| Current Directory is /opt/squid-3.1.19/var/logs
2012/05/22 17:33:28| Loaded Icons.
2012/05/22 17:33:28| Accepting HTTPS connections at 156.146.2.196:443, FD 15.
2012/05/22 17:33:28| HTCP Disabled.
2012/05/22 17:33:28| Configuring Parent 10.150.2.15/443/0
2012/05/22 17:33:28| Squid plugin modules loaded: 0
2012/05/22 17:33:28| Ready to serve requests.
2012/05/22 17:33:29| storeLateRelease: released 0 objects
2012/05/22 17:44:15| fwdNegotiateSSL: Error negotiating SSL connection on FD 13: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2012/05/22 17:44:15| TCP connection to 10.150.2.15/443 failed
2012/05/22 17:44:15| fwdNegotiateSSL: Error negotiating SSL connection on FD 13: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)

From the packet capture, the internal Exchange server reset the connection from the squid proxy server with either "Alert (Level: Fatal, Description: Unknown CA)" when I used the above official certificates or "Alert (Level: Fatal, Description: Certificate Unknown)" when I used an internal-CA-signed certificate, after the initial HTTPS handshake between squid and the Exchange server. Can anyone tell me how to correctly configure the cache_peer statement to make it work?

Thanks in advance.

Ryan Jiang

Received on Tue May 22 2012 - 22:08:48 MDT
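A small triage script, added here as an example (it is not from the post and not part of Squid), that parses cache.log lines like the ones quoted above, decodes the packed OpenSSL error code 14090086 into its library/function/reason numbers, ties each failed negotiation to the peer named on the following "TCP connection ... failed" line, and counts the resulting 503s per cache_peer in the native access.log format. The embedded log lines are constructed copies of the ones in the post; the OpenSSL constants are the 1.0-era values.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the cache.log and access.log quoted in the post
CACHE_LOG = """\
2012/05/22 17:44:15| fwdNegotiateSSL: Error negotiating SSL connection on FD 13: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2012/05/22 17:44:15| TCP connection to 10.150.2.15/443 failed
2012/05/22 17:44:15| fwdNegotiateSSL: Error negotiating SSL connection on FD 13: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
"""
ACCESS_LOG = """\
1337723055.845 7 207.46.14.63 TCP_MISS/503 3905 RPC_IN_DATA https://webmail.juicycouture.com/rpc/rpcproxy.dll - FIRST_UP_PARENT/exchangeServer text/html
1337723055.934 5 207.46.14.63 TCP_MISS/503 3932 RPC_IN_DATA https://webmail.juicycouture.com/rpc/rpcproxy.dll - FIRST_UP_PARENT/exchangeServer text/html
"""
SSL_ERR = re.compile(r"fwdNegotiateSSL: Error negotiating SSL connection on FD (\d+): "
                     r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):(.+?)(?: \(|$)")
PEER_FAIL = re.compile(r"TCP connection to ([\d.]+)/(\d+) failed")
# OpenSSL 1.0-era packed error code: 8-bit library, 12-bit function, 12-bit reason
ERR_LIB_SSL = 20
SSL_R_CERTIFICATE_VERIFY_FAILED = 134

def decode_openssl_error(code_hex):
    """Split a packed OpenSSL error code into (library, function, reason) numbers."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def ssl_failures(cache_log):
    """One record per fwdNegotiateSSL error, tied to the 'TCP connection ... failed' line after it."""
    events = []
    for line in cache_log.splitlines():
        m = SSL_ERR.search(line)
        if m:
            fd, code, lib, func, reason = m.groups()
            lib_no, func_no, reason_no = decode_openssl_error(code)
            events.append({"fd": int(fd), "code": code, "function": func, "reason": reason,
                           "verify_failed": lib_no == ERR_LIB_SSL
                           and reason_no == SSL_R_CERTIFICATE_VERIFY_FAILED,
                           "peer": None})
        else:
            m = PEER_FAIL.search(line)
            if m and events and events[-1]["peer"] is None:
                events[-1]["peer"] = f"{m.group(1)}:{m.group(2)}"
    return events

def peer_503s(access_log):
    """Count 503 responses per upstream peer in the native access.log (field 9 is hierarchy/peer)."""
    counts = Counter()
    for line in access_log.splitlines():
        f = line.split()
        if len(f) >= 9 and f[3].endswith("/503") and "/" in f[8]:
            counts[f[8].split("/", 1)[1]] += 1
    return counts
```

A verify_failed record whose peer is the cache_peer address means Squid itself rejected the Exchange server's certificate chain against sslcafile, which is a different problem from the Exchange side's "Unknown CA" alert about the client certificate Squid presents.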
