[squid-users] Problem with ssl bump: Error negotiating SSL connection

From: Javier Amor Garcia <jamor_at_zentyal.com>
Date: Tue, 25 Sep 2012 10:09:43 +0200

Hello,

I am trying to set up an ssl bump with squid3. However, I always get this error:

2012/09/25 09:58:33| clientNegotiateSSL: Error negotiating SSL
connection on FD 10: error:1407609B:SSL
routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)

The relevant snippets of my configuration:

http_port 3128
https_port 3133 ssl-bump cert=/etc/squid3/self_signed_cert.pem
key=/etc/squid3/self_signed_key.pem
(..)
always_direct allow all
ssl_bump allow all
sslproxy_cert_error allow all

----
I tested several different https websites but I always get the same error.
I have also tried to add the dangerous option 'sslproxy_flags 
DONT_VERIFY_PEER' but it didn't make any difference.
There is a compiled squid3; the '-v' output is:
root_at_z3:/etc/ssl# squid3 -v
Squid Cache: Version 3.1.19
configure options:  '--build=i686-linux-gnu' '--prefix=/usr' 
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man' 
'--infodir=${prefix}/share/info' '--sysconfdir=/etc' 
'--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' 
'--disable-maintainer-mode' '--disable-dependency-tracking' 
'--disable-silent-rules' '--datadir=/usr/share/squid3' 
'--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' 
'--with-cppunit-basedir=/usr' '--enable-inline' '--enable-async-io=8' 
'--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap' 
'--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' 
'--enable-icap-client' '--enable-follow-x-forwarded-for' 
'--enable-auth=basic,digest,ntlm,negotiate' 
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM' 
'--enable-ntlm-auth-helpers=smb_lm,' 
'--enable-digest-auth-helpers=ldap,password' 
'--enable-negotiate-auth-helpers=squid_kerb_auth' 
'--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' 
'--enable-arp-acl' '--enable-esi' '--enable-zph-qos' '--enable-wccpv2' 
'--disable-translation' '--with-logdir=/var/log/squid3' 
'--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536' 
'--with-large-files' '--with-default-user=proxy' '--enable-ssl' 
'--enable-linux-netfilter' 'build_alias=i686-linux-gnu' 'CFLAGS=-g -O2 
-fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat 
-Wformat-security -Werror=format-security' 
'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 
'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector 
--param=ssp-buffer-size=4 -Wformat -Wformat-security 
-Werror=format-security' --with-squid=/build/buildd/squid3-3.1.19
Thanks for your help,
Javier
Received on Tue Sep 25 2012 - 08:09:54 MDT
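What the quoted OpenSSL error means, as an added note that is not part of the original post: SSL23_GET_CLIENT_HELLO raises "https proxy request" when the first bytes it reads on the socket are a plaintext HTTP CONNECT line rather than a TLS record, i.e. the client is treating the https_port as an ordinary HTTP proxy (in Squid, CONNECT-based bumping is configured on the http_port; https_port expects the TLS ClientHello itself). The check below, written for this thread with constructed sample bytes rather than captured traffic, mirrors OpenSSL's classification so an operator can see which kind of client is actually talking to a listening port.

```python
# Classify the first bytes a listening port receives, the same way OpenSSL's
# SSL23_GET_CLIENT_HELLO does before it logs "https proxy request".
# Added diagnostic for this thread; the samples below are constructed.

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ")  # OpenSSL -> "http request"
TLS_HANDSHAKE_RECORD, CLIENT_HELLO_TYPE = 0x16, 0x01


def classify(data: bytes) -> str:
    """Return what kind of client spoke first on the socket."""
    if data.startswith(b"CONNECT"):
        # Plaintext proxy CONNECT: the client uses this port as an HTTP proxy,
        # so a port expecting TLS logs SSL_R_HTTPS_PROXY_REQUEST.
        return "http-proxy-request"
    if data.startswith(HTTP_METHODS):
        return "http-request"
    if (len(data) >= 9 and data[0] == TLS_HANDSHAKE_RECORD and data[1] == 0x03
            and data[5] == CLIENT_HELLO_TYPE):
        record_len = int.from_bytes(data[3:5], "big")       # TLS record length
        handshake_len = int.from_bytes(data[6:9], "big")    # ClientHello body length
        if handshake_len + 4 == record_len:                 # 4-byte handshake header
            return "tls-client-hello"
        return "tls-record"  # handshake record whose framing did not add up
    if data and data[0] & 0x80:
        return "sslv2-compatible-hello"  # legacy SSLv2-style ClientHello framing
    return "unknown"


# Constructed samples: a proxy CONNECT and a minimal TLS 1.2 ClientHello.
SAMPLE_CONNECT = b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n"
SAMPLE_CLIENT_HELLO = (
    b"\x16\x03\x01\x00\x2d"          # record: handshake, version 3.1, 45 bytes follow
    + b"\x01\x00\x00\x29"            # handshake: ClientHello, 41-byte body
    + b"\x03\x03" + b"\x00" * 32     # client_version TLS 1.2 + 32 random bytes
    + b"\x00"                        # session id length 0
    + b"\x00\x02\x00\x2f"            # one cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA)
    + b"\x01\x00"                    # one compression method (null)
)

if __name__ == "__main__":
    for name, sample in (("connect", SAMPLE_CONNECT), ("hello", SAMPLE_CLIENT_HELLO)):
        print(f"{name}: {classify(sample)}")
```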