Re: [squid-users] HTTPS CONNECT Failing - Squid 3.3.4

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 27 Apr 2014 20:56:33 +1200

On 26/04/2014 3:26 a.m., tomsl wrote:
> I have Squid 3.3.4 running on Ubuntu 12.04. For some clients, it looks like
> they cannot establish an SSL connection so I assume that HTTPS CONNECT is
> failing.

There is no such thing as HTTPS CONNECT.

There is HTTP CONNECT for clients making an HTTPS request to an
explicit/forward proxy.

> These are embedded linux devices (I think) and I cannot get any
> logs from them so I am finding it difficult to debug. I have tried many
> different options on the https_port line.
>
> My https_port line is currently:
>
> https_port 443 accel cert=/root/ssl/cert.pem
> cipher=RC4-MD5:RC4-SHA:AES128-SHA:DES-CBC3-SHA:AES256-SHA
> defaultsite=mysite.mydomain.com
>

CONNECT requests are invalid in "accel" mode traffic, and are technically
valid but unused in most https_port traffic.

So in short I very much doubt it's a CONNECT failure....

>
> The only relevant information that I can get from the logs is:
>
> 2014/04/25 14:57:07.598| TcpAcceptor.cc(197) doAccept: New connection on FD
> 31
> 2014/04/25 14:57:07.598| TcpAcceptor.cc(272) acceptNext: connection on
> local=[::]:443 remote=[::] FD 31 flags=9
> 2014/04/25 14:57:07.598| Eui48.cc(262) lookup: Looking up ARP address for
> 10.189.246.4 on eth0
> 2014/04/25 14:57:07.598| Eui48.cc(262) lookup: Looking up ARP address for
> 10.189.246.4 on eth1
> 2014/04/25 14:57:07.598| Eui48.cc(537) lookup: 10.189.246.4 NOT found
> -----BEGIN SSL SESSION PARAMETERS-----
> MIGLAgEBAgIDAwQCAC8EILteDsmKzo2zRpPdTooen622XmoPOJ+EuE58nSIpKQ3E
> BDBmI+cJ09OOG1hxtpjXqfv9ZjCUHAH0uaI7JJnB5DQb44Lu69fk/GpbT8mNj8fq
> yuShBgIEU1p3w6IEAgIBLKQCBACmGAQWYnN0ZXN0LnNpZ25hZ2VsaXZlLmNvbQ==
> -----END SSL SESSION PARAMETERS-----
> 2014/04/25 14:57:08.294| client_side.cc(3528) clientNegotiateSSL:
> clientNegotiateSSL: New session 0x7fb05d661640 on FD 10 (10.189.246.4:11885)
> 2014/04/25 14:57:08.294| client_side.cc(3532) clientNegotiateSSL:
> clientNegotiateSSL: FD 10 negotiated cipher AES128-SHA
> 2014/04/25 14:57:08.294| client_side.cc(3548) clientNegotiateSSL:
> clientNegotiateSSL: FD 10 has no certificate.

There you go. No certificate. Question is whether that is client missing
a certificate or Squid (server)?

Amos
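The debug lines quoted above carry enough to triage the handshake per file descriptor: which client connected, which cipher suite was negotiated, and whether Squid logged a peer certificate. The script below is an added example written for this archive page, not code from Amos, the original poster or the Squid project. It parses those clientNegotiateSSL lines and also checks the posted cipher= list for suites a practitioner would want to drop. The second client (FD 12) and its "client certificate: subject:" line are constructed for the sample, and the exact wording of that certificate line is an assumption about Squid's debug output.

```python
"""Triage Squid 3.x cache.log TLS handshake lines and the https_port cipher= list.

Added example; not part of the squid-users thread or the Squid code base.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the debug lines quoted in the thread.
# FD 10 mirrors the original post; FD 12, its cipher and its certificate
# line are made up, and the "client certificate: subject:" format is assumed.
SAMPLE_LOG = """\
2014/04/25 14:57:07.598| TcpAcceptor.cc(197) doAccept: New connection on FD 31
2014/04/25 14:57:08.294| client_side.cc(3528) clientNegotiateSSL: clientNegotiateSSL: New session 0x7fb05d661640 on FD 10 (10.189.246.4:11885)
2014/04/25 14:57:08.294| client_side.cc(3532) clientNegotiateSSL: clientNegotiateSSL: FD 10 negotiated cipher AES128-SHA
2014/04/25 14:57:08.294| client_side.cc(3548) clientNegotiateSSL: clientNegotiateSSL: FD 10 has no certificate.
2014/04/25 14:58:01.101| client_side.cc(3528) clientNegotiateSSL: clientNegotiateSSL: New session 0x7fb05d661a00 on FD 12 (10.189.246.9:40022)
2014/04/25 14:58:01.102| client_side.cc(3532) clientNegotiateSSL: clientNegotiateSSL: FD 12 negotiated cipher RC4-MD5
2014/04/25 14:58:01.102| client_side.cc(3540) clientNegotiateSSL: clientNegotiateSSL: FD 12 client certificate: subject: /CN=device-9
"""

# The cipher= value from the https_port line quoted in the thread.
CIPHER_CONFIG = "RC4-MD5:RC4-SHA:AES128-SHA:DES-CBC3-SHA:AES256-SHA"


@dataclass
class Handshake:
    fd: int
    client: Optional[str] = None       # remote ip:port from the "New session" line
    cipher: Optional[str] = None       # suite Squid reports as negotiated
    client_cert: Optional[str] = None  # peer certificate subject, if one was logged
    no_cert_logged: bool = False       # Squid logged "has no certificate."


_NEW = re.compile(r"New session \S+ on FD (\d+) \(([^)]+)\)")
_CIPHER = re.compile(r"FD (\d+) negotiated cipher (\S+)")
_NOCERT = re.compile(r"FD (\d+) has no certificate")
_CERT = re.compile(r"FD (\d+) client certificate: subject: (.+)$")


def parse_handshakes(log_text: str) -> Dict[int, Handshake]:
    """Group clientNegotiateSSL debug lines by file descriptor."""
    hs: Dict[int, Handshake] = {}

    def get(fd: str) -> Handshake:
        return hs.setdefault(int(fd), Handshake(fd=int(fd)))

    for line in log_text.splitlines():
        if "clientNegotiateSSL" not in line:
            continue  # accept/ARP lookup lines carry nothing about TLS
        m = _NEW.search(line)
        if m:
            get(m[1]).client = m[2]
            continue
        m = _CIPHER.search(line)
        if m:
            get(m[1]).cipher = m[2]
            continue
        m = _NOCERT.search(line)
        if m:
            get(m[1]).no_cert_logged = True
            continue
        m = _CERT.search(line)
        if m:
            get(m[1]).client_cert = m[2].strip()
    return hs


# Substring markers in OpenSSL suite names and why each is a problem.
_WEAK_RULES = [
    ("RC4", "RC4 stream cipher, biased keystream (prohibited by RFC 7465)"),
    ("MD5", "HMAC-MD5 record integrity"),
    ("DES-CBC3", "3DES, 64-bit block size (Sweet32)"),
    ("DES-CBC-", "single DES, 56-bit key"),
    ("EXP", "export-grade key length"),
    ("NULL", "no encryption or no authentication"),
]


def weak_ciphers(cipher_config: str) -> List[Tuple[str, List[str]]]:
    """Return (suite, reasons) for each suite in a cipher= list that should go."""
    out: List[Tuple[str, List[str]]] = []
    for suite in cipher_config.split(":"):
        reasons = [why for marker, why in _WEAK_RULES if marker in suite]
        if reasons:
            out.append((suite, reasons))
    return out


def report(log_text: str, cipher_config: str) -> List[str]:
    """One finding per weak configured suite, then one line per handshake."""
    weak = weak_ciphers(cipher_config)
    lines = [f"config: weak suite {s}: " + "; ".join(r) for s, r in weak]
    weak_names = {s for s, _ in weak}
    for fd, h in sorted(parse_handshakes(log_text).items()):
        cert = h.client_cert or ("none logged" if h.no_cert_logged else "unknown")
        flag = " [WEAK]" if h.cipher in weak_names else ""
        lines.append(f"FD {fd} {h.client}: cipher={h.cipher}{flag} client_cert={cert}")
    return lines


if __name__ == "__main__":
    for entry in report(SAMPLE_LOG, CIPHER_CONFIG):
        print(entry)
```

To settle Amos's question from outside the box, run `openssl s_client -connect mysite.mydomain.com:443 -servername mysite.mydomain.com` against the https_port: the output shows whether Squid presents a server certificate chain at all and which suite the server picks, independent of what the embedded devices can or cannot log. If cert.pem does not also contain the private key, Squid's https_port needs a separate key= option.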
Received on Sun Apr 27 2014 - 08:56:44 MDT

This archive was generated by hypermail 2.2.0 : Mon Apr 28 2014 - 12:00:08 MDT