
Squid, configured for SSL, chokes on some sites

I have a Squid 3.5.23 running on Debian Stretch, recompiled from the deb source and configured as a transparent proxy. I changed the configuration in order to allow SSL proxying and it seems to be running OK when I install the generated Squid certificate as a trusted root authority. Facebook, Google, Kernel.org and most other HTTPS sites pass through OK, and the browser correctly thinks those sites' certificate authority is the proxy's. Now, SOME sites give me a certificate warning and then an error if I accept it as an exception.

https://elpais.com ->

The following error was encountered while trying to retrieve the URL: https://2.16.189.72/*

    Failed to establish a secure connection to 2.16.189.72

The system returned:

    (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

    Handshake with SSL server failed: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.

https://wiki.squid-cache.org/ (Now that is ironic) ->

The following error was encountered while trying to retrieve the URL: https://master.squid-cache.org/*

    Failed to establish a secure connection to 104.130.201.120

The system returned:

    (71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)

    SSL Certficate error: certificate issuer (CA) not known: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.

I generated the certificate with the following commands:

    openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 \
        -keyout mycompany.pem -out mycompany.pem
    openssl x509 -in mycompany.pem -outform DER -out mycompany.der
    /usr/lib/squid/ssl_crtd -c -s /etc/squid/certs/ssl_db -M 4MB
    chown -R proxy.proxy ssl_db

Clues?

    • Not sure what the reason for the failing SSL handshake is (I do not have any trouble with the site you mentioned with an explicit proxy), but the reason for being unable to get the issuer locally is a site misconfiguration: the admin of the site did not include the whole chain of SSL certificates in the initial SSL handshake. See more explanations at docs.diladele.com/faq/squid/…
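
The missing-intermediate condition described in the comment above can be reproduced offline. This is an added example, not code from the original post or from Squid: it builds a constructed root, intermediate and leaf certificate (all names and file paths are throwaway assumptions) and verifies the leaf while trusting only the root, as the proxy does.

```bash
#!/usr/bin/env bash
# Constructed demo: throwaway root CA, intermediate CA and leaf certificate.
# None of these names or files come from the original post.
WORK=$(mktemp -d)

gen_csr() {  # gen_csr <basename> <subject>: new key plus signing request
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

make_chain() (
  cd "$WORK" || exit 1
  # Extensions that mark a certificate as a CA (used for root and intermediate).
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext &&
  gen_csr root "/CN=Demo Root" &&
  openssl x509 -req -in root.csr -signkey root.key -days 30 \
    -extfile ca.ext -out root.pem 2>/dev/null &&
  gen_csr inter "/CN=Demo Intermediate" &&
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -extfile ca.ext -out inter.pem 2>/dev/null &&
  gen_csr leaf "/CN=www.example.test" &&
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 30 -out leaf.pem 2>/dev/null
)

# Server sent only its leaf; the verifier knows the root but not the intermediate.
verify_leaf_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1
}

# Same trust store, but the intermediate is supplied as an untrusted helper,
# which is what a server does when it sends its full chain.
verify_with_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
    "$WORK/leaf.pem" 2>&1
}

make_chain || { echo "openssl failed to build the demo chain" >&2; exit 1; }
echo "--- leaf only ---";           verify_leaf_only || true
echo "--- leaf + intermediate ---"; verify_with_chain
```

The first check fails with OpenSSL's error 20, the numeric form of X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY shown in the Squid error page; the second succeeds with the trust store unchanged.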
