Re: [squid-users] SSL errors with Squid 3.5.27 [SOLVED]

2018-07-02 Thread Julian Perconti
Hi all, Problem solved. With squid 4 openssl 1.1 I realized that WhatsApp uses the following ports: 5223, 5228, 4244, 5242, and 5222 in addition to 443, 80. So I opened those ports on the firewall and everything worked. Also I changed the cipher suite in squid.conf like this: (for the dropbox

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-28 Thread Julian Perconti
Hi all: Finally I migrated everything to debian 9 with openssl 1.1 and squid 4 (june 22/18) release (the last one). Everything seems to go very well. However, the dropbox client logs this error in cache.log: kid1| ERROR: negotiating TLS on FD 35: error:141710F8:SSL routines:tls_process_server_

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-18 Thread Julian Perconti
Googling I found these cfg lines: acl SSLERR ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN sslproxy_cert_error allow SSLERR sslproxy_cert_error deny all The error "certificate verify failed" has disappeared, I refer to this error: routines:CONNECT_CR_

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-18 Thread Matus UHLAR - fantomas
have you tried -servername option for setting SNI extension? On 18.06.18 08:31, Julian Perconti wrote: How can i do this? man s_client:\ -servername name Set the TLS SNI (Server Name Indication) extension in the ClientHello message. -- Matus UHLAR - fantomas, uh

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-18 Thread Julian Perconti
> have you tried -servername option for setting SNI extension? How can I do this? Well, debugging cache.log I found this: 2018/06/18 08:22:08.822 kid1| 83,5| support.cc(300) ssl_verify_cb: Self signed certificate in certificate chain: /CN=courier.push.apple.com/O=Apple Inc./ST=California/C=U

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-14 Thread Matus UHLAR - fantomas
On 13.06.18 18:20, Julian Perconti wrote: Does not show any cert and establishes a connection with TLS 1.2... openssl s_client -connect 31.13.94.54:443 CONNECTED(0003) write:errno=104 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 by

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-14 Thread Amos Jeffries
On 14/06/18 09:20, Julian Perconti wrote: > > # > Here is an example: > # > > openssl s_client -connect 31.13.94.54:443 > CONNECTED(0003) > write:errno=104 > --- > no peer certificate available > --- > No client certificate CA names sent > --- > SSL handshake has read 0 bytes and written

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-13 Thread Amos Jeffries
On 13/06/18 07:54, Julian Perconti wrote: >> Interesting. >> >> The main issue was that you configured only params for the Diffie-Hellman (DH >> and DHE) ciphers - no >curve name. That meant your specified EEC* ciphers >> were disabled since they require a curve name as >well. >> >> Removing this o

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-13 Thread L . P . H . van Belle
ag 12 juni 2018 21:55 > To: squid-users@lists.squid-cache.org > Subject: Re: [squid-users] SSL errors with Squid 3.5.27 > > >Interesting. > > > >The main issue was that you configured only params for the > Diffie-Hellman (DH and DHE) ciphers - no >curve name

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-12 Thread Julian Perconti
>Interesting. > >The main issue was that you configured only params for the Diffie-Hellman (DH >and DHE) ciphers - no >curve name. That meant your specified EEC* ciphers were >disabled since they require a curve name as >well. > >Removing this option completely disables both DH and ECDH cipher type

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-10 Thread Amos Jeffries
On 10/06/18 20:42, Walter H. wrote: > On 10.06.2018 08:49, Amos Jeffries wrote: >> >> Interesting. >> >> The main issue was that you configured only params for the Diffie-Hellman >> (DH and DHE) ciphers - no curve name. That meant your specified EEC* >> ciphers were disabled since they require a curv

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-10 Thread Walter H.
On 10.06.2018 08:49, Amos Jeffries wrote: Interesting. The main issue was that you configured only params for the Diffie-Hellman (DH and DHE) ciphers - no curve name. That meant your specified EEC* ciphers were disabled since they require a curve name as well. Removing this option completely dis

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-09 Thread Amos Jeffries
On 10/06/18 03:46, Julian Perconti wrote: >>> https_port 3130 intercept ssl-bump \ >>> cert=/etc/squid/ssl_cert/squidCA.pem \ >>> key=/etc/squid/ssl_cert/squidCA.pem \ >>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB >>> tls-dh=/etc/squid/ssl_cert/dhparam.pem >> >> These DH

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-09 Thread Julian Perconti
>> https_port 3130 intercept ssl-bump \ >> cert=/etc/squid/ssl_cert/squidCA.pem \ >> key=/etc/squid/ssl_cert/squidCA.pem \ >> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB >> tls-dh=/etc/squid/ssl_cert/dhparam.pem > >These DH parameters are for old DH not for ECDHE (missing c

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-08 Thread Amos Jeffries
On 09/06/18 11:15, Julian Perconti wrote: > Hello community, I am new to the list, and I hope everyone is well. > > I am running a squid server on debian 7. > > My squid version is 3.5.27 manually compiled with LibreSSL 2.6.0 due to > problems with Dropbox. After compiling squid with LibreSSL,