Hi Amos! Thanks for the response! I put my full config in that gist (https://gist.github.com/dansteen/c28343fd025c713bcfba8368ce2b728b) if that helps. Is there something else that would be helpful to see?
Thanks!

On Tue, May 11, 2021, at 9:16 PM, Amos Jeffries wrote:
> The main issue you are having is that the old version had no TLS/1.3 support.
> The newer squid have some, but not enough for what you are doing.
>
> Switching the build from GnuTLS to OpenSSL may work a little better. But
> without details of your config it is hard to be certain.
>
> Amos
>
>
> -------- Original message --------
> From: Dan Steen <d...@mirageid.com>
> Date: Wed, 12 May 2021, 10:06
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] https_port not correctly sending ssl cert information?
>> Hi!
>>
>> I've recently been trying to update my version of squid from 4.0.20 to
>> something more modern (4.13), but I'm having issues with my TLS-enabled
>> proxy not returning certificates correctly (it seems). Specifically, when
>> I try and run the following curl (url replaced to protect the innocent):
>>
>> curl -vvI --proxy https://test.example.com:5000 https://google.com
>>
>> I get the following result:
>>
>> *   Trying 167.99.53.100:5000...
>> * Connected to test.example.com port 5000
>> * ALPN, offering http/1.1
>> * successfully set certificate verify locations:
>> *  CAfile: /etc/ssl/certs/ca-certificates.crt
>> *  CApath: none
>> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
>> * TLSv1.3 (IN), TLS handshake, Server hello (2):
>> * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
>> * TLSv1.3 (IN), TLS handshake, Certificate (11):
>> * TLSv1.3 (OUT), TLS alert, unknown CA (560):
>> * SSL certificate problem: unable to get local issuer certificate
>> * Closing connection 0
>> curl: (60) SSL certificate problem: unable to get local issuer certificate
>>
>> This is different from what I get for my old 4.0.20 server:
>>
>> * Connected to test.example.com port 3128 (#0)
>> * successfully set certificate verify locations:
>> *  CAfile: /etc/ssl/certs/ca-certificates.crt
>> *  CApath: none
>> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
>> * TLSv1.3 (IN), TLS handshake, Server hello (2):
>> * TLSv1.2 (IN), TLS handshake, Certificate (11):
>> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
>> * TLSv1.2 (IN), TLS handshake, Server finished (14):
>> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
>> * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
>> * TLSv1.2 (OUT), TLS handshake, Finished (20):
>> * TLSv1.2 (IN), TLS handshake, Finished (20):
>> * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
>> * Proxy certificate:
>> *  subject: CN=*.example.com
>> *  start date: Apr 5 21:02:06 2021 GMT
>> *  expire date: May 7 21:02:06 2022 GMT
>> *  issuer: C=BE; O=GlobalSign nv-sa; CN=AlphaSSL CA - SHA256 - G2
>> * SSL certificate verify ok.
>>
>>
>> But the config and certs are exactly the same! I've pasted the config,
>> output of squid -v, and cert information here:
>> https://gist.github.com/dansteen/c28343fd025c713bcfba8368ce2b728b
>>
>> One difference between the two that I noticed is that the old version is
>> compiled with --with-openssl and --enable-ssl and --enable-ssl-crtd, and the
>> new version only has --with-gnutls. Would that be the issue? I appreciate
>> the help!
>>
>> Thanks!
>> Dan Steen
>>
>>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>

Dan Steen
Founder, CTO
MirageID
...@mirageid.com
443-204-9478
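As an added example (not code from this thread or from the Squid project), here is a small Python triage script for `curl -v` transcripts like the two quoted above. It pulls out the handshake messages, any TLS alert, the negotiated version and cipher, and the curl exit code, and tells apart "the proxy presented a certificate but curl could not chain it to a trusted root" (the 4.13 trace: `Certificate (11)` received, then curl itself sends `unknown CA`, exit 60, no CONNECT ever issued, so the origin host is not involved) from a proxy handshake that verified. The sample transcripts are trimmed copies of the ones Dan posted; the regexes, class names and verdict labels are my own assumptions.

```python
"""Triage a `curl -v` transcript of a TLS connection to an HTTPS proxy.

Added example; not code from the squid-users thread or the Squid project.
Sample transcripts are trimmed from the two Dan posted (4.13 failing,
4.0.20 succeeding). Verdict labels and regexes are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Trace lines curl prints with -v when built against OpenSSL.
HANDSHAKE_RE = re.compile(r"TLSv1\.\d \((IN|OUT)\), TLS handshake, (.+?) \((\d+)\)")
ALERT_RE = re.compile(r"TLSv1\.\d \((IN|OUT)\), TLS alert, (.+?) \((\d+)\)")
NEGOTIATED_RE = re.compile(r"SSL connection using (TLSv1\.\d) / (\S+)")
CURL_ERROR_RE = re.compile(r"curl: \((\d+)\) (.*)")
CONNECT_RE = re.compile(r">?\s*CONNECT \S+ HTTP/")


@dataclass
class Triage:
    """What the transcript says about the proxy leg of the connection."""
    handshake: List[Tuple[str, str]] = field(default_factory=list)  # (dir, message)
    negotiated: Optional[str] = None
    cipher: Optional[str] = None
    alert: Optional[str] = None
    curl_error: Optional[int] = None
    proxy_cert_verified: bool = False
    saw_connect: bool = False

    def server_sent_certificate(self) -> bool:
        return ("IN", "Certificate") in self.handshake

    def classify(self) -> str:
        """Coarse verdict: proxy-ok, proxy-untrusted, proxy-no-cert, inconclusive."""
        if self.proxy_cert_verified:
            return "proxy-ok"
        if self.curl_error == 60 and self.alert == "unknown CA" and not self.saw_connect:
            # curl got a Certificate message and then *itself* sent "unknown CA":
            # it could not build a path from the proxy's cert to a root in its
            # CA bundle (intermediate missing from the served chain, or root
            # missing from the bundle). No CONNECT was sent, so the origin
            # server plays no part in this failure.
            return "proxy-untrusted" if self.server_sent_certificate() else "proxy-no-cert"
        return "inconclusive"


def triage(transcript: str) -> Triage:
    t = Triage()
    for raw in transcript.splitlines():
        line = raw.strip().lstrip("*").strip()  # drop curl's "* " trace prefix
        if CONNECT_RE.match(line):
            t.saw_connect = True
            continue
        m = HANDSHAKE_RE.search(line)
        if m:
            t.handshake.append((m.group(1), m.group(2)))
            continue
        m = ALERT_RE.search(line)
        if m:
            t.alert = m.group(2)
            continue
        m = NEGOTIATED_RE.search(line)
        if m:
            t.negotiated, t.cipher = m.group(1), m.group(2)
            continue
        if line == "SSL certificate verify ok." and not t.saw_connect:
            # Before any CONNECT this refers to the proxy's certificate.
            t.proxy_cert_verified = True
        m = CURL_ERROR_RE.match(line)
        if m:
            t.curl_error = int(m.group(1))
    return t


# Trimmed copies of the transcripts posted in the thread.
FAILED_4_13 = """\
* Connected to test.example.com port 5000
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
"""

OK_4_0_20 = """\
* Connected to test.example.com port 3128 (#0)
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
*  issuer: C=BE; O=GlobalSign nv-sa; CN=AlphaSSL CA - SHA256 - G2
* SSL certificate verify ok.
"""

if __name__ == "__main__":
    for name, text in (("4.13", FAILED_4_13), ("4.0.20", OK_4_0_20)):
        print(name, triage(text).classify())
```

The useful distinction for a case like this one is `proxy-untrusted` versus `proxy-no-cert`: the 4.13 trace falls in the first bucket, which means the proxy did hand over a certificate and the next thing to inspect is the chain it serves (for example with `openssl s_client -showcerts -connect test.example.com:5000`, counting the certificates returned) against the CA bundle curl is using.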