> On 10/14/22 10:32, LEMRAZZEQ, Wadie wrote:
>> I tried to implement this on a dockerized Alpine, and a squid 5.5 with 
>> openssl module

> FWIW, Squid v5.5 is unusable in many environments -- too many bugs. Use
> v5.7 or later. I do not know whether one of those bugs is responsible for 
> the specific problem you are discussing though.

I tried with squid 5.7, but I still have the same issue.

>> but when I request squid https port, I got this error every time, in
>> cache.log:

> _How_ do you "request squid https port"?

Ah, sorry, I didn't mention that I have the problem only with web browsers (Firefox, 
Chromium), and I do specify an https proxy in the browser proxy config.
But if I use curl, it works.

>> ERROR: failure while accepting a TLS connection on conn77
>> local=172.17.0.2:3129 remote=172.17.0.1:56608 FD 12 flags=1: 
>> 
>> connection: conn77 local=172.17.0.2:3129 remote=172.17.0.1:56608 FD 12 
>> flags=1
>> 
>> Error.cc(22) update: recent: 
>> ERR_SECURE_ACCEPT_FAIL/SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=1408F09B+TLS_IO_ERR=1

> According to "openssl errstr", that OpenSSL error is:

>      error:1408F09B:SSL routines:ssl3_get_record:https proxy request


> Most likely, the client is sending a plain text CONNECT request before 
> encrypting the TLS connection to the HTTPS proxy. In other words, the client 
> thinks it is talking to an HTTP proxy while you want it to think that it is 
> talking to an HTTPS proxy. For example,

> * HTTP proxy:  curl -x http://172.17.0.2:3128/ ... https://example.com
> * HTTPS proxy: curl -x https://172.17.0.2:3129/ ... https://example.com

Yes indeed, requesting with curl works, but not with the web browsers.

> ...
> 
> I also tried this with squid 4.10 with gnutls module, in an Ubuntu 
> 20.40 environment, with the same squid.conf, and I got again a TLS 
> error
> 
> ...
> 
> client_side.cc(2597) tlsAttemptHandshake: Error negotiating TLS on
> local=x.x.x.x:3129 remote=x.x.x.x:50874 FD 11 flags=1: Aborted by
> client: An unexpected TLS packet was received.
> 
> ...
> 
> For certificates, I used a self-signed one and a generated 
> certificate signed by our CA, for both scenarios.
> 
> Also, I tried multiple https_port options (disable some SSL 
> implementation, manipulation of client certificates...) but without 
> success
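As an added illustration (not from this thread, Squid or OpenSSL), the snippet below decodes the TLS_LIB_ERR token quoted above into OpenSSL's lib/func/reason fields and classifies the first bytes a TLS listener received, modelled on the check ssl3_get_record performs when a record header is invalid. The reason and function numbers are assumed from OpenSSL 1.1.1 headers; the log line and byte strings are constructed samples.

```python
"""Decode Squid's TLS_LIB_ERR token and classify what the client actually sent."""
import re
from typing import Optional, Tuple

# OpenSSL 1.x packs an error code as (lib << 24) | (func << 12) | reason.
# Numeric names assumed from OpenSSL 1.1.1 (as printed by `openssl errstr`);
# only the two "plaintext on a TLS port" reasons relevant here are listed.
ERR_LIB_SSL = 0x14
SSL_F_SSL3_GET_RECORD = 143
SSL_R_HTTPS_PROXY_REQUEST = 155   # client sent "CONNECT ..." in the clear
SSL_R_HTTP_REQUEST = 156          # client sent "GET/POST/HEAD/PUT ..." in the clear

TLS_ERR_RE = re.compile(r"TLS_LIB_ERR=([0-9A-Fa-f]{8})")


def decode_openssl_error(code: int) -> Tuple[int, int, int]:
    """Split a packed OpenSSL 1.x error code into (lib, func, reason)."""
    return code >> 24, (code >> 12) & 0xFFF, code & 0xFFF


def tls_lib_err_from_log(line: str) -> Optional[int]:
    """Pull the TLS_LIB_ERR hex value out of a Squid cache.log error line."""
    m = TLS_ERR_RE.search(line)
    return int(m.group(1), 16) if m else None


def classify_first_bytes(data: bytes) -> str:
    """Modelled on OpenSSL's fallback check when the record header is not TLS."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls_handshake"          # TLS record: content type 22, version 3.x
    if data.startswith(b"CONNECT "):
        return "https_proxy_request"    # what yields SSL_R_HTTPS_PROXY_REQUEST
    if data.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ")):
        return "http_request"           # what yields SSL_R_HTTP_REQUEST
    return "unknown"


def explain(line: str) -> str:
    """Turn a cache.log line into a one-sentence diagnosis."""
    code = tls_lib_err_from_log(line)
    if code is None:
        return "no TLS_LIB_ERR token in line"
    lib, func, reason = decode_openssl_error(code)
    if lib == ERR_LIB_SSL and reason == SSL_R_HTTPS_PROXY_REQUEST:
        return "client sent a plaintext CONNECT to https_port: it treats the proxy as http://"
    if lib == ERR_LIB_SSL and reason == SSL_R_HTTP_REQUEST:
        return "client sent a plaintext HTTP request to https_port"
    return f"OpenSSL error lib={lib} func={func} reason={reason}"


# Constructed sample: the cache.log line quoted in the thread, rejoined onto one line.
SAMPLE_LOG = ("Error.cc(22) update: recent: ERR_SECURE_ACCEPT_FAIL/SQUID_TLS_ERR_ACCEPT"
              "+TLS_LIB_ERR=1408F09B+TLS_IO_ERR=1")
```

Running `explain(SAMPLE_LOG)` on the thread's log line points at the browser speaking plaintext CONNECT, which is the mismatch the curl http:// versus https:// proxy URLs above demonstrate.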

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

