RE: [squid-users] https --> http reverse proxy problem

From: Mirabello Massimiliano <[email protected]>
Date: Wed, 2 Apr 2008 09:33:41 +0200

 

> -----Original Message-----
> From: Diego Woitasen [mailto:diegows@gmail.com]

> 2008/4/1, Mirabello Massimiliano <Massimiliano.Mirabello@italtel.it>:
> >

> >
> > My cache.log reports:
> > 2008/04/01 17:53:50| clientNegotiateSSL: Error negotiating SSL connection on FD 11: error:140B512D:SSL routines:SSL_GET_NEW_SESSION:ssl session id callback failed (1/-1)
> >
> >

>
> Sounds like a Squid certificate problem. Try with openssl
> s_client -connect squidhost:37500, it will display
> certificate info. If it doesn't work, try to generate the
> certificate again.
>

IPAHU016 > openssl s_client -connect ipahu016:37500
CONNECTED(00000003)
7721:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:

I tried to generate certificates with a different openssl version
(instead of 0.9.6k) on another host:

>openssl version
OpenSSL 0.9.7a Feb 19 2003

IPAHU016> openssl req -x509 -nodes -days 3650 -newkey rsa:1024 -keyout ipahu016.key -out ipahu016.crt

I tested them with:

IPAHU016> openssl s_server -cert ipahu016.crt -key ipahu016.key -accept 37600 &

IPAHU016> openssl s_client -connect ipahu016:37600
CONNECTED(00000003)
depth=0 /C=IT/ST=Italy/L=Newbury/O=My Company Ltd/OU=ipahu016/CN=ipahu016
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=IT/ST=Italy/L=Newbury/O=My Company Ltd/OU=ipahu016/CN=ipahu016
verify return:1

---
Certificate chain
 0 s:/C=IT/ST=Italy/L=Newbury/O=My Company Ltd/OU=ipahu016/CN=ipahu016
   i:/C=IT/ST=Italy/L=Newbury/O=My Company Ltd/OU=ipahu016/CN=ipahu016
---
Server certificate
subject=/C=IT/ST=Italy/L=Newbury/O=My Company Ltd/OU=ipahu016/CN=ipahu016
issuer=/C=IT/ST=Italy/L=Newbury/O=My Company Ltd/OU=ipahu016/CN=ipahu016
---
No client certificate CA names sent
---
SSL handshake has read 1230 bytes and written 250 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID:
3CBCC3021C063F3A93EE818EC90531BD27B88F5FC2FCC4460795EDAA14CBA68F
    Session-ID-ctx:
    Master-Key:
7AC2060C28913035DFC87062171DBB1A07D778843AB73D4862C894E5AA0131BB0958C636
1BD190FA6AFA656241D418
AC
    Key-Arg   : None
    Start Time: 1207123026
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
> Is your key encrypted? I don't remember if squid supports
> asking for a passphrase.
> 
No, it's not.
regards,
Massimiliano Mirabello
Received on Wed Apr 02 2008 - 01:34:15 MDT
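
The two questions raised in this exchange (is the key passphrase-protected, and is the certificate/key pair itself sound) can be answered offline before a TLS listener is pointed at the files. The script below is an added example, not part of the original message or of Squid; the function names and file names are assumptions, and it relies on the `openssl pkey` subcommand, which is not available in the 0.9.6/0.9.7 releases mentioned in the thread.

```shell
#!/bin/sh
# Added example: offline checks on a PEM cert/key pair before a TLS listener
# is pointed at it. Function and file names are assumptions.

# True if the PEM private key is passphrase-protected (traditional or PKCS#8).
key_is_encrypted() {
    grep -Eq '^(-----BEGIN ENCRYPTED PRIVATE KEY-----|Proc-Type: 4,ENCRYPTED)' "$1"
}

# True if the certificate's public key is the one derived from the private key.
# The empty -passin keeps openssl from prompting if the key is encrypted.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Runs both checks and reports the first problem found.
preflight() {
    if key_is_encrypted "$2"; then
        echo "FAIL: $2 is passphrase-protected"; return 1
    fi
    if ! cert_matches_key "$1" "$2"; then
        echo "FAIL: $1 does not belong to $2"; return 1
    fi
    echo "OK: $(openssl x509 -in "$1" -noout -subject -enddate | tr '\n' ' ')"
}

# Constructed test material: throwaway self-signed pair named after $1 in
# directory $2 (2048-bit key and 1-day lifetime chosen for the demo).
make_pair() {
    openssl req -x509 -nodes -days 1 -newkey rsa:2048 -subj "/CN=$1" \
        -keyout "$2/$1.key" -out "$2/$1.crt" 2>/dev/null
}

if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"            # usage: script CERT KEY
else
    demo_dir=$(mktemp -d)
    make_pair demo.test "$demo_dir" &&
        preflight "$demo_dir/demo.test.crt" "$demo_dir/demo.test.key"
    rm -rf "$demo_dir"
fi
```

A pair that passes both checks and still fails the handshake on the proxy port, while working under `openssl s_server`, points away from the certificate files and toward the listener's own TLS configuration.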
