Squid (3.5.4): Secure Connection Failed (https)

After a zypper dup update today, squid no longer allows https connections; browsers report Secure Connection Failed instead. Without squid the connection works fine.

No changes have been made to squid.conf, and I didn’t notice any changes made by the update either. Am I missing something related to SSL which is mandatory nowadays? My config is from 2013 and hasn’t changed since.

squid.conf snippets:


    acl localnet src 10.1.1.0/24

    acl SSL_ports port 563 1025-65535
    acl SSL_ports port 443          # https

    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443         # https
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http
    acl CONNECT method CONNECT

    http_access allow manager localhost
    http_access allow manager localnet
    http_access deny manager

    http_access deny !Safe_ports

    http_access deny CONNECT !SSL_ports

    http_access deny to_localhost

    http_access allow localnet

    http_port 8080

    coredump_dir /var/cache/squid

    refresh_pattern ^ftp:           1440    20%     10080
    refresh_pattern ^gopher:        1440    0%      1440
    refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
    refresh_pattern .               0       20%     4320

    hierarchy_stoplist cgi-bin ?

    cache_mem 256 MB

    icp_access allow localnet

And in addition to help solving the issue, I’d very much appreciate any improvements that can and should be made to the config.
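One thing worth looking at in the config above, independent of the https breakage, is `acl SSL_ports port 563 1025-65535`: together with `http_access deny CONNECT !SSL_ports` and `http_access allow localnet` it lets any client on 10.1.1.0/24 open a CONNECT tunnel to any host on any port above 1024, so the proxy relays arbitrary TCP (RDP, database ports, anything) and not just https. The upstream default squid.conf ships `acl SSL_ports port 443` and ends with `http_access deny all`. The script below is an added example written for this thread, not Squid code or anything from the original post: it is a simplified model of how Squid walks `http_access` rules (first rule whose terms all match wins, `!` negates a term, no match means the opposite of the last rule) for the `src`, `port` and `method` ACL types only, and runs the posted rules and a tightened copy against a few constructed requests. Built-in ACLs other than `all` (`manager`, `localhost`, `to_localhost`) are not modelled, so rules that reference them simply never match here.

```python
"""Simplified model of Squid http_access evaluation (added example, not Squid
code). Models only 'src', 'port' and 'method' ACLs plus allow/deny rule
semantics, which is enough to compare the thread's SSL_ports line with the
upstream default for CONNECT requests."""
import ipaddress

# Constructed from the squid.conf lines in the first post, trimmed to the
# directives this model understands.
THREAD_CONF = """
acl localnet src 10.1.1.0/24
acl SSL_ports port 563 1025-65535
acl SSL_ports port 443          # https
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
http_access allow manager localhost
http_access allow manager localnet
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localnet
"""

# Same rules with SSL_ports narrowed to 443 (what the upstream default
# squid.conf ships) and an explicit final deny, as the default also has.
TIGHTENED_CONF = THREAD_CONF.replace(
    "acl SSL_ports port 563 1025-65535\n", ""
) + "http_access deny all\n"


def parse_config(text):
    """Return (acls, rules). acls maps name -> (type, values); repeated
    'acl NAME type ...' lines are merged, as Squid does. rules is the ordered
    list of (action, terms) taken from http_access lines."""
    acls = {"all": ("src", ["all"])}  # Squid 3.2+ predefines the 'all' ACL
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] in ("src", "port", "method"):
            acl_type, values = acls.get(parts[1], (parts[2], []))
            acls[parts[1]] = (acl_type, values + parts[3:])
        elif parts[0] == "http_access" and len(parts) >= 3 and parts[1] in ("allow", "deny"):
            rules.append((parts[1], parts[2:]))
    return acls, rules


def _acl_matches(acl, req):
    acl_type, values = acl
    if acl_type == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(v == "all" or ip in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "port":
        for v in values:  # single port or lo-hi range
            lo, _, hi = v.partition("-")
            if int(lo) <= req["port"] <= int(hi or lo):
                return True
        return False
    if acl_type == "method":
        return req["method"].upper() in (v.upper() for v in values)
    return False


def http_access(acls, rules, req):
    """First rule whose terms all match decides. A term '!NAME' matches when
    NAME does not. Unknown ACL names (built-ins this model lacks) never match.
    With no matching rule, Squid applies the opposite of the last rule."""
    for action, terms in rules:
        if all(
            (term.lstrip("!") in acls and _acl_matches(acls[term.lstrip("!")], req))
            != term.startswith("!")
            for term in terms
        ):
            return action
    last = rules[-1][0] if rules else "deny"
    return "deny" if last == "allow" else "allow"


def decide(conf_text, src, method, port):
    """Evaluate one request (constructed client address, method, target port)."""
    acls, rules = parse_config(conf_text)
    return http_access(acls, rules, {"src": src, "method": method, "port": port})


if __name__ == "__main__":
    for port in (443, 3389, 25):
        print(f"CONNECT to port {port}: thread config -> {decide(THREAD_CONF, '10.1.1.5', 'CONNECT', port)}, "
              f"tightened -> {decide(TIGHTENED_CONF, '10.1.1.5', 'CONNECT', port)}")
```

Running it shows CONNECT to 443 allowed by both rule sets, CONNECT to 3389 allowed by the posted config but denied once SSL_ports is just 443, and CONNECT to 25 denied by both because `deny !Safe_ports` fires first. The model is deliberately narrow; for the real decision Squid's `access.log` (TCP_DENIED) is the authority.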

On Mon, 01 Jun 2015 21:36:01 +0000, paju2000 wrote:

> After zypper dup update today squid no longer allows https connections
> but browsers inform about Secure Connection Failed. Without squid
> connection works fine.
>
> No changes have been made to the squid.conf and didn’t notice any
> changes made by update either. Am I missing something related to SSL
> which is mandatory nowadays? My config is from 2013 and hasn’t changed
> since.

Squid might be trying to use SSLv2, which most browsers have deprecated
as insecure. You might need to check your Squid configuration and either
make sure it’s using SSLv3 (as I recall), or better, TLS.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

Could this issue be related to certifications? Don’t have any cert configured… The purpose is not to decrypt the https communication at squid thus if I understand the configuration correctly the cert is not needed. Just a direct connection from browser to host via ssl/tls.

And no, I still don’t have squid working for https… so further help is needed.

On Tue, 02 Jun 2015 20:16:01 +0000, paju2000 wrote:

> Could this issue be related to certifications? Don’t have any cert
> configured… The purpose is not to decrypt the https communication at
> squid thus if I understand the configuration correctly the cert is not
> needed. Just a direct connection from browser to host via ssl/tls.
>
> And no, I still don’t have squid working for https… so further help is
> needed.

What is the exact error message you get in your browser?

Jim



Error:
"Secure Connection Failed

The connection to www.google.com was interrupted while the page was loading.

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem."

On Wed, 03 Jun 2015 18:06:01 +0000, paju2000 wrote:

> hendersj;2713451 Wrote:
>> On Tue, 02 Jun 2015 20:16:01 +0000, paju2000 wrote:
>>
>> > Could this issue be related to certifications? Don’t have any cert
>> > configured… The purpose is not to decrypt the https communication at
>> > squid thus if I understand the configuration correctly the cert is
>> > not needed. Just a direct connection from browser to host via
>> > ssl/tls.
>> >
>> > And no, I still don’t have squid working for https… so further help
>> is
>> > needed.
>>
>> What is the exact error message you get in your browser?
>
> Error:
> “Secure Connection Failed
>
> The connection to www.google.com was interrupted while the page was
> loading.
>
> The page you are trying to view cannot be shown because the authenticity
> of the received data could not be verified.
> Please contact the website owners to inform them of this problem.”

Is there an indication of further error information - a link to click at
the bottom of the page?

For example, if I browse to a site with a certificate that’s not
validated by my CA trust chain, I get a message with an “Advanced” link
that lets me proceed to the requested site (but notes it’s unsafe).
There’s also text on the screen that reads:

NET::ERR_CERT_AUTHORITY_INVALID

Which describes what the error is.

I’m thinking the error you’re getting relates to this:

https://en.wikipedia.org/wiki/POODLE

which has to do with browser fallback to SSLv3.

If your Squid server is presenting an SSLv3 certificate (or trying to -
for some reason - fall back to SSLv3 instead of using TLS as it connects
to the target site for you), then that might explain the error you’re
seeing.

In your squid configuration, what openssl ciphers are you configured for?

Jim



Nothing further is reported than what I copied. The only thing I could do is report the error to Google. Usually there are clearer errors or indications giving some hint of the issue, but this time none.

> I’m thinking the error you’re getting relates to this:
>
> POODLE - Wikipedia
>
> which has to do with browser fallback to SSLv3.
>
> If your Squid server is presenting an SSLv3 certificate (or trying to -
> for some reason - fall back to SSLv3 instead of using TLS as it connects
> to the target site for you), then that might explain the error you’re
> seeing.
>
> In your squid configuration, what openssl ciphers are you configured for?

I don’t have any certificates configured. Squid is fully transparent (or that’s the idea anyway) i.e. browser creates the secure connection with host. Squid is not intercepting or bumping SSL/TLS connections.

The config I listed in the beginning of the thread is pretty much all what I have in the config. This has been working fine until the latest update where squid also got updated (didn’t check what was the previous version).

On Thu, 04 Jun 2015 18:46:01 +0000, paju2000 wrote:

>> Which describes what the error is.
>>
>>
> Nothing further is reported than what I copied. Only thing I could do is
> report the error to google. Usually there are more clear errors or
> indications giving some hint of the issue but this time none.

That’s very strange. Do any other browsers give more information?

>> I’m thinking the error you’re getting relates to this:
>>
>> https://en.wikipedia.org/wiki/POODLE
>>
>> which has to do with browser fallback to SSLv3.
>>
>> If your Squid server is presenting an SSLv3 certificate (or trying to -
>> for some reason - fall back to SSLv3 instead of using TLS as it
>> connects to the target site for you), then that might explain the error
>> you’re seeing.
>>
>> In your squid configuration, what openssl ciphers are you configured
>> for?
>>
>>
> I don’t have any certificates configured. Squid is fully transparent (or
> that’s the idea anyway) i.e. browser creates the secure connection with
> host. Squid is not intercepting or bumping SSL/TLS connections.
>
> The config I listed in the beginning of the thread is pretty much all
> what I have in the config. This has been working fine until the latest
> update where squid also got updated (didn’t check what was the previous
> version).

Does the connection from the browser work OK without squid? Process of
elimination - if the problem only exists with squid in the picture, then
squid is doing something to cause the problem. If it doesn’t, then it’s
the target site (as it’s google.com, unlikely) or the browser.

Jim


Not really. Here’s what Konqueror says about the situation:

The requested operation could not be completed

Timeout Error

Details of the Request:

URL: https://www.google.com/search?q=test&ie=UTF-8
Protocol: https
Date and Time: Sunday 07 June 2015 20:32
Additional Information: www.google.com: Socket operation timed out
Description:

Although contact was made with the server, a response was not received within the amount of time allocated for the request as follows:
Timeout for establishing a connection: 20 seconds
Timeout for receiving a response: 600 seconds
Timeout for accessing proxy servers: 10 seconds
Please note that you can alter these timeout settings in the KDE System Settings, by selecting Network Settings -> Connection Preferences.

Possible Causes:

There may have been a problem at some point along the network path between the server and this computer.
The server was too busy responding to other requests to respond.
Possible Solutions:

Try again, either now or at a later time.
Contact the administrator of the server for further assistance.

>> I’m thinking the error you’re getting relates to this:
>>
>> POODLE - Wikipedia
>>
>> which has to do with browser fallback to SSLv3.
>>
>> If your Squid server is presenting an SSLv3 certificate (or trying to -
>> for some reason - fall back to SSLv3 instead of using TLS as it
>> connects to the target site for you), then that might explain the error
>> you’re seeing.
>>
>> In your squid configuration, what openssl ciphers are you configured
>> for?
>>
>>
> I don’t have any certificates configured. Squid is fully transparent (or
> that’s the idea anyway) i.e. browser creates the secure connection with
> host. Squid is not intercepting or bumping SSL/TLS connections.
>
> The config I listed in the beginning of the thread is pretty much all
> what I have in the config. This has been working fine until the latest
> update where squid also got updated (didn’t check what was the previous
> version).

> Does the connection from the browser work OK without squid? Process of
> elimination - if the problem only exists with squid in the picture, then
> squid is doing something to cause the problem. If it doesn’t, then it’s
> the target site (as it’s google.com, unlikely) or the browser.

Without squid things are fine. With squid all https connections I’ve tried fail.

On Sun, 07 Jun 2015 17:46:01 +0000, paju2000 wrote:

>> That’s very strange. Do any other browsers give more information?
>>
>>
> Not really. Here’s what Konqueror says about the situation:
>
> The requested operation could not be completed
>
> Timeout Error
>
> Details of the Request:
>
> URL: https://www.google.com/search?q=test&ie=UTF-8
> Protocol: https
> Date and Time: Sunday 07 June 2015 20:32
> Additional Information: www.google.com: Socket operation timed out
> Description:
>
> Although contact was made with the server, a response was not received
> within the amount of time allocated for the request as follows:
> Timeout for establishing a connection: 20 seconds
> Timeout for receiving a response: 600 seconds
> Timeout for accessing proxy servers: 10 seconds
> Please note that you can alter these timeout settings in the KDE System
> Settings, by selecting Network Settings -> Connection Preferences.
>
> Possible Causes:
>
> There may have been a problem at some point along the network path
> between the server and this computer.
> The server was too busy responding to other requests to respond.
> Possible Solutions:
>
> Try again, either now or at a later time.
> Contact the administrator of the server for further assistance.

Interesting. What if you fire up Links or Lynx (assuming you have no GUI
on the squid box) and try connecting from it directly to a site you’re
trying to navigate to?

It sounds to me like a routing issue on the squid box from that
description.

>> Does the connection from the browser work OK without squid? Process of
>> elimination - if the problem only exists with squid in the picture,
>> then squid is doing something to cause the problem. If it doesn’t,
>> then it’s the target site (as it’s google.com, unlikely) or the
>> browser.
>>
>>
> Without squid things are fine. With squid all https connections I’ve
> tried fail.

That also would point to a potential routing problem from the squid box.

Jim



Server and workstation are the same in my case i.e. full GUI in use. And no, doesn’t help.

>> Does the connection from the browser work OK without squid? Process of
>> elimination - if the problem only exists with squid in the picture,
>> then squid is doing something to cause the problem. If it doesn’t,
>> then it’s the target site (as it’s google.com, unlikely) or the
>> browser.
>>
>>
> Without squid things are fine. With squid all https connections I’ve
> tried fail.

> That also would point to a potential routing problem from the squid box.

Sounds logical but how can I check this in detail?

On Sat, 27 Jun 2015 12:36:01 +0000, paju2000 wrote:

>> It sounds to me like a routing issue on the squid box from that
>> description.
>>
>>
> Server and workstation are the same in my case i.e. full GUI in use. And
> no, doesn’t help.

Useful info, might come in handy as we continue to troubleshoot it.

>> That also would point to a potential routing problem from the squid
>> box.
>>
>>
> Sounds logical but how can I check this in detail?

Start by looking at the output of ‘route -n’ on the box.

Jim



On Sat, 27 Jun 2015 20:13:30 +0000, Jim Henderson wrote:

> On Sat, 27 Jun 2015 12:36:01 +0000, paju2000 wrote:
>
>>> It sounds to me like a routing issue on the squid box from that
>>> description.
>>>
>>>
>> Server and workstation are the same in my case i.e. full GUI in use.
>> And no, doesn’t help.
>
> Useful info, might come in handy as we continue to troubleshoot it.
>
>>> That also would point to a potential routing problem from the squid
>>> box.
>>>
>>>
>> Sounds logical but how can I check this in detail?
>
> Start by looking at the output of ‘route -n’ on the box.

Actually, I take that back - if the connection works OK from the box
without using squid, then it’s not routing.

So, how do you have the proxy configured in your browser?

Jim



Updated Tumbleweed again after the gcc update and now squid works again. No changes were made to anything by myself, so apparently there was some issue in squid itself.

On Sat, 04 Jul 2015 12:26:01 +0000, paju2000 wrote:

> Updated Tumbleweed again after the gcc update and now squid works again. No
> changes were made to anything by myself, so apparently there was some
> issue in squid itself.

Glad to hear you got it resolved. :)

Jim

