After zypper dup update today squid no longer allows https connections but browsers inform about Secure Connection Failed. Without squid connection works fine.
No changes have been made to the squid.conf and didn’t notice any changes made by update either. Am I missing something related to SSL which is mandatory nowadays? My config is from 2013 and hasn’t changed since.
On Mon, 01 Jun 2015 21:36:01 +0000, paju2000 wrote:
> After zypper dup update today squid no longer allows https connections
> but browsers inform about Secure Connection Failed. Without squid
> connection works fine.
>
> No changes have been made to the squid.conf and didn’t notice any
> changes made by update either. Am I missing something related to SSL
> which is mandatory nowadays? My config is from 2013 and hasn’t changed
> since.
Squid might be trying to use SSLv2, which most browsers have deprecated
as insecure. You might need to check your Squid configuration and either
make sure it’s using SSLv3 (as I recall), or better, TLS.
Could this issue be related to certifications? Don’t have any cert configured… The purpose is not to decrypt the https communication at squid thus if I understand the configuration correctly the cert is not needed. Just a direct connection from browser to host via ssl/tls.
And no, I still don’t have squid working for https… so further help is needed.
On Tue, 02 Jun 2015 20:16:01 +0000, paju2000 wrote:
> Could this issue be related to certifications? Don’t have any cert
> configured… The purpose is not to decrypt the https communication at
> squid thus if I understand the configuration correctly the cert is not
> needed. Just a direct connection from browser to host via ssl/tls.
>
> And no, I still don’t have squid working for https… so further help is
> needed.
What is the exact error message you get in your browser?
Error:
“Secure Connection Failed
The connection to www.google.com was interrupted while the page was loading.
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.”
On Wed, 03 Jun 2015 18:06:01 +0000, paju2000 wrote:
> hendersj;2713451 Wrote:
>> On Tue, 02 Jun 2015 20:16:01 +0000, paju2000 wrote:
>>
>> > Could this issue be related to certifications? Don’t have any cert
>> > configured… The purpose is not to decrypt the https communication at
>> > squid thus if I understand the configuration correctly the cert is
>> > not needed. Just a direct connection from browser to host via
>> > ssl/tls.
>> >
>> > And no, I still don’t have squid working for https… so further
>> > help is needed.
>>
>> What is the exact error message you get in your browser?
>
> Error:
> “Secure Connection Failed
>
> The connection to www.google.com was interrupted while the page was
> loading.
>
> The page you are trying to view cannot be shown because the authenticity
> of the received data could not be verified.
> Please contact the website owners to inform them of this problem.”
Is there an indication of further error information - a link to click at
the bottom of the page?
For example, if I browse to a site with a certificate that’s not
validated by my CA trust chain, I get a message with an “Advanced” link
that lets me proceed to the requested site (but notes it’s unsafe).
There’s also text on the screen that reads:
NET::ERR_CERT_AUTHORITY_INVALID
Which describes what the error is.
I’m thinking the error you’re getting relates to this:
https://en.wikipedia.org/wiki/POODLE
which has to do with browser fallback to SSLv3.
If your Squid server is presenting an SSLv3 certificate (or trying to -
for some reason - fall back to SSLv3 instead of using TLS as it connects
to the target site for you), then that might explain the error you’re
seeing.
In your squid configuration, what openssl ciphers are you configured for?
Nothing further is reported than what I copied. Only thing I could do is report the error to google. Usually there are more clear errors or indications giving some hint of the issue but this time none.
> I’m thinking the error you’re getting relates to this:
>
> https://en.wikipedia.org/wiki/POODLE
>
> which has to do with browser fallback to SSLv3.
>
> If your Squid server is presenting an SSLv3 certificate (or trying to -
> for some reason - fall back to SSLv3 instead of using TLS as it connects
> to the target site for you), then that might explain the error you’re
> seeing.
>
> In your squid configuration, what openssl ciphers are you configured for?
I don’t have any certificates configured. Squid is fully transparent (or that’s the idea anyway) i.e. browser creates the secure connection with host. Squid is not intercepting or bumping SSL/TLS connections.
The config I listed in the beginning of the thread is pretty much all that I have in the config. This has been working fine until the latest update where squid also got updated (didn’t check what was the previous version).
On Thu, 04 Jun 2015 18:46:01 +0000, paju2000 wrote:
>> Which describes what the error is.
>>
>>
> Nothing further is reported than what I copied. Only thing I could do is
> report the error to google. Usually there are more clear errors or
> indications giving some hint of the issue but this time none.
That’s very strange. Do any other browsers give more information?
>> I’m thinking the error you’re getting relates to this:
>>
>> https://en.wikipedia.org/wiki/POODLE
>>
>> which has to do with browser fallback to SSLv3.
>>
>> If your Squid server is presenting an SSLv3 certificate (or trying to -
>> for some reason - fall back to SSLv3 instead of using TLS as it
>> connects to the target site for you), then that might explain the error
>> you’re seeing.
>>
>> In your squid configuration, what openssl ciphers are you configured
>> for?
>>
>>
> I don’t have any certificates configured. Squid is fully transparent (or
> that’s the idea anyway) i.e. browser creates the secure connection with
> host. Squid is not intercepting or bumping SSL/TLS connections.
>
> The config I listed in the beginning of the thread is pretty much all
> that I have in the config. This has been working fine until the latest
> update where squid also got updated (didn’t check what was the previous
> version).
Does the connection from the browser work OK without squid? Process of
elimination - if the problem only exists with squid in the picture, then
squid is doing something to cause the problem. If it doesn’t, then it’s
the target site (as it’s google.com, unlikely) or the browser.
Not really. Here’s what Konqueror says about the situation:
The requested operation could not be completed
Timeout Error
Details of the Request:
URL: https://www.google.com/search?q=test&ie=UTF-8
Protocol: https
Date and Time: Sunday 07 June 2015 20:32
Additional Information: www.google.com: Socket operation timed out
Description:
Although contact was made with the server, a response was not received within the amount of time allocated for the request as follows:
- Timeout for establishing a connection: 20 seconds
- Timeout for receiving a response: 600 seconds
- Timeout for accessing proxy servers: 10 seconds
Please note that you can alter these timeout settings in the KDE System Settings, by selecting Network Settings -> Connection Preferences.
Possible Causes:
There may have been a problem at some point along the network path between the server and this computer.
The server was too busy responding to other requests to respond.
Possible Solutions:
Try again, either now or at a later time.
Contact the administrator of the server for further assistance.
>>> I’m thinking the error you’re getting relates to this:
>>>
>>> https://en.wikipedia.org/wiki/POODLE
>>>
>>> which has to do with browser fallback to SSLv3.
>>>
>>> If your Squid server is presenting an SSLv3 certificate (or trying to -
>>> for some reason - fall back to SSLv3 instead of using TLS as it
>>> connects to the target site for you), then that might explain the error
>>> you’re seeing.
>>>
>>> In your squid configuration, what openssl ciphers are you configured
>>> for?
>>>
>>>
>> I don’t have any certificates configured. Squid is fully transparent (or
>> that’s the idea anyway) i.e. browser creates the secure connection with
>> host. Squid is not intercepting or bumping SSL/TLS connections.
>>
>> The config I listed in the beginning of the thread is pretty much all
>> that I have in the config. This has been working fine until the latest
>> update where squid also got updated (didn’t check what was the previous
>> version).
> Does the connection from the browser work OK without squid? Process of
> elimination - if the problem only exists with squid in the picture, then
> squid is doing something to cause the problem. If it doesn’t, then it’s
> the target site (as it’s google.com, unlikely) or the browser.
Without squid things are fine. With squid all https connections I’ve tried fail.
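With a proxy that is not intercepting or bumping TLS, as described in the thread, the browser first sends an HTTP CONNECT request to the proxy and then performs the TLS handshake with the origin through the resulting tunnel, so the process of elimination can be taken one step further by checking which of those two stages fails. The following Python script is an added example, not part of any post in this thread; the function names, the stage labels and the proxy address 127.0.0.1:3128 (Squid's default port) are assumptions.

```python
import socket
import ssl


def open_tunnel(proxy_host, proxy_port, target_host, target_port=443, timeout=10):
    """Ask the proxy for a CONNECT tunnel; return (socket, status_code, status_line)."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    request = (
        f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
        f"Host: {target_host}:{target_port}\r\n\r\n"
    )
    sock.sendall(request.encode("ascii"))
    # Read byte by byte up to the blank line so no tunnelled TLS bytes are consumed.
    head = b""
    while not head.endswith(b"\r\n\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        head += chunk
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    code = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    return sock, code, status_line


def diagnose(proxy_host, proxy_port, target_host, target_port=443):
    """Return (stage, detail); stage names the first step that failed, or 'ok'."""
    try:
        sock, code, status_line = open_tunnel(proxy_host, proxy_port, target_host, target_port)
    except OSError as exc:
        return "proxy-connection-failed", str(exc)
    with sock:
        if code != 200:
            return "proxy-refused-connect", status_line
        try:
            # A non-bumping proxy only relays bytes, so the certificate seen here
            # must be the origin's and must verify against the system CA store.
            context = ssl.create_default_context()
            with context.wrap_socket(sock, server_hostname=target_host) as tls:
                return "ok", f"{tls.version()} {tls.cipher()[0]}"
        except ssl.SSLError as exc:
            return "tls-handshake-failed", str(exc)
        except OSError as exc:
            return "tunnel-stalled", str(exc)


if __name__ == "__main__":
    # Assumed values: Squid running on this machine, on its default port 3128.
    print(diagnose("127.0.0.1", 3128, "www.google.com"))
```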
On Sun, 07 Jun 2015 17:46:01 +0000, paju2000 wrote:
>> That’s very strange. Do any other browsers give more information?
>>
>>
> Not really. Here’s what Konqueror says about the situation:
>
> The requested operation could not be completed
>
> Timeout Error
>
> Details of the Request:
>
> URL: https://www.google.com/search?q=test&ie=UTF-8
> Protocol: https
> Date and Time: Sunday 07 June 2015 20:32
> Additional Information: www.google.com: Socket operation timed out
> Description:
>
> Although contact was made with the server, a response was not received
> within the amount of time allocated for the request as follows:
> - Timeout for establishing a connection: 20 seconds
> - Timeout for receiving a response: 600 seconds
> - Timeout for accessing proxy servers: 10 seconds
> Please note that you can alter these timeout settings
> in the KDE System Settings, by selecting Network Settings ->
> Connection Preferences.
>
> Possible Causes:
>
> There may have been a problem at some point along the network path
> between the server and this computer.
> The server was too busy responding to other requests to respond.
> Possible Solutions:
>
> Try again, either now or at a later time.
> Contact the administrator of the server for further assistance.
Interesting. What if you fire up Links or Lynx (assuming you have no GUI
on the squid box) and try connecting from it directly to a site you’re
trying to navigate to?
It sounds to me like a routing issue on the squid box from that
description.
>> Does the connection from the browser work OK without squid? Process of
>> elimination - if the problem only exists with squid in the picture,
>> then squid is doing something to cause the problem. If it doesn’t,
>> then it’s the target site (as it’s google.com, unlikely) or the
>> browser.
>>
>>
> Without squid things are fine. With squid all https connections I’ve
> tried fail.
That also would point to a potential routing problem from the squid box.
Server and workstation are the same in my case i.e. full GUI in use. And no, doesn’t help.
>>> Does the connection from the browser work OK without squid? Process of
>>> elimination - if the problem only exists with squid in the picture,
>>> then squid is doing something to cause the problem. If it doesn’t,
>>> then it’s the target site (as it’s google.com, unlikely) or the
>>> browser.
>>>
>>>
>> Without squid things are fine. With squid all https connections I’ve
>> tried fail.
> That also would point to a potential routing problem from the squid box.
Sounds logical but how can I check this in detail?
On Sat, 27 Jun 2015 12:36:01 +0000, paju2000 wrote:
>> It sounds to me like a routing issue on the squid box from that
>> description.
>>
>>
> Server and workstation are the same in my case i.e. full GUI in use. And
> no, doesn’t help.
Useful info, might come in handy as we continue to troubleshoot it.
>> That also would point to a potential routing problem from the squid
>> box.
>>
>>
> Sounds logical but how can I check this in detail?
Start by looking at the output of ‘route -n’ on the box.
On Sat, 27 Jun 2015 20:13:30 +0000, Jim Henderson wrote:
> On Sat, 27 Jun 2015 12:36:01 +0000, paju2000 wrote:
>
>>> It sounds to me like a routing issue on the squid box from that
>>> description.
>>>
>>>
>> Server and workstation are the same in my case i.e. full GUI in use.
>> And no, doesn’t help.
>
> Useful info, might come in handy as we continue to troubleshoot it.
>
>>> That also would point to a potential routing problem from the squid
>>> box.
>>>
>>>
>> Sounds logical but how can I check this in detail?
>
> Start by looking at the output of ‘route -n’ on the box.
Actually, I take that back - if the connection works OK from the box
without using squid, then it’s not routing.
So, how do you have the proxy configured in your browser?
Updated tumbleweed again after gcc update and now squid works again. No changes were made to anything by myself so apparently there were some issues in squid itself.
On Sat, 04 Jul 2015 12:26:01 +0000, paju2000 wrote:
> Updated tumbleweed again after gcc update and now squid works again. No
> changes were made to anything by myself so apparently there were some
> issues in squid itself.