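I have Squid 3.5.23 running on Debian Stretch, recompiled from the deb source files and configured as a transparent proxy. I changed the configuration to allow SSL proxying, and it seems to work fine once I install the generated Squid certificate as a trusted root authority. Facebook, Google, Kernel.org and most other HTTPS sites get through OK, and the browser correctly believes that the certificate authority for these sites is the proxy. Now, some sites give me a certificate warning, and then an error if I accept it as an exception.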
https://elpais.com ->

The following error was encountered while trying to retrieve the URL: https://2.16.189.72/*
Failed to establish a secure connection to 2.16.189.72
The system returned: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Handshake with SSL server failed: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.

https://wiki.squid-cache.org/ (which is now ironic) ->

The following error was encountered while trying to retrieve the URL: https://master.squid-cache.org/*
Failed to establish a secure connection to 104.130.201.120
The system returned: (71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
SSL Certficate error: certificate issuer (CA) not known: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.
I generated the certificate with the following commands:
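# self-signed CA certificate and its private key, both written to one PEM file
openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -keyout mycompany.pem -out mycompany.pem
# DER copy of the certificate for importing into browsers
openssl x509 -in mycompany.pem -outform DER -out mycompany.der
# create Squid's generated-certificate database
/usr/lib/squid/ssl_crtd -c -s /etc/squid/certs/ssl_db -M 4MB
# give the database to the proxy user
chown -R proxy.proxy ssl_db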
Any clues?
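In the end I solved this by installing Squid 4.0.21 (currently still a beta version), which has code to handle these missing-certificate cases for browsers. More details are on this page in the Squid wiki.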
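A triage helper for the two error bodies quoted in the question, as an added example that is not part of the original post or of Squid. It extracts the peer, the TLS code and the unknown issuer, and unpacks the OpenSSL error number assuming the OpenSSL 1.x layout (8-bit library, 12-bit function, 12-bit reason, with SSL reasons of 1000 and above meaning an alert received from the peer); the function names and the `kind` labels are hypothetical.

```python
import re

# Constructed sample input: the two error bodies quoted in the question.
SAMPLES = [
    "Failed to establish a secure connection to 2.16.189.72 The system returned: "
    "(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE) Handshake with SSL "
    "server failed: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:"
    "sslv3 alert handshake failure",
    "Failed to establish a secure connection to 104.130.201.120 The system returned: "
    "(71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) "
    "SSL Certficate error: certificate issuer (CA) not known: "
    "/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3",
]

# A few TLS alert numbers and their protocol names.
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
              70: "protocol_version", 71: "insufficient_security"}
ERR_LIB_SSL = 20          # OpenSSL library number for "SSL routines"
ALERT_REASON_OFFSET = 1000  # SSL reason = 1000 + alert number for received alerts

def decode_openssl_error(hexcode):
    """Unpack an OpenSSL 1.x error number (assumed layout: lib<<24 | func<<12 | reason)."""
    code = int(hexcode, 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= ALERT_REASON_OFFSET:
        number = reason - ALERT_REASON_OFFSET
        alert = TLS_ALERTS.get(number, number)  # name if known, else the raw number
    return {"lib": lib, "func": func, "reason": reason, "peer_alert": alert}

def triage(text):
    """Classify one Squid TLS error body by where the failure was detected."""
    peer = re.search(r"secure connection to (\S+)", text)
    tls = re.search(r"\(TLS code: ([A-Z0-9_]+)\)", text)
    out = {"peer": peer.group(1) if peer else None,
           "tls_code": tls.group(1) if tls else None, "kind": "unknown"}
    err = re.search(r"error:([0-9A-Fa-f]{8}):", text)
    issuer = re.search(r"issuer \(CA\) not known: (/.*?)(?= This proxy|$)", text)
    if err:
        out["openssl"] = decode_openssl_error(err.group(1))
        # The remote server sent an alert vs. the proxy's own library failing.
        alerted = out["openssl"]["peer_alert"] is not None
        out["kind"] = "peer_alert" if alerted else "local_handshake_error"
    elif issuer:
        # The proxy could not find this issuer's certificate while building the chain.
        out["missing_issuer"] = issuer.group(1).strip()
        out["kind"] = "issuer_cert_unavailable"
    return out

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```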