我在 Debian Stretch 上运行 Squid 3.5.23,从 deb 源重新编译并配置为透明代理。我更改了配置以允许 SSL 代理,当我将生成的 Squid 证书安装为受信任的根颁发机构时,它似乎运行正常。Facebook、Google、Kernel.org 和大多数其他 HTTPS 网站都通过了,浏览器正确地认为这些网站的证书颁发机构是代理的。现在,如果我将其作为例外接受,某些网站会向我发出证书警告,然后出现错误。
The following error was encountered while trying to retrieve the URL: https://2.16.189.72/*
Failed to establish a secure connection to 2.16.189.72
The system returned:
(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Handshake with SSL server failed: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.
https://wiki.squid-cache.org/(现在那很讽刺)-> 尝试检索 URL 时遇到以下错误:https://master.squid-cache.org/*
Failed to establish a secure connection to 104.130.201.120
The system returned:
(71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
SSL Certficate error: certificate issuer (CA) not known: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.
我使用以下命令生成了证书:
openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 \ -keyout mycompany.pem -out mycompany.pem openssl x509 -in mycompany.pem -outform DER -out mycompany.der /usr/lib/squid/ssl_crtd -c -s /etc/squid/certs/ssl_db -M 4MB chown -R proxy.proxy ssl_db
线索?
答案1
最后,我通过安装 Squid 4.0.21(目前仍为测试版)解决了这个问题,它有代码来处理这些缺少证书的情况,就像浏览器一样。更多详情在 Squid wiki 的这个页面上。