我有一个在 Debian Stretch 上运行的 Squid 3.5.23,从 deb 源重新编译并配置为透明代理。我更改了配置以允许 SSL 代理,当我将生成的 Squid 证书安装为受信任的根授权时,它似乎运行正常。Facebook、Google、Kernel.org 和大多数其他 HTTPS 站点都可以通过,并且浏览器正确地认为这些站点的证书颁发机构是代理的。现在,一些网站给我一个证书警告,如果我接受它作为例外,然后是一个错误。
The following error was encountered while trying to retrieve the URL: https://2.16.189.72/*
Failed to establish a secure connection to 2.16.189.72
The system returned:
(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Handshake with SSL server failed: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.
https://wiki.squid-cache.org/(现在这很讽刺)-> 尝试检索 URL 时遇到以下错误:https ://master.squid-cache.org/ *
Failed to establish a secure connection to 104.130.201.120
The system returned:
(71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
SSL Certficate error: certificate issuer (CA) not known: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.
我使用以下命令生成了证书:
openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 \ -keyout mycompany.pem -out mycompany.pem openssl x509 -in mycompany.pem -outform DER -out mycompany.der /usr/lib/squid/ssl_crtd -c -s /etc/squid/certs/ssl_db -M 4MB chown -R proxy.proxy ssl_db
线索?
最后,我通过安装 Squid 4.0.21(目前仍是测试版)解决了这个问题,它有代码来处理这些丢失的证书案例,就像浏览器一样。更多细节在 Squid 的 wiki 中的这个页面。