Hi,
example...(squid.conf)
# ACL - Remote fetched Blacklist (remoteblacklist)
acl remoteblacklist_yoyoads dstdomain "/usr/local/etc/squid/acl/yoyoads"
but "/usr/local/etc/squid/acl/yoyoads" does not exist
url "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml" is ok
till
I believe there is a connection with the manual edit of squid.user.post_auth.conf (parent proxy ;)
system.log says exit status 1 when the ACL is downloaded.
Without ......post_auth.conf the file (ACL) is created,
but it can be downloaded via browser with squid.user.post_auth.conf!?
cheers till
Just to troubleshoot, have you tried a different blacklist?
The download and/or SSL generally seem to have a problem. Here are a few system logs:
root: Could not download https://pkg.opnsense.org/bogons/fullbogons-ipv4.txt
root: Could not extract fullbogons-ipv4.txt
root: Could not download https://pkg.opnsense.org/bogons/fullbogons-ipv6.txt
root: Could not extract fullbogons-ipv6.txt
### manual curl
curl https://pkg.opnsense.org/bogons/fullbogons-ipv4.txt
curl: (35) Unknown SSL protocol error in connection to pkg.opnsense.org:443
### and another
lighttpd[28925]: (connections.c.1550) SSL: 1 -1 error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
It looks like something is interfering with the SSL connection, likely a proxy with self-signed certificates.
Can you run the following on the console and see what happens?
# fetch https://pkg.opnsense.org/bogons/fullbogons-ipv4.txt
Cheers,
Franco
# fetch https://pkg.opnsense.org/bogons/fullbogons-ipv4.txt
1952873560584:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:782:
fetch: https://pkg.opnsense.org/bogons/fullbogons-ipv4.txt: Authentication error
Our server does not run SSLv2/SSLv3 at all, so you're very likely running into a proxy.
https://www.ssllabs.com/ssltest/analyze.html?d=pkg.opnsense.org
Try to dump the server certificate:
# echo | openssl s_client -host pkg.opnsense.org -port 443
Cheers,
Franco
ok
Quote
echo | openssl s_client -host pkg.opnsense.org -port 443
CONNECTED(00000003)
3206976702984:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 291 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1470207206
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
cheers till
Er, ok... Maybe the firewall is blocking SSL itself or the proxy is set up in an incorrect way? I have no clue as this is not something we can change from our end.
Cheers,
Franco
Hi Franco,
I have turned the firewall off for a while (OPNsense) and looked at the logs from the parent proxy, unfortunately without any clues. Also, setting $HTTP_PROXY on OPNsense, switching between itself and the parent, did not change the behavior. But updates work.
cheers till
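The symptoms in this thread ("unknown protocol", "read 0 bytes") come down to what the peer on port 443 sends back after the ClientHello. The following is an added example, not code from any poster or from OPNsense: a small classifier for those first reply bytes. The function name and all sample byte strings are constructed for illustration.

```python
import struct

# First bytes a peer might send after a ClientHello. All samples are constructed.
SAMPLES = {
    "server_hello": bytes.fromhex("160303004a020000460303"),  # handshake record
    "fatal_alert": bytes.fromhex("15030300020228"),           # alert record
    "proxy_http": b"HTTP/1.1 403 Forbidden\r\nServer: squid\r\n\r\n",
    "silent_close": b"",                                      # peer sent nothing
}

# TLS alert descriptions relevant to a failed handshake.
ALERTS = {40: "handshake_failure", 70: "protocol_version"}


def classify_first_reply(data: bytes) -> str:
    """Say what kind of peer answered, judging only by its first bytes."""
    if not data:
        # Matches "SSL handshake has read 0 bytes": dropped or closed in transit.
        return "no-reply"
    if data.startswith(b"HTTP/"):
        # A plaintext HTTP answer on 443 is what a client reports as
        # "unknown protocol": something other than a TLS server replied.
        return "plaintext-http"
    if len(data) < 5:
        return "not-tls"
    # TLS record header: content type, version major/minor, payload length.
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if major != 3 or minor > 4 or length == 0 or length > 2**14 + 2048:
        return "not-tls"
    if ctype == 22:
        return "tls-handshake"
    if ctype == 21 and len(data) >= 7:
        level = "fatal" if data[5] == 2 else "warning"
        return f"tls-alert:{level}:{ALERTS.get(data[6], data[6])}"
    return "not-tls"


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:13} -> {classify_first_reply(blob)}")
```

A "plaintext-http" or "no-reply" result points at a device between the client and the real server, while a "tls-alert" result means a TLS endpoint answered and refused the handshake.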