OPNsense Forum
Archive => 16.7 Legacy Series => Topic started by: tillsense on July 28, 2016, 09:18:51 am
-
Hi,
Example (squid.conf):
# ACL - Remote fetched Blacklist (remoteblacklist)
acl remoteblacklist_yoyoads dstdomain "/usr/local/etc/squid/acl/yoyoads"
but "/usr/local/etc/squid/acl/yoyoads" does not exist.
The URL "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml" is OK.
till
-
I believe there is a connection with the manual edit of squid.user.post_auth.conf (parent proxy ; ).
system.log says exit status 1 when the ACL is downloaded.
Without ......post_auth.conf the file (ACL) is created, but it can be downloaded via browser with squid.user.post_auth.conf!?
cheers till
-
Just to troubleshoot, have you tried a different blacklist?
-
The download and/or SSL generally seem to have a problem. Here are a few system logs:
root: Could not download https://pkg.opnsense.org/bogons/fullbogons-ipv4.txt
root: Could not extract fullbogons-ipv4.txt
root: Could not download https://pkg.opnsense.org/bogons/fullbogons-ipv6.txt
root: Could not extract fullbogons-ipv6.txt
### manual curl
curl https://pkg.opnsense.org/bogons/fullbogons-ipv4.txt
curl: (35) Unknown SSL protocol error in connection to pkg.opnsense.org:443
### and another
lighttpd[28925]: (connections.c.1550) SSL: 1 -1 error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
-
It looks like something is interfering with the SSL connection, likely a proxy with self-signed certificates.
Can you run the following on the console and see what happens?
# fetch https://pkg.opnsense.org/bogons/fullbogons-ipv4.txt
Cheers,
Franco
-
# fetch https://pkg.opnsense.org/bogons/fullbogons-ipv4.txt
1952873560584:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:782:
fetch: https://pkg.opnsense.org/bogons/fullbogons-ipv4.txt: Authentication error
-
Our server does not run SSLv2/SSLv3 at all, so you're very likely running into a proxy.
https://www.ssllabs.com/ssltest/analyze.html?d=pkg.opnsense.org
Try to dump the server certificate:
# echo | openssl s_client -host pkg.opnsense.org -port 443
Cheers,
Franco
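The two errors in this thread point in slightly different directions: fetch's "unknown protocol" means the bytes that came back after the ClientHello were not a TLS record, while the later s_client output ("read 0 bytes", "no peer certificate available") means the peer closed without answering at all. Both are what you see when something other than the real TLS server sits on port 443. The following is an added example (not code from this thread or from OPNsense) that sends a hand-built TLS 1.2 ClientHello and classifies the first bytes of the reply: a TLS handshake record, a TLS alert, a plaintext HTTP status line from an intercepting proxy, a silent close, or a timeout. The fake proxy, its canned `HTTP/1.1 400` reply and the cipher suites and extensions in the hello are constructed for the demonstration; pkg.opnsense.org is used only as the SNI name.

```python
"""Probe what actually answers on a TLS port: a TLS server, an HTTP proxy, or nothing."""
import os
import socket
import struct
import threading


def build_client_hello(server_name: str) -> bytes:
    """Return a minimal TLS 1.2 ClientHello record with SNI, supported_groups and signature_algorithms."""
    host = server_name.encode("idna")
    # Constructed suite list: ECDHE-RSA-AES128-GCM-SHA256, AES128-GCM-SHA256, AES128-SHA
    suites = b"\xc0\x2f\x00\x9c\x00\x2f"
    sni_name = b"\x00" + struct.pack("!H", len(host)) + host           # NameType host_name
    sni_list = struct.pack("!H", len(sni_name)) + sni_name
    ext_sni = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    ext_groups = struct.pack("!HH", 0x000a, 4) + b"\x00\x02\x00\x17"   # secp256r1
    ext_sigalgs = struct.pack("!HH", 0x000d, 4) + b"\x00\x02\x04\x01"  # rsa_pkcs1_sha256
    extensions = ext_sni + ext_groups + ext_sigalgs
    body = (
        b"\x03\x03"                                    # client_version: TLS 1.2
        + os.urandom(32)                               # random
        + b"\x00"                                      # empty session_id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                  # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def classify_reply(data: bytes) -> dict:
    """Map the first bytes returned after a ClientHello to the kind of peer that sent them."""
    if not data:
        return {"kind": "closed", "detail": "peer closed the connection without answering"}
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return {"kind": "tls", "detail": "TLS handshake record (ServerHello): a TLS server answered"}
    if len(data) >= 3 and data[0] == 0x15 and data[1] == 0x03:
        return {"kind": "tls-alert", "detail": "TLS alert record: a TLS server answered but rejected the hello"}
    if data.startswith(b"HTTP/"):
        status = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return {"kind": "http", "detail": f"plaintext HTTP answer ({status}): an HTTP proxy is on this port"}
    return {"kind": "unknown", "detail": f"non-TLS bytes: {data[:16].hex()}"}


def probe(host: str, port: int = 443, server_name: str = "", timeout: float = 5.0) -> dict:
    """Connect, send the ClientHello and classify whatever comes back first."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(server_name or host))
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return {"kind": "timeout", "detail": "no answer within timeout (filtered or silently dropped)"}
    return classify_reply(data)


def start_fake_http_proxy(reply: bytes) -> int:
    """Constructed stand-in for an intercepting proxy that speaks plain HTTP on the TLS port.

    Serves exactly one loopback connection and returns the port it listens on.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve_one():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)   # swallow the ClientHello
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Real use: python3 tlsprobe.py pkg.opnsense.org
        print(sys.argv[1], probe(sys.argv[1]))
    else:
        # Offline demonstration against the constructed fake proxy
        port = start_fake_http_proxy(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
        print("fake proxy:", probe("127.0.0.1", port, server_name="pkg.opnsense.org"))
```

Run it from the OPNsense shell against the host that fails, and also against an unrelated HTTPS host; if every target on port 443 comes back as `http` or `closed` while the same hosts are fine from another network, the problem is on the path (an interception or parent proxy), not the destination server.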
-
OK
echo | openssl s_client -host pkg.opnsense.org -port 443
CONNECTED(00000003)
3206976702984:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 291 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1470207206
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
cheers till
-
Er, ok... Maybe the firewall is blocking SSL itself or the proxy is set up in an incorrect way? I have no clue as this is not something we can change from our end.
Cheers,
Franco
-
hi franco,
I turned the firewall (OPNsense) off for a while and looked at the logs from the parent proxy, unfortunately without any hints. Setting $HTTP_PROXY on OPNsense and switching between itself and the parent also did not change the behaviour. But updates do work.
cheers till