Blacklist Download not working

Started by tillsense, July 28, 2016, 09:18:51 AM

Hi,
example...(squid.conf)

# ACL - Remote fetched Blacklist (remoteblacklist)
acl remoteblacklist_yoyoads dstdomain "/usr/local/etc/squid/acl/yoyoads"

but "/usr/local/etc/squid/acl/yoyoads" does not exist

url "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml" is ok

till


I believe there is a connection with the manual edit of squid.user.post_auth.conf (parent proxy ; )
system.log says exit status 1 when the ACL is downloaded.
Without ......post_auth.conf the file (acl) is created,
but with squid.user.post_auth.conf it can still be downloaded via the browser !?

cheers till

Just to troubleshoot, have you tried a different blacklist?
DEC4240 – OPNsense Owner

The download and/or SSL generally seem to have a problem. Here are a few system logs:


root: Could not download https://pkg.opnsense.org/bogons/fullbogons-ipv4.txt
root: Could not extract fullbogons-ipv4.txt
root: Could not download https://pkg.opnsense.org/bogons/fullbogons-ipv6.txt
root: Could not extract fullbogons-ipv6.txt


### manual curl
curl https://pkg.opnsense.org/bogons/fullbogons-ipv4.txt
curl: (35) Unknown SSL protocol error in connection to pkg.opnsense.org:443


### and another
lighttpd[28925]: (connections.c.1550) SSL: 1 -1 error:140E0197:SSL routines:SSL_shutdown:shutdown while in init



It looks like something is interfering with the SSL connection, likely a proxy with self-signed certificates.

Can you run the following on the console and see what happens?

# fetch https://pkg.opnsense.org/bogons/fullbogons-ipv4.txt


Cheers,
Franco


# fetch https://pkg.opnsense.org/bogons/fullbogons-ipv4.txt
1952873560584:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:782:
fetch: https://pkg.opnsense.org/bogons/fullbogons-ipv4.txt: Authentication error

Our server does not run SSLv2/SSLv3 at all, so you're very likely running into a proxy.

https://www.ssllabs.com/ssltest/analyze.html?d=pkg.opnsense.org

Try to dump the server certificate:

# echo | openssl s_client -host pkg.opnsense.org -port 443


Cheers,
Franco
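As an added example (not code from the thread or from OPNsense), here is a small Python helper for the diagnosis Franco describes: it classifies what a peer sends back in place of a TLS ServerHello, and probes a host with a real handshake so the OpenSSL reason can be compared with the "unknown protocol" error above. The byte samples in the comments are constructed; the only hostname is the one from the thread.

```python
import socket
import ssl

# Classify the first bytes a peer returns after our ClientHello.
# OpenSSL's "SSL23_GET_SERVER_HELLO:unknown protocol" (seen in the thread)
# means the reply did not start with a TLS record at all, which is what
# an intercepting proxy or a filtered port typically produces.
def classify_first_bytes(data: bytes) -> str:
    if not data:
        return "empty"           # peer closed without replying (reset/filtered)
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"   # ServerHello record: a real TLS endpoint
    if len(data) >= 3 and data[0] == 0x15 and data[1] == 0x03:
        return "tls-alert"       # peer speaks TLS but rejected our parameters
    if data.startswith(b"HTTP/"):
        return "plaintext-http"  # an HTTP proxy answered in the clear
    return "not-tls"             # some other protocol entirely


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Attempt a verified TLS handshake with the default trust store.

    Returns 'ok:<subject CN>' on success, otherwise 'error:<reason>' where
    <reason> is OpenSSL's reason string (e.g. WRONG_VERSION_NUMBER, which is
    what newer OpenSSL reports where the old s23 code said 'unknown protocol',
    or CERTIFICATE_VERIFY_FAILED for a proxy presenting its own certificate).
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                subject = dict(rdn[0] for rdn in cert.get("subject", ()))
                return "ok:" + subject.get("commonName", "?")
    except ssl.SSLError as exc:
        return "error:" + (exc.reason or str(exc))
    except OSError as exc:
        return "error:" + str(exc)


if __name__ == "__main__":
    # Hostname taken from the thread; run from the affected box to compare
    # the reason string with the fetch/curl errors quoted above.
    print(probe("pkg.opnsense.org"))
```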

ok


echo | openssl s_client -host pkg.opnsense.org -port 443
CONNECTED(00000003)
3206976702984:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 291 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1470207206
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---


cheers till

Er, ok... Maybe the firewall is blocking SSL itself or the proxy is set up in an incorrect way? I have no clue as this is not something we can change from our end.


Cheers,
Franco

hi franco,

I have turned off the firewall (OPNsense) at times and looked at the logs from the parent proxy, unfortunately without any clues. Also, setting $HTTP_PROXY on OPNsense to switch between itself and the parent did not change the behavior. But updates work.

cheers till