i was also getting this in my weblogic terminal window:
------------------
javax.net.ssl.SSLProtocolException: FATAL Alert:BAD_RECORD_MAC - A
record was received with an incorrect MAC.
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown
Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Unknown
Source)
at com.certicom.tls.record.MessageInterpreter.fireAlert(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown
Source)
at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.read(Unknown Source)
at com.certicom.io.InputSSLIOStreamWrapper.read(Unknown Source)
at weblogic.socket.SSLFilter.isMessageComplete(SSLFilter.java:225)
at weblogic.socket.SocketMuxer.readReadySocketOnce(SocketMuxer.java:697)
at weblogic.socket.SocketMuxer.readReadySocket(SocketMuxer.java:648)
at weblogic.socket.PosixSocketMuxer.processSockets(PosixSocketMuxer.java:123)
at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:32)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
--------------
ok, it seems to be working now, i figured out that i needed no-query
in my cache_peer line. here's my working squid.conf, for those who are
interested:
---------------
https_port 8080 cert=/usr/local/squid/etc/key.crt
key=/usr/local/squid/etc/key.key \
defaultsite=minbedrift.no-ip.com:8080
sslproxy_flags DONT_VERIFY_PEER
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /usr/local/squid/var/logs/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 8080
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow CONNECT localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
http_reply_access allow all
icp_access allow all
cache_effective_user squid
cache_effective_group squid
cache_peer 192.168.0.150 parent 8080 3130 ssl sslflags=DONT_VERIFY_PEER no-query
---------------
hope this helps somebody and thanks Henrik and Mark for the help =)
Nick Humphrey
2006/11/2, nick humphrey <nick.c.humphrey@gmail.com>:
> i came up with this:
> cache_peer 192.168.150 parent 8080 3130 ssl sslflags=DONT_VERIFY_PEER
> originserver
>
> but it doesn't seem to work. i just tried following the comment
> guidelines in squid.conf for cache_peer, but i'm obviously not doing
> this right.
> there it says, among other things, that:
> "To specify other caches in a hierarchy, use the format"
> but i don't have other caches, i'm just trying to redirect traffic to
> the one machine, wl81machine.
> but if i have to use the cache_peer, then:
> is it supposed to be "parent"?
> i assume 8080 is correct
> i'm confused about the 3130. do i have to make wl81machine listen on
> that port? when i try contacting that port on wl81machine with netcat
> from deb3machine it says "permission denied"
>
> here's my (updated) squid.conf:
> -------------------
> https_port 8080 cert=/usr/local/squid/etc/key.crt
> key=/usr/local/squid/etc/key.key defaultsite=192.168.0.150:8080
> #httpd_accel_no_pmtu_disc on
> #visible_hostname minbedrift.no-ip.com
> sslproxy_flags DONT_VERIFY_PEER
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> access_log /usr/local/squid/var/logs/access.log squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563 8080
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> #always_direct allow all
> http_access allow manager localhost
> http_access deny manager
> http_access allow CONNECT localhost
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> #http_access deny CONNECT
> http_access allow all
> http_reply_access allow all
> icp_access allow all
> cache_effective_user squid
> cache_effective_group squid
> cache_peer 192.168.0.150 parent 8080 3130 ssl
> sslflags=DONT_VERIFY_PEER originserver
> ------------------
> the commented out lines are just stuff i've tried in desperation to
> see if they'd help (not sure if they do...)
>
> i don't understand why in https_port:
> defaultsite=192.168.0.150:8080
>
> has to have the port on it as well, since it is already defined in the
> beginning of https_port...
>
> also a dumb question: do i reply to you or just to squid-users? both?
> thanks Henrik,
> Nick
>
> 2006/11/2, Henrik Nordstrom <henrik@henriknordstrom.net>:
> > tor 2006-11-02 klockan 08:40 +0100 skrev nick humphrey:
> >
> > > Ready to serve requests.
> > > Failed to select source for 'https://192.168.0.150:8080/'
> > > always_direct = 0
> > > never_direct = 0
> > > timedout = 0
> >
> > This indicates incomplete accelerator mode configuration, missing the
> > cache_peer telling Squid where the origin server(s) is..
> >
> > Regards
> > Henrik
> >
> >
> >
>
Received on Thu Nov 02 2006 - 07:54:16 MST
This archive was generated by hypermail pre-2.1.9 : Fri Dec 01 2006 - 12:00:02 MST