Sophos had this error with chrome too, they were able to patch it. https://community.sophos.com/products/unified-threat-management/f/general-discussion/91085/https-scanning-web-protection-ssl-error-err_cert_common_name_invalid

Hi,

You'll may want to check this out.

http://bugs.squid-cache.org/show_bug.cgi?id=4005

Avast and their security scan are known to produce similar crap as well.

Almost always, the answer is the regular version. Development happens in -devel that can make it unstable at times. It could also be built against a newer version of haproxy but with the same frontend/GUI code.

The only time to use -devel is if you know for certain that -devel contains a feature you require that is not present in the regular version, and you are OK with possible instability.

I found solution with WPAD at the moment.
So, lets see how its work.

Hi,
I have faced same issue too. I found nothing so I performed a clean install. The strange thing in my case was that if open ACL lists everythink looked fine with all changes I performed,despite system was not accept my changes :-\

My situation is the same
in addition
When I make a change to squid or squidguard, the computer's processor is running at 100% for about 30-40 seconds.
At this time, users can not connect to the web.
Then the use of processors falls slowly
Then it is possible to connect to the web.

hi!
I know that this is very old old post
but I have the same issue…
download started for example I was downloading a 4 mb file and randomly it says 0 b/s no error just stay there :(
if I disable squid it finished ok....

thanks
Chris

On a system with <4 gigs of storage? Yes that most certainly should be removed, plus run

rm -rf /var/db/ntopng/

after that.

I do not know if I would downplay this package heh.

Does anyone have anyidea why SSL_RECORD_TOO_LONG happens with blocked sites?

Hi!
Thanks for your help.

I think my settings can't see the full URL.
because squidguard blacklist log just like this.

"play.google.com:443 Request(PROXY_BASIC/none/-) - CONNECT REDIRECT"

so how to set a method that can see the full URL?

Thank you.

Installed Version:pfSense(2.3.3-RELEASE-p1 (amd64) ) with Squid(0.4.36_2) and SquidGuard(1.16.1)

Trying to debug the thing, I decided to turn off the SSL Man In the Middle Filtering, just to see if I could get Squid and pfsense on AWS to act as a regular proxy and take it from there. Turns out that that one did not work either  :(

I tried a normal, non-ssl, site and still get Access Denied. I wonder if there is something weird with AWS and their network that is acting up on me?

On the Inbound rules I have:

HTTP            TCP 80 0.0.0.0/0 Custom UDP Rule UDP 1194 0.0.0.0/0 SSH            TCP 22 0.0.0.0/0 Custom TCP Rule TCP 3128 - 3129 0.0.0.0/0 HTTPS          TCP 443 0.0.0.0/0

And on outbound, nothing

Transparent squid will bind.to the default gateway, it does not follow policy routing

@aeleus:

I have a similar issue.

Everything was working as expected using HTTP.

I recently switched the webConfigurator (System/Advanced/Admin Access) from HTTP to HTTPS.

Now, that redirects everything to HTTPS - including SquidGuard redirects that are set to HTTP.

From squidGuard.conf:

default  {
pass Internal Allowed !in-addr !Blocked none
redirect 301:http://proxy.mydomain.net/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
log block.log
}

That would be fine except that I have this in squidGuard.conf:

dest blk_BL_adv {
domainlist blk_BL_adv/domains
urllist blk_BL_adv/urls
redirect http://10.0.0.1:80/sgerror.php?url=blank_img&msg=&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
log block.log
}

That gives me certificate errors when it redirects to https://10.0.0.1/….

I don't know why that's the only entry - aside from the default and explicit ACL's that I set - that has a redirect.

Any thoughts on how to change it?

To get rid of the certificate errors for sgerror happens, you need to create a certificate for your server. Specify the alternative names for your server like FQDN and IP address of the server.

@doktornotor:

There is no need for MITM nor for installing certificates on clients when you explicitly set the proxy on clients. Squid will use CONNECT for HTTPS on sslports ACL to connect to HTTPS websites. If you want MITM, make the proxy transparent and stop configuring it on clients.

I want to be able to see HTTPS traffic for both inspection + caching. I've tried not configuring the proxy on clients and leaving on transparent mode. That's throwing errors too. Am I the only one having this issue?? I'm guessing the DNS alternative name isn't being mimicked by Squid properly. Since on Chrome mobile, that's an error it's saying "DNS alternative name invalid".

At the risk of stating the obvious: exemple is NOT the same thing as example. You keep producing that typo over and over and over again. When you keep obfuscating your setup and producing collateral typos in the way, it's impossible for others to debug anyway.

You've already been told how to debug in the post directly above.

thank you!!