[GH-ISSUE #56] Certificate verification failed in sps mode #33

Closed
opened 2026-02-27 23:15:07 +03:00 by kerem · 6 comments

Originally created by @robot-aquila on GitHub (Apr 18, 2018).
Original GitHub issue: https://github.com/snail007/goproxy/issues/56

Hello

I want to forward https traffic from squid+sslbump to socks via goproxy. In such a mode squid requires a TLS connection with the parent proxy. If I run goproxy in sps mode it fails on certificate verification in both goproxy and squid. But if I run it in http mode everything works fine.

sps config

sps
--cert=/etc/ssl/ca-pluto.free/go-proxy.pluto.free.crt
--key=/etc/ssl/ca-pluto.free/go-proxy.pluto.free.key
--ca=/etc/ssl/ca-pluto.free/ca-pluto.free.crt
--local=127.0.0.1:4129
--local-type=tls
--parent=127.0.0.1:9050
--parent-type=tcp
--parent-service-type=socks
--dns-address=127.0.0.1:53
--dns-ttl=300
--debug
--log=/var/log/go-proxy/proxy.log

Gives in squid logs

Error negotiating SSL on FD 12: error14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate (1/0/0)
TCP connection to 127.0.0.1/4129 failed

goproxy log

2018/04/18 15:19:26.094414 sps.go:101: tls http(s)+socks proxy on 127.0.0.1:4129
2018/04/18 15:20:06.536140 sps.go:137: ERR:tls: failed to verify client's certificate: x509: certificate signed by unknown authority
2018/04/18 15:20:06.536251 sps.go:128: connect to tcp parent 127.0.0.1:9050 fail, ERR:tls: failed to verify client's certificate: x509: certificate signed by unknown authority from 127.0.0.1:54256

For http mode

http
--cert=/etc/ssl/ca-pluto.free/go-proxy.pluto.free.crt
--key=/etc/ssl/ca-pluto.free/go-proxy.pluto.free.key
--ca=/etc/ssl/ca-pluto.free/ca-pluto.free.crt
--local=127.0.0.1:4129
--local-type=tls
--dns-address=127.0.0.1:53
--dns-ttl=300
--debug
--log=/var/log/go-proxy/proxy.log

Gives ok in goproxy log

2018/04/18 15:23:22.463111 http.go:146: tls http(s) proxy on 127.0.0.1:4129
2018/04/18 15:23:35.614123 structs.go:360: CONNECT:github.com:443
2018/04/18 15:23:35.736690 http.go:189: use proxy : false, github.com:443

Is it possible there is some kind of bug in goproxy, or is it just a bad config or a misunderstanding?
Thanks

kerem 2026-02-27 23:15:07 +03:00
  • closed this issue
  • added the bug label

@snail007 commented on GitHub (Apr 19, 2018):

In sps mode, the error message "ERR:tls: failed to verify client's certificate: x509: certificate signed by unknown authority" means that the client (in your case squid) did not provide a certificate signed by the CA "/etc/ssl/ca-pluto.free/ca-pluto.free.crt".
In http mode the log is ok, but what is the client?


@robot-aquila commented on GitHub (Apr 19, 2018):

Both modes use squid with the same certificate. Both certificates are signed by ca-pluto.free.crt. This is the descriptor of the parent goproxy in the squid config

cache_peer 127.0.0.1 parent 4129 0 no-query no-netdb-exchange ssl \
sslcert=/etc/ssl/ca-pluto.free/squid.pluto.free.crt \
sslkey=/etc/ssl/ca-pluto.free/squid.pluto.free.key \
tls-cafile=/etc/ssl/ca-pluto.free.crt \
ssldomain=go-proxy.pluto.free \
tls-default-ca=off \
tls-options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE

It is the same for http and sps goproxy; I change only the mode of goproxy. The certificates work well in http mode, because I see a new go-proxy.pluto.free certificate reissued and signed by squid when I run goproxy in http mode (as expected for sslbump; there is another problem, but I guess it is a squid problem). But in sps mode it does not work.


@snail007 commented on GitHub (Apr 19, 2018):

I rechecked the sps service code and found it is a bug: I forgot to add the "ca cert bytes" to the tls listener.
This is fixed in the dev branch; you can pre-build to solve it.
v4.7 will fix this and is coming soon.
Thx.

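The failure the maintainer describes, reproduced as a Go tls.Config. This is an added example, not code from the goproxy project or from anyone in this thread. It assumes, as my reading of "forgot add ca cert bytes to tls listener", that the sps listener required and verified client certificates (tls.RequireAndVerifyClientCert) but never attached the --ca file as ClientCAs, so Go fell back to the system roots. The CA and host names (ca-pluto.free, go-proxy.pluto.free, squid.pluto.free) are reused from the thread; all certificates are generated in memory rather than read from the paths above, and the helper names (must, newCert, PKI, NewPKI, ListenerConfig, PeerConfig, Handshake) are mine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert generates a P-256 key plus a certificate for tmpl; parent == nil means self-signed.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, tls.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, key
}

// PKI mirrors the thread: one private CA (ca-pluto.free) signs the goproxy listener cert (--cert/--key)
// and squid's client cert (sslcert/sslkey). Everything is constructed in memory for this example.
type PKI struct{ CAPool *x509.CertPool; Server, Client tls.Certificate }

func NewPKI() PKI {
	now := time.Now()
	ca, _, caKey := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "ca-pluto.free"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	leaf := func(serial int64, cn string, eku x509.ExtKeyUsage, dns []string) tls.Certificate {
		_, tc, _ := newCert(&x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku},
		}, ca, caKey)
		return tc
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return PKI{
		CAPool: pool,
		Server: leaf(2, "go-proxy.pluto.free", x509.ExtKeyUsageServerAuth, []string{"go-proxy.pluto.free"}),
		Client: leaf(3, "squid.pluto.free", x509.ExtKeyUsageClientAuth, nil),
	}
}

// ListenerConfig is the server side of a --local-type=tls listener. withClientCA=false is my
// reading of the reported bug: client certs are demanded and verified, but with no CA pool attached
// Go checks the chain against the system roots, rejects the private-CA cert and aborts the
// handshake with a certificate alert (squid's log shows it as "sslv3 alert bad certificate").
func ListenerConfig(p PKI, withClientCA bool) *tls.Config {
	cfg := &tls.Config{Certificates: []tls.Certificate{p.Server},
		ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12}
	if withClientCA {
		cfg.ClientCAs = p.CAPool // the "ca cert bytes" the maintainer says were missing
	}
	return cfg
}

// PeerConfig is the squid side: present the client cert, trust only the private CA
// (tls-default-ca=off) and check the listener's name (ssldomain=go-proxy.pluto.free).
func PeerConfig(p PKI) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{p.Client}, RootCAs: p.CAPool,
		ServerName: "go-proxy.pluto.free", MinVersion: tls.VersionTLS12}
}

// Handshake runs one mutual-TLS handshake over loopback TCP and returns the listener-side error.
func Handshake(listener, peer *tls.Config) error {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		raw := must(ln.Accept())
		defer raw.Close()
		done <- tls.Server(raw, listener).Handshake()
	}()
	if conn, err := tls.Dial("tcp", ln.Addr().String(), peer); err == nil {
		defer conn.Close() // closed only after the listener side has reported its result
	}
	return <-done
}

func main() {
	p := NewPKI()
	fmt.Println("without ClientCAs:", Handshake(ListenerConfig(p, false), PeerConfig(p)))
	fmt.Println("with ClientCAs:   ", Handshake(ListenerConfig(p, true), PeerConfig(p)))
}
```

Run it with go run: the first handshake fails on the listener side with a client-certificate verification error, the second succeeds. The same distinction can be checked against a real listener from the squid host with openssl s_client, passing squid's certificate and key with -cert and -key and the private CA with -CAfile; if the listener never loaded the CA, the handshake is rejected even though squid's certificate is otherwise valid.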

@robot-aquila commented on GitHub (Apr 19, 2018):

Thank you very much


@xxhdxh commented on GitHub (Apr 19, 2018):

Of this English conversation I only understood the last sentence, and that through translation....


@orangle commented on GitHub (Apr 20, 2018):

good job
