# [Strange] Problem opening https pages

## Bialy

I have a gorgeously strange problem with opening https pages.

But from the beginning:

I use Gentoo as a server/router. Squid and iptables are installed.

HTTP is redirected to Squid:

```
[I] net-proxy/squid
     Available versions:  2.7.9 3.1.15 3.1.16 ~3.1.18 3.1.19 {caps ecap elibc_uclibc +epoll icap-client ipf-transparent ipv6 kerberos kernel_linux kqueue ldap logrotate mysql nis pam pf-transparent postgres radius samba sasl selinux snmp sqlite ssl test tproxy zero-penalty-hit}
     Installed versions:  3.1.19(10:35:30 10.05.2012)(epoll kernel_linux logrotate pam sqlite ssl -caps -ecap -elibc_uclibc -icap-client -ipf-transparent -ipv6 -kerberos -kqueue -ldap -mysql -nis -pf-transparent -postgres -radius -samba -sasl -selinux -snmp -test -tproxy -zero-penalty-hit)

cat /etc/squid/squid.conf
http_port 8080 transparent
maximum_object_size 1024 MB
cache_dir ufs /home/squid 1024 32 256
visible_hostname cos.tam.pl
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl siec src 000.111.222.333/24
http_access allow manager localhost
http_access deny manager
http_access allow siec
http_access deny all

[I] net-firewall/iptables
     Available versions:  1.4.6 1.4.10 ~1.4.10-r1 1.4.11.1-r2 ~1.4.12 1.4.12.1 ~1.4.12.1-r1 1.4.13 ~1.4.13-r1 {ipv6 netlink static-libs}
     Installed versions:  1.4.13(10:10:14 10.05.2012)(-ipv6 -netlink -static-libs)

iptables -t nat -A PREROUTING -i $LAN -p tcp --dport 80 -j REDIRECT -d $LAN_IP --to 8080
```

The problem shows itself in that I cannot get to https://facebook.com or https://www.hotmail.com.

Other http and https sites work without complaint.

Facebook works as if I were viewing it in links (it displays without background, images, etc.), and hotmail does not load at all.

The problem occurs on every computer on the network and in every browser.

Even the dedicated Facebook app on Android stopped working.

Given how widespread the problem is, I suspect Gentoo is behind the whole thing.

Can someone point me towards what the problem might be?

----------

## SlashBeast

Transparent isn't a good idea anyway, but are you doing it for 443 too? Check with curl in verbose mode.

----------

## Bialy

*SlashBeast wrote:*

> Transparent isn't a good idea anyway, but are you doing it for 443 too? Check with curl in verbose mode.

I have no iptables rule for 443 at all.

--EDIT--

Strange :Shocked:

```
curl -v https://hotmail.com
* About to connect() to hotmail.com port 443 (#0)
*   Trying 65.55.72.151... connected
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
```

This is the output from a Win64 client.

Fudging it, i.e. with the '-k' option:

```
curl -v -k https://hotmail.com
* About to connect() to hotmail.com port 443 (#0)
*   Trying 65.55.72.151... connected
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES128-SHA
* Server certificate:
*        subject: C=US; ST=WA; L=Redmond; O=Microsoft; OU=WindowsLive; CN=mail.live.com
*        start date: 2011-04-26 18:32:44 GMT
*        expire date: 2013-04-25 18:32:44 GMT
*        subjectAltName: hotmail.com matched
*        issuer: DC=com; DC=microsoft; DC=corp; DC=redmond; CN=Microsoft Secure Server Authority
*        SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET / HTTP/1.1
> User-Agent: curl/7.23.1 (x86_64-pc-win32) libcurl/7.23.1 OpenSSL/0.9.8r zlib/1.2.5
> Host: hotmail.com
> Accept: */*
>
< HTTP/1.1 302 Found
< Cache-Control: no-cache, no-store, must-revalidate, no-transform
< Pragma: no-cache
< Content-Type: text/html; charset=utf-8
< Expires: -1
< Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1338936266&rver=6.1.6206.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-US&cbcxt=mai
< Server: Microsoft-IIS/7.5
< xxn: 16
< P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
< Set-Cookie: KVC=16.2.7030.0523; domain=.mail.live.com; path=/
< Set-Cookie: KVC=16.2.7030.0523; domain=.mail.live.com; path=/
< Set-Cookie: KSC=; domain=.mail.live.com; expires=Thu, 01-Jan-1970 12:00:01 GMT; path=/
< Set-Cookie: kr=; domain=.mail.live.com; expires=Thu, 01-Jan-1970 12:00:01 GMT; path=/
< Set-Cookie: bsc=; domain=.mail.live.com; expires=Thu, 01-Jan-1970 12:00:01 GMT; path=/
< Set-Cookie: rru=; domain=.mail.live.com; expires=Thu, 01-Jan-1970 12:00:01 GMT; path=/
< Set-Cookie: prc=; domain=.mail.live.com; expires=Thu, 01-Jan-1970 12:00:01 GMT; path=/
< Set-Cookie: mt=; domain=.mail.live.com; expires=Thu, 01-Jan-1970 12:00:01 GMT; path=/
< Set-Cookie: DWN=; domain=.mail.live.com; expires=Thu, 01-Jan-1970 12:00:01 GMT; path=/
< MSNSERVER: H: SNT132-W16 V: 16.2.7030.523 D: 2012-05-24T04:59:29
< Date: Tue, 05 Jun 2012 22:44:25 GMT
< Content-Length: 341
<
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=11&amp;ct=1338936266&amp;rver=6.1.6206.0&amp;wp=MBI_SSL_SHARED&amp;wreply=https:%2F%2Fmail.live.com%2Fdefault.aspx&amp;lc=1033&amp;id=64855&amp;mkt=en-US&amp;cbcxt=mai">here</a>.</h2>
</body></html>
* Connection #0 to host hotmail.com left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
```

On the server it supposedly runs fine:

```
curl -v https://hotmail.com
* About to connect() to hotmail.com port 443 (#0)
*   Trying 65.55.72.167...
* connected
* Connected to hotmail.com (65.55.72.167) port 443 (#0)
* found 165 certificates in /etc/ssl/certs/ca-certificates.crt
*        server certificate verification OK
*        common name: mail.live.com (matched)
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: RSA
*        certificate version: #3
*        subject: C=US,ST=WA,L=Redmond,O=Microsoft,OU=WindowsLive,CN=mail.live.com
*        start date: Tue, 26 Apr 2011 18:32:44 GMT
*        expire date: Thu, 25 Apr 2013 18:32:44 GMT
*        issuer: DC=com,DC=microsoft,DC=corp,DC=redmond,CN=Microsoft Secure Server Authority
*        compression: NULL
*        cipher: AES-128-CBC
*        MAC: SHA1
> GET / HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-pc-linux-gnu) libcurl/7.24.0 GnuTLS/2.12.18 zlib/1.2.5.1
> Host: hotmail.com
> Accept: */*
>
< HTTP/1.1 302 Found
< Cache-Control: no-cache, no-store, must-revalidate, no-transform
< Pragma: no-cache
< Content-Type: text/html; charset=utf-8
< Expires: -1
< Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1338935663&rver=6.1.6206.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-US&cbcxt=mai
< Server: Microsoft-IIS/7.5
< xxn: 58
< P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
< Set-Cookie: KVC=16.2.7030.0523; domain=.mail.live.com; path=/
< Set-Cookie: KVC=16.2.7030.0523; domain=.mail.live.com; path=/
< Set-Cookie: KSC=; domain=.mail.live.com; expires=Thu, 01-Jan-1970 12:00:01 GMT; path=/
< Set-Cookie: kr=; domain=.mail.live.com; expires=Thu, 01-Jan-1970 12:00:01 GMT; path=/
< Set-Cookie: bsc=; domain=.mail.live.com; expires=Thu, 01-Jan-1970 12:00:01 GMT; path=/
< Set-Cookie: rru=; domain=.mail.live.com; expires=Thu, 01-Jan-1970 12:00:01 GMT; path=/
< Set-Cookie: prc=; domain=.mail.live.com; expires=Thu, 01-Jan-1970 12:00:01 GMT; path=/
< Set-Cookie: mt=; domain=.mail.live.com; expires=Thu, 01-Jan-1970 12:00:01 GMT; path=/
< Set-Cookie: DWN=; domain=.mail.live.com; expires=Thu, 01-Jan-1970 12:00:01 GMT; path=/
< MSNSERVER: H: SNT133-W58 V: 16.2.7030.523 D: 2012-05-24T04:59:29
< Date: Tue, 05 Jun 2012 22:34:23 GMT
< Content-Length: 341
<
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=11&amp;ct=1338935663&amp;rver=6.1.6206.0&amp;wp=MBI_SSL_SHARED&amp;wreply=https:%2F%2Fmail.live.com%2Fdefault.aspx&amp;lc=1033&amp;id=64855&amp;mkt=en-US&amp;cbcxt=mai">here</a>.</h2>
</body></html>
* Connection #0 to host hotmail.com left intact
* Closing connection #0
```

--EDIT2--

What a mess...

Facebook over HTTPS started working (even on Android).

But I still cannot get to hotmail (only an empty, white page is displayed).

I just don't get it :Confused:

--EDIT3--

And it stopped working again :Crying or Very sad:

----------
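The two checks SlashBeast asked for, written out as an added example that is not code from the thread: first, whether the nat table puts anything in the path of TCP 443 at all, and second, whether a LAN client sees the same certificate (subject and issuer) as the router itself. Both run offline on text you would capture with `iptables-save` and `curl -v`; the sample inputs are constructed from the rule and the transcripts quoted above, and the interface name `eth1`, the router address `192.168.1.1`, the port `8443` and the "Local Proxy CA" issuer are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread.  Two offline checks for a transparent
# proxy setup; nothing here touches the network.

# 1. Does the nat table intercept TCP 443?  Reads iptables-save text on
#    stdin, prints the rules that do, exits 0 if any were found.  Plain
#    routing of 443 is harmless; only REDIRECT/DNAT/TPROXY put a proxy in
#    the path of the TLS handshake.
nat_intercepts_443() {
    grep -E -- '^-A (PREROUTING|OUTPUT) .*--dport 443 .*-j (REDIRECT|DNAT|TPROXY)'
}

# 2. Pull subject and issuer out of a `curl -v` transcript on stdin.
#    OpenSSL builds print "C=US; ST=WA; ..." and GnuTLS builds
#    "C=US,ST=WA,...", so the separators are normalised to "," first.
cert_identity() {
    sed -n -E 's/^\*[[:space:]]+(subject|issuer): (.*)$/\1=\2/p' \
        | sed 's/; /,/g' | tr '\n' '|'
}

# Exit 0 if two transcripts show the same subject+issuer, 1 otherwise.
# A TLS-intercepting proxy shows up as a different issuer on the client
# side; a client that merely lacks the CA chain still sees the real issuer.
same_cert() {
    a=$(printf '%s\n' "$1" | cert_identity)
    b=$(printf '%s\n' "$2" | cert_identity)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# --- constructed sample inputs ------------------------------------------
# iptables-save form of the single rule in the first post (interface
# eth1 and router address 192.168.1.1 are assumed).
NAT_HTTP_ONLY='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.1.1/32 -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT'

# The same table plus the rule an HTTPS-intercepting setup would add.
NAT_HTTPS_TOO='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.1.1/32 -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT'

# Certificate lines as printed by the Win64 (OpenSSL) curl in the thread.
WIN_CLIENT='* Server certificate:
*        subject: C=US; ST=WA; L=Redmond; O=Microsoft; OU=WindowsLive; CN=mail.live.com
*        issuer: DC=com; DC=microsoft; DC=corp; DC=redmond; CN=Microsoft Secure Server Authority
*        SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.'

# The same certificate as printed by the GnuTLS curl on the router.
ROUTER='*        server certificate verification OK
*        subject: C=US,ST=WA,L=Redmond,O=Microsoft,OU=WindowsLive,CN=mail.live.com
*        issuer: DC=com,DC=microsoft,DC=corp,DC=redmond,CN=Microsoft Secure Server Authority'

# What a client behind an intercepting proxy would see (issuer made up).
INTERCEPTED='*        subject: CN=mail.live.com
*        issuer: CN=Local Proxy CA'

# Usage: one line per check.
printf '%s\n' "$NAT_HTTP_ONLY" | nat_intercepts_443 >/dev/null \
    && echo "443 is intercepted" || echo "443 is not intercepted"
same_cert "$WIN_CLIENT" "$ROUTER" \
    && echo "client and router see the same certificate" \
    || echo "certificate differs: something sits in the TLS path"
```

Run against the thread's own data the script reports that 443 is not intercepted and that the Win64 client and the router see the same subject and issuer, which is what you would expect when the client-side failure is a CA bundle issue rather than anything the router does; a real `iptables-save` and two real `curl -v` captures can be piped into the same functions.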

