[squid-users] transparent proxy https and self signed certificate error
Rafael Akchurin
rafael.akchurin at diladele.com
Sun Oct 5 10:49:28 UTC 2014
Hello Robert,
Just my two cents - if you remove or comment out the
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
from squid config - may it be that squid starts complaining - "cannot get cert issues locally" on the google sites?
Rafael.
From: Robert Watson <robert at gillecaluim.com>
Date: Sunday 5 October 2014 02:29
To: "squid-users at lists.squid-cache.org" <squid-users at lists.squid-cache.org>
Subject: [squid-users] transparent proxy https and self signed certificate error
using squid 3.4.8, compiled from source with ./configure flags --enable-icap-client --enable-ssl --enable-ssl-crtd
configured iptables for transparent proxy (redirect 80 to 3128) and everything works fine
configured iptables for transparent proxy (redirect 443 to 3127) but can't get transparent proxy for https to work
my squid.conf
...
# Squid https port
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/XXX.pem
acl broken_sites dstdomain .example.com
ssl_bump none localhost
ssl_bump none broken_sites
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 32 startup=5 idle=1
when visiting google (or any other https site) chrome complains
NET::ERR_CERT_AUTHORITY_INVALID
I tried using internet explorer as admin and imported the self signed certificate but that hasn't helped
can anyone please help with how to debug this
thanks, Robert
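Added example, not part of the original thread and not Squid project code: a small Python audit of the posted squid.conf that flags the two directives Rafael suggests removing, which turn off Squid's validation of upstream server certificates, and reports the ssl-bump signing certificate that clients have to trust as a CA. The function names and finding labels are made up for this example, and the sample config is reconstructed from the post.

```python
# Constructed sample: the TLS-related directives from the post, cert path as posted.
SAMPLE_CONF = """\
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/XXX.pem
acl broken_sites dstdomain .example.com
ssl_bump none localhost
ssl_bump none broken_sites
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
"""


def parse_directives(text):
    """Yield (line_no, name, args) for every non-blank, non-comment line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if tokens and not tokens[0].startswith("#"):
            yield line_no, tokens[0], tokens[1:]


def audit(text):
    """Return (line_no, label, message) findings for an ssl-bump setup."""
    findings = []
    for line_no, name, args in parse_directives(text):
        if name == "https_port" and "ssl-bump" in args:
            # cert= names the certificate used to sign generated host certificates
            cert = next((a[len("cert="):] for a in args if a.startswith("cert=")), None)
            findings.append((line_no, "signing-ca",
                             f"generated host certificates are signed with {cert}; "
                             "clients must trust it as a CA"))
        elif name == "sslproxy_cert_error" and args[:1] == ["allow"] and "all" in args[1:]:
            findings.append((line_no, "cert-errors-ignored",
                             "every upstream certificate validation error is accepted"))
        elif name == "sslproxy_flags":
            # flags may be given as a comma-separated list
            flags = {f for a in args for f in a.split(",")}
            if "DONT_VERIFY_PEER" in flags:
                findings.append((line_no, "no-peer-verify",
                                 "upstream server certificates are not verified"))
    return findings


if __name__ == "__main__":
    for line_no, label, message in audit(SAMPLE_CONF):
        print(f"line {line_no}: [{label}] {message}")
```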