[squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

maple maple.feng.wang at hotmail.com
Thu Nov 5 02:47:37 UTC 2015

Sorry, I am posting my question again, since last time I was not a subscriber yet.



After a lot of googling, I finally found this post. I have exactly the same
problem as you, and can't use squid to handle https traffic behind a parent
proxy. I also tried proxychains + squid, but without luck; it didn't
work. So could I ask about your configuration for proxychains + squid? This is

For proxychains, it's very easy:
http 12345 (for some reason, I must use ssh reverse tunnel to map
my parent http proxy to my local port 12345)

For squid 3.4:
http_access allow all
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/squid.crt
always_direct allow all
ssl_bump server-first all
sslproxy_cert_error allow all
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB
sslcrtd_children 8 startup=1 idle=1
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320

My iptables rules:
-A PROXY -p tcp --dport 80 -j REDIRECT --to-ports 3128
-A PROXY -p tcp --dport 443 -j REDIRECT --to-ports 3129

And lastly, I use proxychains to chain them together:
proxychains4 -f proxychains.conf squid -f /etc/squid/squid.conf

But it didn't work for either http or https. I checked the http log, and it
turned out that it was denied by squid, but I'm sure the ACL settings should be
fine. So I switched the squid setting back to cache_peer, and then http worked.
Then I modified proxychains.conf to use a proxy which doesn't exist and
chained squid again, and http still worked, so I'm pretty sure proxychains is
not working for chaining the parent proxy and squid together.

But I have tested proxychains in my environment with other commands like yum
or telnet, and they work fine. Why can't it work for squid? Is it because squid
runs as a daemon? So how did you integrate them? Thanks in advance.

Best regards.

View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/ssl-bump-with-cache-peer-problem-Handshake-fail-after-Client-Hello-tp4672064p4674381.html
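As an added example (not part of the post above and not code from the Squid project), the following checker cross-references the kind of squid.conf and iptables REDIRECT rules shown in the post. It parses only the directives that appear there (http_port, https_port, cache_peer, always_direct, never_direct) and flags the two inconsistencies a reviewer would look for first: a REDIRECT target port that Squid is not listening on in intercept mode, and an `always_direct allow all` left in place next to a cache_peer, which makes Squid bypass the parent for every request. The cache_peer line, its hostname and its port are hypothetical placeholders; the rest of the sample input is taken from the post.

```python
"""Sanity-check a squid.conf against the iptables REDIRECT rules that feed it.

Added example; not from the squid-users post or from the Squid project.
Only the directives quoted in the post are understood.
"""
import re

# Configuration quoted from the post (squid 3.4, intercept + ssl-bump).
POSTED_SQUID_CONF = """
http_access allow all
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/squid.crt
always_direct allow all
ssl_bump server-first all
sslproxy_cert_error allow all
"""

# iptables rules quoted from the post.
POSTED_IPTABLES = """
-A PROXY -p tcp --dport 80 -j REDIRECT --to-ports 3128
-A PROXY -p tcp --dport 443 -j REDIRECT --to-ports 3129
"""

# Constructed variant of the poster's "switch back to cache_peer" step.
# Hostname and port are placeholders, not values from the post.
PEER_SQUID_CONF = POSTED_SQUID_CONF + (
    "cache_peer parent.example.invalid parent 8080 0 no-query default\n"
)

# Constructed mismatch: HTTPS redirected to a port Squid does not listen on.
MISMATCHED_IPTABLES = """
-A PROXY -p tcp --dport 80 -j REDIRECT --to-ports 3128
-A PROXY -p tcp --dport 443 -j REDIRECT --to-ports 3130
"""


def parse_squid_conf(text):
    """Return (listeners, peers, always_direct, never_direct).

    listeners maps port -> set of option names with any '=value' stripped,
    e.g. 3129 -> {'intercept', 'ssl-bump', 'cert', ...}.
    """
    listeners, peers, always_direct, never_direct = {}, [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        directive, *args = line.split()
        if directive in ("http_port", "https_port") and args:
            port = int(args[0].rsplit(":", 1)[-1])  # accepts 'port' or 'ip:port'
            listeners[port] = {a.split("=", 1)[0] for a in args[1:]}
        elif directive == "cache_peer" and args:
            peers.append(args[0])
        elif directive == "always_direct":
            always_direct.append(tuple(args))
        elif directive == "never_direct":
            never_direct.append(tuple(args))
    return listeners, peers, always_direct, never_direct


REDIRECT_RE = re.compile(r"--dport\s+(\d+).*-j\s+REDIRECT\s+--to-ports\s+(\d+)")


def parse_redirects(text):
    """Return {original dport: redirect target port} from 'iptables -S' style lines."""
    matches = (REDIRECT_RE.search(line) for line in text.splitlines())
    return {int(m.group(1)): int(m.group(2)) for m in matches if m}


def check(squid_text, iptables_text):
    """Return a list of (code, detail) findings; an empty list means consistent."""
    listeners, peers, always_direct, never_direct = parse_squid_conf(squid_text)
    redirects = parse_redirects(iptables_text)
    findings = []
    # Every REDIRECT must land on a Squid port that is in intercept mode.
    for dport, target in sorted(redirects.items()):
        if target not in listeners:
            findings.append(("REDIRECT_NO_LISTENER",
                             f"dport {dport} -> {target}: no http_port/https_port {target}"))
        elif "intercept" not in listeners[target]:
            findings.append(("LISTENER_NOT_INTERCEPT",
                             f"port {target} receives REDIRECTed traffic but lacks 'intercept'"))
    # Every intercept port should actually be fed by a REDIRECT rule.
    for port, options in sorted(listeners.items()):
        if "intercept" in options and port not in redirects.values():
            findings.append(("INTERCEPT_NOT_REDIRECTED",
                             f"port {port} is 'intercept' but no REDIRECT rule targets it"))
    # With a parent configured, 'always_direct allow all' bypasses it entirely,
    # and without never_direct Squid may still choose DIRECT for some requests.
    if peers:
        if any(rule[:2] == ("allow", "all") for rule in always_direct):
            findings.append(("ALWAYS_DIRECT_BYPASSES_PEER",
                             "always_direct allow all sends every request direct; cache_peer is never used"))
        if not never_direct:
            findings.append(("PEER_WITHOUT_NEVER_DIRECT",
                             "cache_peer set but no never_direct rule; Squid may still go direct"))
    return findings


def finding_codes(squid_text, iptables_text):
    """Convenience wrapper returning only the finding codes, in order."""
    return [code for code, _ in check(squid_text, iptables_text)]


if __name__ == "__main__":
    for label, conf, rules in (("posted", POSTED_SQUID_CONF, POSTED_IPTABLES),
                               ("with peer", PEER_SQUID_CONF, POSTED_IPTABLES),
                               ("mismatched", POSTED_SQUID_CONF, MISMATCHED_IPTABLES)):
        print(f"[{label}]", check(conf, rules) or "no findings")
```

Run against the post's own configuration and rules the checker reports nothing, which matches the poster's observation that the intercept setup itself is sound; it is the peer variant that trips the `always_direct` finding. The checker is deliberately narrow: it reads the handful of directives the post uses and does not attempt to interpret ACL names beyond `all`.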
