[squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

Amos Jeffries squid3 at treenet.co.nz
Sun Nov 8 22:19:00 UTC 2015


On 9/11/2015 2:40 a.m., maple wrote:
> hi Amos,
> 
> first of all, thanks very much for your specified answer. and about your
> questions:
> 1) are you the sysadmin for that network? 
> there are actually three networks involved: internal net(I'm fully in charge
> of this) <--->lab network(jump server located, I'm using it to set up ssh
> tunnel from office, I'm just a user in this net) <---> office network(http
> proxy located, I'm just a user)
> 2) and why is there a full separation like that? 
> as I said above, lab network is almost completely separated from others,
> only provide a jump server which allow office network to access with ssh, so
> if i want my internal net located in lab to access internet, the only way is
> to use ssh tunnel to visit http proxy in office range. this is the reason I
> set up like this, I may contact sysadmin to give some way to access internet
> from lab directly which can bypass the ssh tunnel way, but upstream proxy is
> necessary for policy reason.

That would be the best solution. That way they are both aware of the use,
and can assist you with any problems going through their gateway proxy.

It may be that their proxy does not have TLS/SSL support available. If
so this thread will not be able to come to a happy solution for you anyway.


> 
> I went through solution suggested by you, just confirm in case I don't
> understand it in right way:
> 
> client <---https---> second squid <---proxychains---> first squid <---ssh
> tunnel---> http proxy <--http/https--> internet
> 


I meant:

first squid --(TLS)--]SSH tunnel[--(TLS)--> parent proxy --> Internet


> for first squid("configured with a cache_peer using an IP:port, and also
> using the "ssl" option):
> http_port 3128 intercept
> cache_peer 127.0.0.1 parent 12345 0 no-query no-digest default
> never_direct allow all 
> sslproxy_flags DONT_VERIFY_PEER
> 
> I'm not sure what's exact "ssl"option, but it should not be ssl_bump, right?
> it's appreciated if you can specify it.

Please read the documentation about "SSL / HTTPS / TLS options" for
cache_peer:
 <http://www.squid-cache.org/Doc/config/cache_peer/>


Amos
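As an added illustration (not part of Amos's reply, and not taken from the Squid documentation) of what the "SSL / HTTPS / TLS options" on cache_peer look like for the first squid in the diagram above: the local end of the SSH tunnel is 127.0.0.1:12345, the parent is assumed to expose an https_port at the far end of the tunnel, and the CA file path and the ssldomain= name are placeholders to be replaced with the parent's real CA certificate and certificate name. Option names are the Squid 3.5 spelling current at the time of this thread; Squid 4 and later renamed them to tls, tls-cafile=, tls-domain= and tls-flags=.

```conf
# Added example config for the first squid (placeholders, not a tested setup).
http_port 3128 intercept

# "ssl" makes Squid speak TLS on the peer link. Without it the connection to
# 127.0.0.1:12345 is plain HTTP, whatever the parent at the other end of the
# tunnel expects. The peer address here is the tunnel endpoint, not the
# parent's hostname, so ssldomain= supplies the name to verify the parent's
# certificate against, and sslcafile= the CA that issued it (both placeholders).
cache_peer 127.0.0.1 parent 12345 0 no-query no-digest default ssl sslcafile=/etc/squid/parent-ca.pem ssldomain=parent-proxy.example

never_direct allow all

# sslproxy_flags applies to Squid's own direct TLS connections to origin
# servers, not to the peer link. The per-peer equivalent is
# sslflags=DONT_VERIFY_PEER on the cache_peer line; that disables certificate
# checking on the link to the parent, so use it only to confirm the tunnel
# carries TLS at all, then replace it with sslcafile=/ssldomain= as above.
```

If the parent has no https_port, no combination of these options helps: Squid will send a Client Hello into the tunnel and the plain-HTTP listener on the far side cannot answer it, which is the situation Amos describes as having no happy solution.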


