[squid-users] Establishing secure connection problems (Chrome)

Amos Jeffries squid3 at treenet.co.nz
Fri Jun 3 05:43:54 UTC 2016

On 3/06/2016 1:35 a.m., William Ivanski wrote:
> Thank you for your quick response.
> First of all forgive me for the lack of information in the first
> email. I've tried to disable QUIC a few minutes ago and the problem
> persists. The requested information follows:
> -> Compilation:
> I've installed squid using the following commands:
>     cd /usr/src
>     apt-get install squid3
>     wget http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.15-20160330-r14015.tar.gz
>     tar xvzf squid-3.5.15-20160330-r14015.tar.gz
>     cd squid-3.5.15-20160330-r14015

NP: when building your own always build the latest. Today that would be
one of the 3.5.19 snapshots.

>     apt-get build-dep squid3 && apt-get install build-essential libssl-dev
>     ./configure --enable-icap-client --enable-ssl --enable-ssl-crtd
> --prefix=/usr --includedir=/usr/include --mandir=/usr/share/man
> --infodir=/usr/share/info --sysconfdir=/etc --localstatedir=/var
> --libexecdir=/lib/squid3 --srcdir=. --datadir=/usr/share/squid3
> --sysconfdir=/etc/squid3 --mandir=/usr/share/man
> --with-default-user=squid --with-cppunit-config-basedir=/usr
> --with-logdir=/var/log/squid3 --with-pidfile=/var/run/squid3.pid
> --with-openssl --disable-optimizations --disable-arch-native
>     service squid3 stop
>     make all && make install
>     useradd squid && chown -R squid:squid /var/log/squid3

Don't. The squid3 package install created the necessary user and
permissions for all required things.

You just need to build with the same default-user settings as Debian.
IIRC that is --with-default-user=proxy

>     mv /usr/sbin/squid3 /usr/sbin/squid3.old && mv /usr/sbin/squid
> /usr/sbin/squid3
>     /lib/squid3/ssl_crtd -c -s /var/lib/ssl_db -M 4 MB
>     chown -R squid:squid /var/lib/ssl_db
>     service squid3 restart && service squid3 stop && chmod 777
> /var/spool/squid3 && squid3 -z && service squid3 restart

Same here.

> OBS: We're not using ssl_crtd/ssl_db anymore. Our previous squid conf
> was using intercept, but the actual one isn't configured as
> transparent proxy.

If that is so then any problems Chrome or other agents might be having
are not related to Squid.

They are just creating opaque tunnels through the proxy and doing TLS
stuff end-to-end. There is no reason for the proxy to have TLS/SSL
capabilities at all in that kind of setup.

The config you posted confirms. The OpenSSL abilities you custom
compiled to add to the proxy are not being used in any way.
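
An added example, not part of the original message: one way to check a squid.conf for the directives that make Squid handle TLS itself (`https_port`, the `ssl-bump` flag on `http_port`, `ssl_bump`, `sslcrtd_program`), as opposed to only relaying CONNECT tunnels. The function name `squid_tls_usage` is hypothetical and both sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list squid.conf directives that make
# Squid itself terminate or inspect TLS. No output means CONNECT is only relayed.
squid_tls_usage() {
    # Reads a squid.conf from the file named in $1, or from stdin if omitted.
    awk '
        { sub(/#.*/, "") }          # assumption: "#" always starts a comment
        NF == 0 { next }
        $1 == "https_port" { print "tls-listener: " $0; hit = 1; next }
        $1 == "http_port" {
            for (i = 2; i <= NF; i++)
                if ($i == "ssl-bump") { print "bump-port: " $0; hit = 1 }
            next
        }
        $1 == "ssl_bump" || $1 == "sslcrtd_program" {
            print "bump-config: " $0; hit = 1
        }
        END { exit(hit ? 0 : 1) }   # 0 = Squid handles TLS, 1 = tunnels only
    ' "${1:--}"
}

# Constructed sample: plain forward proxy, as in the setup discussed above.
PLAIN_CONF='http_port 3128
acl localnet src 10.0.0.0/8   # constructed address range
http_access allow localnet
http_access deny all'

# Constructed sample: SSL-Bump enabled (certificate path is a placeholder).
BUMP_CONF='http_port 3128 ssl-bump cert=/etc/squid3/example-ca.pem
sslcrtd_program /lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
ssl_bump bump all'

for name in PLAIN_CONF BUMP_CONF; do
    eval "conf=\$$name"
    if printf '%s\n' "$conf" | squid_tls_usage; then
        echo "$name: Squid is configured to handle TLS itself"
    else
        echo "$name: no TLS directives; HTTPS passes as opaque CONNECT tunnels"
    fi
done
```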

