[squid-users] HTTPS woes

Amos Jeffries squid3 at treenet.co.nz
Fri Apr 14 11:36:52 UTC 2017


On 14/04/2017 6:00 a.m., Yuri Voinov wrote:
> 
> 
> 13.04.2017 22:57, Olly Lennox wrote:
>> Hi There,
>>
>> I've been battling for the last few days on a little project to set up a Raspberry Pi device as a small parental blocking server. I've managed to configure the device to work as a transparent proxy using squid which is assigned as the default gateway via DHCP and after a lot of messing about I've finally got to the point where it's routing traffic correctly, proxying and blocking unwanted websites over HTTP.
>>
>> The problem I have is that for the life of me I cannot get things to work over HTTPS. It's working over the older, insecure web browsers where anything goes but the more modern browsers will not accept the SSL certificates and fail with insecure messages. I've tried various ways of generating a cert and also generating a CA cert and signing my other cert with it to no avail. I've had a mixture of errors back from the browser from WEAK_ALGORITHM to BAD_AUTHORITY to INVALID_CERT.
>>
>> I've been using openssl to generate self-signed certificates and create a der file. Below is a recent attempt but I've tried lots of different approaches:
>>
>> ------------
>> openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 -keyout squid.key -out squid.crt 
>> openssl req -new -x509 -key squid.key -out squid.pem 
>> openssl x509 -in squid.pem -inform pem -out squid.der -outform der
>> ------------
>>
>>
>> Then my config in Squid is like this, the dhparams file I generated as per instructions in the squid wiki:
> First of all: what's Squid's version?

And secondly, are you sufficiently capable with Debian to (cross-)build
your own Squid package that can run on Raspbian?

The Debian squid/squid3 packages do not have TLS/SSL/HTTPS support. So
you will be building your own to get the bumping features.

Amos
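
A quick way to check an installed binary for the build options the reply refers to, as an added example that is not part of the original message. It assumes the build flags appear on the `configure options:` line of `squid -v`, that `--with-openssl` (Squid 3.5 and later) or `--enable-ssl` (older releases) marks TLS support, and that `--enable-ssl-crtd` marks the certificate generation helper; the two sample outputs are constructed.

```shell
#!/bin/sh
# Added example: classify a Squid build from the text printed by `squid -v`.
# Reads that text on stdin and prints one of:
#   bump-capable  TLS support and the ssl_crtd certificate helper are built in
#   tls-no-crtd   TLS support is built in, the certificate helper is not
#   no-tls        built without OpenSSL, so no https_port or ssl_bump
squid_tls_support() {
    # Keep only the "configure options:" line and drop the quotes around flags.
    opts=$(grep -i 'configure options' | tr -d "'")
    case " $opts " in
        # Squid 3.5+ flag, or the flag used by older releases.
        *" --with-openssl"*|*" --enable-ssl "*) tls=yes ;;
        *) tls=no ;;
    esac
    case " $opts " in
        *" --enable-ssl-crtd"*) crtd=yes ;;
        *) crtd=no ;;
    esac
    if [ "$tls" = no ]; then
        echo no-tls
    elif [ "$crtd" = yes ]; then
        echo bump-capable
    else
        echo tls-no-crtd
    fi
}

# Constructed sample: a distribution-style build with no OpenSSL flags.
STOCK_SAMPLE="Squid Cache: Version 3.5.23
Service Name: squid
configure options:  '--build=arm-linux-gnueabihf' '--prefix=/usr' '--enable-icap-client' '--with-default-user=proxy'"

# Constructed sample: a local rebuild with the TLS flags added.
REBUILT_SAMPLE="Squid Cache: Version 3.5.23
Service Name: squid
configure options:  '--prefix=/usr' '--with-openssl' '--enable-ssl-crtd' '--with-default-user=proxy'"

printf '%s\n' "$STOCK_SAMPLE"   | squid_tls_support   # no-tls
printf '%s\n' "$REBUILT_SAMPLE" | squid_tls_support   # bump-capable

# On a real host, classify the installed binary if there is one.
if command -v squid >/dev/null 2>&1; then
    squid -v | squid_tls_support
fi
```
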


