[squid-users] HTTPS woes

Yuri yvoinov at gmail.com
Tue Apr 18 13:03:19 UTC 2017



18.04.2017 18:56, Olly Lennox wrote:
> I'm using
>
> sslproxy_foreign_intermediate_certs
>
> Is this the same thing?
No. You first need the CA roots available to Squid. CA roots and 
intermediates are different things.
>
> Also is there anywhere to get a bundle of all the major CA intermediate 
> certs or do you have to download them all manually?
No. You should build it yourself.
>
> Cheers,
> oliver at lennox-it.uk
> lennox-it.uk <http://lennox-it.uk/>
> tel: 07900 648 252
>
>
> ------------------------------------------------------------------------
> *From:* Yuri <yvoinov at gmail.com>
> *To:* squid-users at lists.squid-cache.org
> *Sent:* Tuesday, 18 April 2017, 13:51
> *Subject:* Re: [squid-users] HTTPS woes
>
> Try to specify roots CA bundle/dir explicity by specifying one of this
> params:
>
>
> #  TAG: sslproxy_cafile
> #    file containing CA certificates to use when verifying server
> #    certificates while proxying https:// URLs
> #Default:
> # none
>
> #  TAG: sslproxy_capath
> #    directory containing CA certificates to use when verifying
> #    server certificates while proxying https:// URLs
> #Default:
> # none
>
>
>
> 18.04.2017 18:46, Olly Lennox wrote:
> > Hi All,
> >
> > Still having problems here. This is my https config now:
> >
> >
> > ---------------------------------
> > https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squid.crt key=/etc/squid3/ssl_cert/squid.key options=NO_SSLv3 dhparams=/etc/squid3/ssl_cert/dhparam.pem
> >
> > acl step1 at_step SslBump1
> > ssl_bump peek step1
> > ssl_bump bump all
> > sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
> > sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
> >
> > sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
> > sslcrtd_children 8 startup=1 idle=1
> >
> > ---------------------------------
> >
> >
> > I'm running version 3.5.23 with openssl 1.0. I've had to disable 
> libecap because I couldn't build 3.5 with ecap enabled. I'm getting 
> the following error when trying to connect with SSL:
> >
> > ---------------------------------
> >
> > The following error was encountered while trying to retrieve the 
> URL: https://www.google.co.uk/*
> >
> > Failed to establish a secure connection to 216.58.198.67
> >
> > The system returned:
> >
> > (71) Protocol error (TLS code: 
> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
> > SSL Certficate error: certificate issuer (CA) not known: 
> /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> >
> > This proxy and the remote host failed to negotiate a mutually 
> acceptable security settings for handling your request. It is possible 
> that the remote host does not support secure connections, or the proxy 
> is not satisfied with the host security credentials.
> >
> > Your cache administrator is webmaster.
> >
> > Generated Tue, 18 Apr 2017 12:23:40 GMT by raspberrypi (squid/3.5.23)
> > ---------------------------------
> >
> > The CA is always listed as not known; no matter what site I try, I 
> always get this error.
> >
> > Any ideas?
> >
> > Thanks,
> >
> > Olly
> >
> > ________________________________
> > From: Olly Lennox <oliver at lennox-it.uk <mailto:oliver at lennox-it.uk>>
> > To: Amos Jeffries <squid3 at treenet.co.nz 
> <mailto:squid3 at treenet.co.nz>>; "squid-users at lists.squid-cache.org 
> <mailto:squid-users at lists.squid-cache.org>" 
> <squid-users at lists.squid-cache.org 
> <mailto:squid-users at lists.squid-cache.org>>
> > Sent: Sunday, 16 April 2017, 9:31
> > Subject: Re: [squid-users] HTTPS woes
> >
> >
> >
> > Thanks Amos, it's finally built but I had to disable ecap, for 
> whatever reason this kept failing (with version 1.0.1 installed). It 
> failed on a reference to the Area function I think but I don't have 
> the error message copied. I'm trying now to configure the ssl 
> stare/peek and will let you know how it goes.
> >
> > Olly
> >
> > oliver at lennox-it.uk <mailto:oliver at lennox-it.uk>
> > lennox-it.uk
> > tel: 07900 648 252
> >
> >
> >
> > ________________________________
> > From: Amos Jeffries <squid3 at treenet.co.nz <mailto:squid3 at treenet.co.nz>>
> > To: squid-users at lists.squid-cache.org 
> <mailto:squid-users at lists.squid-cache.org>
> > Sent: Saturday, 15 April 2017, 23:07
> > Subject: Re: [squid-users] HTTPS woes
> >
> >
> >
> > On 15/04/2017 9:59 a.m., Olly Lennox wrote:
> >> Hi Guys.
> >> I'm still struggling with this. I'm trying to build a version of 
> 3.5 but I just can't get it to work. I'm currently attempting to 
> rebuild the stretch package with SSL enabled but build keeps failing 
> with the following:
> >> ../../src/ssl/gadgets.h:83:45: error: ‘CRYPTO_LOCK_X509’ was not declared in this scope
> >>  typedef LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> X509_Pointer;
> >>                                              ^~~~~~~~~~~~~~~~
> >> ../../src/ssl/gadgets.h:83:61: error: template argument 3 is invalid
> >>  typedef LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> X509_Pointer;
> >>                                                              ^
> >> ../../src/ssl/gadgets.h:89:53: error: ‘CRYPTO_LOCK_EVP_PKEY’ was not declared in this scope
> >>  typedef LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY> EVP_PKEY_Pointer;
> >>                                                      ^~~~~~~~~~~~~~~~~~~~
> >> ../../src/ssl/gadgets.h:89:73: error: template argument 3 is invalid
> >>  typedef LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY> EVP_PKEY_Pointer;
> >>                                                                          ^
> >> ../../src/ssl/gadgets.h:116:43: error: ‘CRYPTO_LOCK_SSL’ was not declared in this scope
> >>  typedef LockingPointer<SSL, SSL_free_cpp, CRYPTO_LOCK_SSL> SSL_Pointer;
> >>                                            ^~~~~~~~~~~~~~~
> >> ../../src/ssl/gadgets.h:116:58: error: template argument 3 is invalid
> >>  typedef LockingPointer<SSL, SSL_free_cpp, CRYPTO_LOCK_SSL> SSL_Pointer;
> >>                                                           ^
> >> Any ideas?
> >
> >
> > On Jessie/stable:
> >
> > apt-get build-dep squid3
> > apt-get install libssl-dev
> >
> >
> > On stretch/testing/unstable:
> >
> > apt-get build-dep squid
> > apt-get install libssl1.0-dev
> >
> >
> > That should do it for you.
> >
> > Amos
> >
> >
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org 
> <mailto:squid-users at lists.squid-cache.org>
> > http://lists.squid-cache.org/listinfo/squid-users
> >
> >
> >
>
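Added example, not code from this thread or from the Squid project: a POSIX shell script that uses only the openssl CLI to build a throwaway root → intermediate → server chain (all CNs, file names and the unrelated "Other Root CA" are constructed) and then verifies the server certificate against different trust stores. It shows the three outcomes the thread turns on: the root in the trust store (verification succeeds), the intermediate mistaken for a root (fails), and a store that lacks this chain's root entirely (fails with the same X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY reason Olly's error page reports). It also builds a hashed directory of the kind sslproxy_capath expects. The mapping of openssl options onto Squid directives in the header comment is the editor's analogy, and the script assumes OpenSSL 1.1 or later for the -no-CAfile/-no-CApath flags.

```shell
#!/bin/sh
# Added example; not from this thread or from Squid. Rough analogy to Squid's directives:
#   -CAfile    ~ sslproxy_cafile                     (trusted roots, one PEM bundle)
#   -CApath    ~ sslproxy_capath                     (trusted roots, hashed directory)
#   -untrusted ~ sslproxy_foreign_intermediate_certs (intermediates; never trust anchors)
set -e

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the constructed chain

# Minimal OpenSSL config so the run does not depend on the system openssl.cnf.
write_config() {
    cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
}

# Self-signed CA: $1 = CN, $2 = output basename (constructed names).
new_root() {
    openssl req -x509 -new -config "$WORK/openssl.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -sha256 -days 3650 -subj "/CN=$1" -keyout "$WORK/$2.key" -out "$WORK/$2.crt" >/dev/null 2>&1
}

# Certificate issued by a CA: $1 = CN, $2 = output basename, $3 = issuer basename, $4 = extension section.
issue() {
    openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$1" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" -CAcreateserial \
        -sha256 -days 365 -extfile "$WORK/openssl.cnf" -extensions "$4" -out "$WORK/$2.crt" >/dev/null 2>&1
}

# Root -> intermediate -> server, plus an unrelated root that trusts none of them.
make_chain() {
    [ -f "$WORK/server.crt" ] && return 0
    write_config
    new_root "Example Root CA" root
    new_root "Other Root CA" other-root
    issue "Example Intermediate CA" intermediate root v3_ca
    issue "www.example.test" server intermediate v3_leaf
}

# Hashed CA directory: each cert is stored as <subject_hash>.<n>, the layout
# c_rehash produces and -CApath / sslproxy_capath look up by.
build_capath() {
    dir="$1"; shift
    mkdir -p "$dir"
    for cert in "$@"; do
        hash=$(openssl x509 -in "$cert" -noout -subject_hash)
        n=0
        while [ -e "$dir/$hash.$n" ] && ! cmp -s "$cert" "$dir/$hash.$n"; do n=$((n + 1)); done
        cp "$cert" "$dir/$hash.$n"
    done
}

# Verify server.crt with the intermediate offered only as untrusted chain material.
# $1 = -CAfile or -CApath, $2 = trust file or directory. Prints "OK" or "FAIL: <reason>".
verify_server() {
    case "$1" in
        -CAfile) extra=-no-CApath ;;
        -CApath) extra=-no-CAfile ;;
        *) echo "usage: verify_server -CAfile|-CApath <path>" >&2; return 2 ;;
    esac
    if out=$(openssl verify "$1" "$2" "$extra" -untrusted "$WORK/intermediate.crt" "$WORK/server.crt" 2>&1); then
        echo OK
    else
        reason=$(echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1)
        echo "FAIL: ${reason:-$out}"
    fi
}

main() {
    make_chain
    printf 'root in CAfile, intermediate untrusted:   %s\n' "$(verify_server -CAfile "$WORK/root.crt")"
    printf 'intermediate used as if it were a root:   %s\n' "$(verify_server -CAfile "$WORK/intermediate.crt")"
    printf 'store lacks this root (what the proxy hit): %s\n' "$(verify_server -CAfile "$WORK/other-root.crt")"
    build_capath "$WORK/capath" "$WORK/root.crt" "$WORK/other-root.crt"
    printf 'hashed CApath holding the root:           %s\n' "$(verify_server -CApath "$WORK/capath")"
}
main
```

Run it with `sh` (set WORK to keep the generated files). The second case is the one the reply above is getting at: feeding an intermediate into the trusted store does not make a chain validate, because OpenSSL still walks up to a self-signed root; the third case reproduces the "certificate issuer (CA) not known" failure, where the chain is complete but the trust store holds no root for it.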
