[squid-users] Squid with SSL-Bump on Debian testing: SSL_ERROR_RX_RECORD_TOO_LONG
C. L. Martinez
carlopmart at gmail.com
Fri Mar 3 21:29:29 UTC 2017
Hi all,
After installing Squid 3.5.24 in my Debian testing (many thanks Amos for your help), I am trying to configure Squid as https intercept proxy. My config actually is:
http_port 127.0.0.1:8080
http_port 127.0.0.1:8081 intercept
http_port 127.0.0.1:8082 ssl-bump cert=/opt/squid/etc/certs/myCA.pem generate-host-certificates=on \
dynamic_cert_mem_cache_size=4MB tls-dh=/opt/squid/etc/certs/dhparam.pem
https_port 127.0.0.1:8083 ssl-bump intercept cert=/opt/squid/etc/certs/myCA.pem generate-host-certificates=on \
dynamic_cert_mem_cache_size=4MB tls-dh=/opt/squid/etc/certs/dhparam.pem
sslcrtd_program /opt/squid/libexec/ssl_crtd -s /var/squid/ssldb -M 4MB
# SSL-Bump
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump splice localhost
acl exclude_sites ssl::server_name_regex -i "/usr/local/etc/squid/doms.nobump"
ssl_bump peek step1 all
ssl_bump splice exclude_sites
ssl_bump stare step2 all
ssl_bump bump all
Content of "/usr/local/etc/squid/doms.nobump" is:
update\.microsoft\.com$
update\.microsoft\.com\.akadns\.net$
But every time I have receiving Error code: SSL_ERROR_RX_RECORD_TOO_LONG in Firefox's browsers when I visit any web using https like https://www.debian.org, https://www.redhat.com, etc.. Some time ago, I have setup same config under OpenBSD and all works ok.
Where am I doing the mistake?
--
Greetings,
C. L. Martinez
More information about the squid-users
mailing list