[squid-users] Problems with squid 3.1 to 3.3 upgrade

Tom Karches twk at ncsu.edu
Thu Aug 8 19:29:36 UTC 2019

I am in the process of upgrading our Squid proxy server from 3.1 (on RHEL6)
to 3.3 (on RHEL7). It is configured as an explicit (not transparent) proxy
that listens on port 3128. Clients are explicitly configured to use the

On the 3.3 system with the same squid.conf as the 3.1 system (I have made
changes to fix warnings), the system is able to proxy internal (*.ncsu.edu)
http traffic and https traffic. Anything https outside the ncsu.edu domain

The system (which does not use caching) was configured to log https
transactions as such :

1565183014.309    230 TCP_MISS/200 62539 CONNECT entrepreneurship.ncsu.edu:443 - DIRECT/ -

which requires SSL Bumping (I believe), though there is no reference in the
current configs to the use of SSL bumping.

I used curl to test the new proxy. When I attempt to proxy an external
https connection, this is the result :

$ curl --proxy https://www.google.com
curl: (56) Received HTTP code 503 from proxy after CONNECT

Proxying internal (ncsu.edu) connections this way is working correctly for
http and https

When I change my squid.conf from :

http_port 3128


http_port 3128 ssl-bump \
   cert=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
   generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

I now get the following error

squid[5796]: FATAL: No valid signing SSL certificate configured for HTTP_port [::]:3128

The certs on the new server are newer, but otherwise appear to be correct.

Are there changes in the SSL bump config between 3.1 and 3.3 that would
cause this kind of failure? Where should I be looking for the problem?

No previous experience with squid until this project. I've been doing much
RTM (including the O'Reilly Squid book) searching online and debugging
these past few days. Suggestions appreciated.


Thomas Karches
NCSU OIT CSI - Systems Specialist
M.E Student - STEM Education
Hillsborough 319 / 919.515.5508
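
Squid's ssl-bump mode needs a CA certificate together with its private key to sign generated host certificates, whereas the file passed to cert= in the message above is the RHEL system trust bundle, which holds public CA certificates only. The check below is an added example, not part of the original post or of Squid: it scans squid.conf text for ssl-bump ports whose cert=/key= files contain no PEM private key. It assumes PEM-encoded files and inspects block labels only; the function names are hypothetical.

```python
import re
from pathlib import Path

PEM_LABEL = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")

def pem_labels(path):
    """List the PEM block labels in a file; empty list if it cannot be read."""
    try:
        return PEM_LABEL.findall(Path(path).read_text(errors="replace"))
    except OSError:
        return []

def check_ssl_bump_ports(conf_text):
    """Return (port, problem) pairs for ssl-bump ports lacking signing material."""
    findings = []
    # Join backslash-continued lines, as used in the directive quoted in the post.
    joined = re.sub(r"\\[ \t]*\n", " ", conf_text)
    for line in joined.splitlines():
        tokens = line.split("#", 1)[0].split()
        if len(tokens) < 3 or tokens[0] not in ("http_port", "https_port"):
            continue
        port, options = tokens[1], tokens[2:]
        if "ssl-bump" not in options:
            continue
        opts = dict(o.split("=", 1) for o in options if "=" in o)
        cert = opts.get("cert")
        if cert is None:
            findings.append((port, "no cert= option"))
            continue
        # Without key=, Squid expects the private key inside the cert= file.
        key = opts.get("key", cert)
        if "CERTIFICATE" not in pem_labels(cert):
            findings.append((port, f"{cert}: no certificate found"))
        if not any(label.endswith("PRIVATE KEY") for label in pem_labels(key)):
            findings.append((port, f"{key}: no private key found"))
    return findings

if __name__ == "__main__":
    import tempfile
    # Constructed stand-in for a CA trust bundle: certificates only, no key.
    with tempfile.NamedTemporaryFile("w", suffix=".pem") as f:
        f.write("-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n")
        f.flush()
        conf = f"http_port 3128 ssl-bump \\\n   cert={f.name} \\\n   generate-host-certificates=on\n"
        print(check_ssl_bump_ports(conf))
```

A finding of "no private key found" for the cert= file means Squid has nothing to sign with on that port, whatever the age or validity of the certificates in the file.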
