[squid-users] Problems with squid 3.1 to 3.3 upgrade
Alex Rousskov
rousskov at measurement-factory.com
Thu Aug 8 22:05:18 UTC 2019
On 8/8/19 3:29 PM, Tom Karches wrote:
> I am in the process of upgrading our Squid proxy server from 3.1 (on
> RHEL6) to 3.3 (on RHEL7).
It could have been worse! For example, you could ask a question about
upgrading Squid from v1.0 to v2.0... I will try to help, but I do not
remember much about v3.3 specifics.
> The system was configured to log https transactions as such:
> 1565183014.309 230 127.0.0.1 TCP_MISS/200 62539 CONNECT entrepreneurship.ncsu.edu:443 - DIRECT/152.1.227.116 -
> which requires SSL Bumping
No, simply logging HTTP CONNECT requests does not require bumping SSL.
> I used curl to test the new proxy. When I attempt to proxy an external
> https connection, this is the result :
> $ curl --proxy http://127.0.0.1:3128 https://www.google.com
> curl: (56) Received HTTP code 503 from proxy after CONNECT
Your Squid told curl that something went wrong. If you look at the
actual response, you may know what went wrong. The same information may
be available in Squid access.log, but the error response may have more
details than a log record. Please share that info here if it does not
point you to a solution.
> http_port 3128 ssl-bump \
> cert=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> I now get the following error
> squid[5796]: FATAL: No valid signing SSL certificate configured for
> HTTP_port [::]:3128
Avoid opening the SslBump Pandora's box until you have to. If all you need
is CONNECT logging, then you should be able to accomplish what you want
without SslBump pains.
> Where should I be looking for the problem?
In Squid's response to curl. You can use curl tracing options or Wireshark
to see it. Squid access.log may have some clues as well.
Go Tuffy!
Alex.
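Alex's two points, that CONNECT transactions show up in access.log without SslBump and that the log may hold clues about the 503, can be checked with a small parser for Squid's native access.log format. This is an added example, not code from the thread or from the Squid project; apart from the line quoted above, the sample log lines are constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Squid's default "native" access.log layout (logformat squid):
#   %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d{3})\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

@dataclass
class Entry:
    when: datetime      # completion time of the transaction, UTC
    duration_ms: int
    client: str
    result: str         # Squid result code, e.g. TCP_MISS
    status: int         # HTTP status sent back to the client
    method: str
    url: str            # for CONNECT this is host:port, not a full URL
    hierarchy: str      # DIRECT, HIER_NONE, ...
    peer: str           # next-hop address, or "-" when none was reached

def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return Entry(
        when=datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc),
        duration_ms=int(m["ms"]), client=m["client"], result=m["result"],
        status=int(m["status"]), method=m["method"], url=m["url"],
        hierarchy=m["hier"], peer=m["peer"],
    )

def failed_connects(lines: List[str]) -> List[Entry]:
    """CONNECT tunnels that did not get a 2xx: what curl's '503 after CONNECT' looks like."""
    entries = (parse_line(line) for line in lines)
    return [e for e in entries
            if e and e.method == "CONNECT" and not 200 <= e.status < 300]

# Constructed sample: line 1 is the one quoted in the thread; lines 2 and 3 are
# made up (HIER_NONE/- on the 503 means Squid never reached a next hop).
SAMPLE = [
    "1565183014.309    230 127.0.0.1 TCP_MISS/200 62539 CONNECT entrepreneurship.ncsu.edu:443 - DIRECT/152.1.227.116 -",
    "1565183020.117      5 127.0.0.1 TCP_MISS/503 3936 CONNECT www.google.com:443 - HIER_NONE/- text/html",
    "1565183021.004     42 127.0.0.1 TCP_MISS/200 1187 GET http://example.com/ - DIRECT/203.0.113.5 text/html",
]

if __name__ == "__main__":
    for e in failed_connects(SAMPLE):
        print(f"{e.when:%Y-%m-%d %H:%M:%S} {e.client} CONNECT {e.url} -> "
              f"{e.result}/{e.status} via {e.hierarchy}/{e.peer}")
```

A peer of `-` with a non-2xx status on a CONNECT line tells you the failure happened before or at connection setup, which narrows where to look next.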