[squid-users] Is there a way on client to show proxy's certificate?

GeorgeShen g2011828 at hotmail.com
Sat Dec 21 19:34:42 UTC 2019


> how is port 3129 defined in squid.conf? 

ssl_bump peek step1
ssl_bump stare step2
ssl_bump bump all
http_port 3128
http_port 3129 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
options=SINGLE_DH_USE:SINGLE_ECDH_USE
tls-dh=prime256v1:/usr/local/squid/etc/dhparams.pem

BTW, the HTTPS/TLS bump through this server works. When using openssl
s_client, I get this result
(it says "no peer certificate available"):

$ openssl s_client -connect 192.168.1.35:3129 -showcerts
CONNECTED(00000003)
4659451500:error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version
number:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/ssl/ssl_pkt.c:386:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Start Time: 1576955529
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---



And if I run this openssl s_client on the proxy itself (it should use the same
version of openssl):

$ openssl s_client -connect 127.0.0.1:3129 -showcerts
CONNECTED(00000003)
140248349009560:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol:s23_clnt.c:827:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 311 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1576956256
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---


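Editor's note, added example (not from the thread or the Squid project): an ssl-bump http_port speaks plain HTTP first, so a bare openssl s_client connection sends a TLS ClientHello and reads back an HTTP reply, which OpenSSL reports as "wrong version number". The proxy only presents its generated certificate once a CONNECT has been accepted and TLS starts inside the tunnel. The script below does exactly that and returns the leaf certificate as PEM so it can be checked against myCA.pem; the proxy address is the one from the post, the target host example.com is an assumption.

```python
"""Show the certificate a bumping Squid http_port presents inside a CONNECT tunnel."""
import socket
import ssl

PROXY = ("192.168.1.35", 3129)   # proxy address quoted in the post
TARGET = ("example.com", 443)    # assumed target host behind the proxy


def build_connect(host: str, port: int) -> bytes:
    """Build the CONNECT request that opens a tunnel through the proxy."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()


def parse_connect_reply(data: bytes) -> int:
    """Return the status code from the proxy's CONNECT reply.

    A raw TLS record here (what a real https_port would send) is not an HTTP
    status line and raises ValueError instead of being mistaken for a tunnel.
    """
    head = data.partition(b"\r\n\r\n")[0]
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])


def read_headers(sock: socket.socket) -> bytes:
    """Read until the end of the CONNECT reply headers."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before replying")
        buf += chunk
    return buf


def fetch_bumped_cert_pem(proxy, target) -> str:
    """CONNECT through the proxy, start TLS in the tunnel, return the leaf cert as PEM."""
    raw = socket.create_connection(proxy, timeout=10)
    raw.sendall(build_connect(*target))
    status = parse_connect_reply(read_headers(raw))
    if status != 200:
        raise RuntimeError(f"CONNECT refused with status {status}")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # we want to see the bumped cert, not validate it
    ctx.verify_mode = ssl.CERT_NONE
    with ctx.wrap_socket(raw, server_hostname=target[0]) as tls:
        return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))


if __name__ == "__main__":
    print(fetch_bumped_cert_pem(PROXY, TARGET))
```

Pipe the output into `openssl x509 -noout -subject -issuer` and the issuer should be the subject of myCA.pem when the bump is working.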