[squid-users] Is there a way on client to show proxy's certificate?

Matus UHLAR - fantomas uhlar at fantomas.sk
Sun Dec 22 12:56:49 UTC 2019


>> how is port 3129 defined in squid.conf?

On 21.12.19 13:34, GeorgeShen wrote:
>ssl_bump peek step1
>ssl_bump stare step2
>ssl_bump bump all
>http_port 3128
>http_port 3129 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem
>generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>options=SINGLE_DH_USE:SINGLE_ECDH_USE
>tls-dh=prime256v1:/usr/local/squid/etc/dhparams.pem

this is an http port, speaking http.  This is not an https port, so you can't
speak https to it.  The difference between 3128 and 3129 is, when you issue a
CONNECT request to 3129, squid tries to communicate using SSL as if it was
the destination server (or whatever you configure in the ssl_bump options).

if you want to talk to squid on port 443, you must configure an https_port.

>BTW, the https/TLS bump through this server works. when using the openssl
>s_client, get this result,
>(it says "no peer certificate available"):

this looks to me more like a failure of setting up the SSL protocol.
I really wonder whether anything SSL related works at all.

you should check with:

openssl s_client -proxy 192.168.1.35:3129 -connect <host:port> -showcerts

on both squid ports to see the difference.


>$ openssl s_client -connect 192.168.1.35:3129 -showcerts
>CONNECTED(00000003)
>4659451500:error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/ssl/ssl_pkt.c:386:
>---
>no peer certificate available
>---
>No client certificate CA names sent
>---
>SSL handshake has read 5 bytes and written 0 bytes
>---
>New, (NONE), Cipher is (NONE)
>Secure Renegotiation IS NOT supported
>Compression: NONE
>Expansion: NONE
>No ALPN negotiated
>SSL-Session:
>    Protocol  : TLSv1.2
>    Cipher    : 0000
>    Session-ID:
>    Session-ID-ctx:
>    Master-Key:
>    Start Time: 1576955529
>    Timeout   : 7200 (sec)
>    Verify return code: 0 (ok)
>---
>
>and if I run this openssl s_client on the proxy itself (should use the same
>version of openssl):
>
>$ openssl s_client -connect 127.0.0.1:3129 -showcerts
>CONNECTED(00000003)
>140248349009560:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:827:
>---
>no peer certificate available
>---
>No client certificate CA names sent
>---
>SSL handshake has read 7 bytes and written 311 bytes
>---
>New, (NONE), Cipher is (NONE)
>Secure Renegotiation IS NOT supported
>Compression: NONE
>Expansion: NONE
>No ALPN negotiated
>SSL-Session:
>    Protocol  : TLSv1.2
>    Cipher    : 0000
>    Session-ID:
>    Session-ID-ctx:
>    Master-Key:
>    Key-Arg   : None
>    PSK identity: None
>    PSK identity hint: None
>    SRP username: None
>    Start Time: 1576956256
>    Timeout   : 300 (sec)
>    Verify return code: 0 (ok)
>---
>
>--
>Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
>_______________________________________________
>squid-users mailing list
>squid-users at lists.squid-cache.org
>http://lists.squid-cache.org/listinfo/squid-users

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
(R)etry, (A)bort, (C)ancer