[squid-users] Is there a way on client to show proxy's certificate?

Amos Jeffries squid3 at treenet.co.nz
Mon Dec 23 09:37:45 UTC 2019 

On 23/12/19 7:26 pm, GeorgeShen wrote:
>> this is http port, speaking http.  This is not a https port, so you can't
>> speak https to it.  The difference between 3128 and 3129 is, when you issue
>> CONNECT request to 3129, squid tries to communicate using SSL as if it was
>> the destination server (or, whatever you configure in ssl_bump options).
> 
>> if you want to talk to squid on port 443, you must configure https_port.
> 
> because I'm doing the explicit proxy for https on this proxy server. if I
> configure
> "https_port 3129 ssl-bump ...",

That is port 3129, not port 443.


> then I get this error when doing the https
> proxy:
> 
> 2019/12/22 22:07:15| FATAL: ssl-bump on https_port requires tproxy/intercept
> which is missing.
> 
> so this to me means, i can only configure https_port if I'm using the
> intercept method, which I'm not.

That is saying the "ssl-bump" flag requires "intercept" on that port
directive.

SSL-Bump is intercepting the TLS layer. It makes no sense for a client
to explicitly open TCP connections to Squid when trying to perform TLS
with a different server elsewhere.


> Or is there a way to listern to the https_port with explicit proxy?

There is. Remove the ssl-bump stuff from that https_port line. Configure
it with a regular server cert and key. What you have then is an
"explicit TLS proxy" - a proxy clients need to use TLS to communicate with.


> 
>>> BTW, the https/TLS bump through this server works. when using the openssl
>>> s_client, get this result,
>>> (it says "no peer certificate available"):
> 
>> this looks to me more like failure of setting up SSL protocol.
>> I really wonder something SSL related works  at all.
>> you should check with:
>>
>> openssl s_client -proxy 192.168.1.35:3129 -connect <host:port> -showcerts
>>
>> on both squid ports to see the difference.
> 
> The above command works for me, but I only get the certs from the real host,
> not the proxy server itself.


You seem(ed) to be in some confusion about what "the certs" actually
are. See my earlier response about that output.

Amos

More information about the squid-users mailing list