[squid-users] Is there a way on client to show proxy's certificate?

Amos Jeffries squid3 at treenet.co.nz
Mon Dec 23 09:37:45 UTC 2019

On 23/12/19 7:26 pm, GeorgeShen wrote:
>> this is http port, speaking http.  This is not a https port, so you can't
>> speak https to it.  The difference between 3128 and 3129 is, when you issue
>> CONNECT request to 3129, squid tries to communicate using SSL as if it was
>> the destination server (or, whatever you configure in ssl_bump options).
>> if you want to talk to squid on port 443, you must configure https_port.
> because I'm doing the explicit proxy for https on this proxy server. If I
> configure
> "https_port 3129 ssl-bump ...",

That is port 3129, not port 443.

> then I get this error when doing the https
> proxy:
> 2019/12/22 22:07:15| FATAL: ssl-bump on https_port requires tproxy/intercept
> which is missing.
> So this to me means I can only configure https_port if I'm using the
> intercept method, which I'm not.

That is saying the "ssl-bump" flag requires "intercept" on that port

SSL-Bump is intercepting the TLS layer. It makes no sense for a client
to explicitly open TCP connections to Squid when trying to perform TLS
with a different server elsewhere.

> Or is there a way to listen on the https_port with explicit proxy?

There is. Remove the ssl-bump stuff from that https_port line. Configure
it with a regular server cert and key. What you have then is an
"explicit TLS proxy" - a proxy clients need to use TLS to communicate with.

>>> BTW, the https/TLS bump through this server works. when using the openssl
>>> s_client, get this result,
>>> (it says "no peer certificate available"):
>> this looks to me more like failure of setting up SSL protocol.
>> I really wonder whether something SSL related works at all.
>> you should check with:
>> openssl s_client -proxy -connect <host:port> -showcerts
>> on both squid ports to see the difference.
> The above command works for me, but I only get the certs from the real host,
> not the proxy server itself.

You seem(ed) to be in some confusion about what "the certs" actually
are. See my earlier response about that output.
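An added example, not part of this thread and not Squid's own code, that shows the two openssl s_client invocations Amos is distinguishing: connecting to the explicit TLS port itself (no -proxy, so no CONNECT) shows the proxy's own certificate, while -proxy sends a CONNECT to the plain http_port and then shows whatever the origin (or a bumping port) presents. So that it runs offline, a local "openssl s_server" stands in for a Squid https_port that has a certificate and key configured but no ssl-bump flag; the self-signed certificate, the name proxy.example.test and local port 14433 are constructed test material, and the script assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example (not from the thread or from Squid). A local openssl s_server
# plays the role of "https_port 3129" configured with a cert and key and
# WITHOUT ssl-bump. Assumed: openssl on PATH, local port 14433 unused.
set -eu

WORK=$(mktemp -d)
PORT=${PORT:-14433}          # assumption: a free local port
SERVER_PID=""

cleanup() {
  [ -n "$SERVER_PID" ] && kill "$SERVER_PID" 2>/dev/null
  rm -rf "$WORK"
  return 0
}
trap cleanup EXIT

# Self-signed certificate standing in for the proxy's own https_port
# certificate (constructed test material, CN=proxy.example.test).
make_proxy_cert() {
  [ -f "$WORK/proxy.crt" ] && return 0
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=proxy.example.test" \
    -keyout "$WORK/proxy.key" -out "$WORK/proxy.crt" >/dev/null 2>&1
}

# Plain TLS listener: the stand-in for an explicit TLS proxy port.
# -www keeps s_server off stdin so it can run in the background.
start_fake_proxy() {
  [ -n "$SERVER_PID" ] && return 0
  make_proxy_cert
  openssl s_server -accept "$PORT" -www \
    -cert "$WORK/proxy.crt" -key "$WORK/proxy.key" >/dev/null 2>&1 &
  SERVER_PID=$!
  for i in 1 2 3 4 5 6 7 8 9 10; do       # wait until the port accepts TLS
    openssl s_client -connect "127.0.0.1:$PORT" </dev/null >/dev/null 2>&1 && return 0
    sleep 1
  done
  echo "stand-in proxy did not start on port $PORT" >&2
  return 1
}

# 1) The proxy's OWN certificate: TLS straight to the https_port, no -proxy,
#    hence no CONNECT. This is the certificate the thread was asking about.
proxy_cert_fingerprint() {
  openssl s_client -connect "127.0.0.1:$PORT" -showcerts </dev/null 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256
}

# Fingerprint of the file we configured, to confirm the port serves it.
configured_cert_fingerprint() {
  openssl x509 -in "$WORK/proxy.crt" -noout -fingerprint -sha256
}

# 2) The ORIGIN's certificate as seen through the proxy: -proxy makes s_client
#    send "CONNECT origin:443" to the proxy's plain http_port and then do TLS
#    with the origin. Needs a real Squid, so it is defined but not run here.
origin_cert_via_proxy() {
  proxy=$1; origin=$2
  openssl s_client -proxy "$proxy" -connect "$origin:443" -showcerts </dev/null 2>/dev/null |
    openssl x509 -noout -subject -issuer
}

# Returns 0 when the certificate served on the port is the configured one.
run_demo() {
  start_fake_proxy
  served=$(proxy_cert_fingerprint)
  configured=$(configured_cert_fingerprint)
  echo "served by port $PORT: $served"
  echo "configured cert file: $configured"
  [ "$served" = "$configured" ]
}

run_demo
```

Against a real Squid the same two calls separate the cases in the thread: `openssl s_client -connect proxy:3129 -showcerts` (the https_port, no ssl-bump, a regular cert and key; Squid 4 spells the options `tls-cert=` and `tls-key=`, Squid 3 `cert=` and `key=`) shows the proxy's certificate, while `origin_cert_via_proxy proxy:3128 www.example.org` shows the origin's certificate. If that port is bumping, the issuer printed by the second call is Squid's signing CA rather than the origin's real issuer, which is the quickest way to tell the two apart.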

