[squid-users] Is there a way on client to show proxy's certificate?

GeorgeShen g2011828 at hotmail.com
Tue Dec 24 02:57:03 UTC 2019


>That is saying the "ssl-bump" flag requires "intercept" on that port
>directive.
>
>SSL-Bump is intercepting the TLS layer. It makes no sense for a client
>to explicitly open TCP connections to Squid when trying to perform TLS
>with a different server elsewhere.

But my proxy's purpose is to do the 'SSL-BUMP', with my config:

ssl_bump peek step1
ssl_bump stare step2
ssl_bump bump all
acl SSL_ports port 443
acl CONNECT method CONNECT
http_port 3128
http_port 3129 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB options=SINGLE_DH_USE:SINGLE_ECDH_USE tls-dh=prime256v1:/usr/local/squid/etc/dhparams.pem

The ssl-bump through this proxy seems to work. Am I doing this incorrectly?

>
>> Or is there a way to listen on the https_port with explicit proxy?
>
>There is. Remove the ssl-bump stuff from that https_port line. Configure
>it with a regular server cert and key. What you have then is an
>"explicit TLS proxy" - a proxy clients need to use TLS to communicate with.

If I change the above configuration to the following (still wanting to do the ssl-bump operation):

http_port 3128
https_port 3129 cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB options=SINGLE_DH_USE:SINGLE_ECDH_USE tls-dh=prime256v1:/usr/local/squid/etc/dhparams.pem

then wget cannot get through this proxy:
$ export https_proxy=192.168.1.35:3129
$ wget https://www.cnn.com
--2019-12-23 14:34:22--  https://www.cnn.com/
Connecting to 192.168.1.35:3129... connected.
Failed reading proxy response: Connection reset by peer
Retrying.

Did I configure it wrong?

Thanks.
- George
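The subject line asks how a client can see the proxy's certificate. The script below is an added example written for this thread; it is not code from the thread, from Squid, or from the poster. It builds a throwaway CA standing in for myCA.pem and mints a leaf for www.cnn.com signed by it, the way generate-host-certificates=on does for every bumped site, then shows the client-side check: if the leaf presented for a host chains to the proxy's CA, the proxy bumped that connection. The function and CA names, the serial number and the temporary paths are my own choices; the proxy address 192.168.1.35:3128 and the host www.cnn.com are the ones from the thread and only appear in the network helper, which is not run unless you pass a proxy and host on the command line.

```shell
#!/bin/sh
# Added example for the squid-users thread (not Squid's code, not the poster's).
# The CA and the www.cnn.com leaf generated here are constructed stand-ins for
# myCA.pem and for the certificates a bumping Squid mints on the fly.
set -eu

# Create a throwaway CA in dir $1 with common name $2 (plays the role of myCA.pem).
make_bump_ca() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$1/ca.ext"
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1/ca.key" -out "$1/ca.csr" -subj "/CN=$2" 2>/dev/null
    openssl x509 -req -in "$1/ca.csr" -signkey "$1/ca.key" -days 1 \
        -extfile "$1/ca.ext" -out "$1/ca.pem" 2>/dev/null
}

# Mint a leaf for hostname $3 into dir $2, signed by the CA in dir $1.
# This imitates what generate-host-certificates=on does per bumped site.
make_bumped_leaf() {
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$3" >"$2/leaf.ext"
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$2/leaf.key" -out "$2/leaf.csr" -subj "/CN=$3" 2>/dev/null
    openssl x509 -req -in "$2/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -set_serial 4242 -days 1 -extfile "$2/leaf.ext" -out "$2/leaf.pem" 2>/dev/null
}

# Return 0 when leaf $2 chains to CA file $1 (the proxy bumped it), non-zero otherwise.
# openssl verify does the chain building and signature check for us.
issued_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print subject and issuer of the leaf the proxy at $1 (host:port) hands out for $2.
# -proxy sends a plaintext HTTP CONNECT to the Squid http_port, then starts TLS
# for the target (OpenSSL 1.1.0 or newer). Needs a network, so the demo does not call it.
show_cert_via_proxy() {
    openssl s_client -proxy "$1" -connect "$2:443" -servername "$2" -showcerts \
        </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer
}

# Stand-alone demo on constructed material: one bump CA, one unrelated CA, one leaf.
work=$(mktemp -d)
mkdir "$work/bump" "$work/other"
make_bump_ca "$work/bump"  "Squid bump CA"
make_bump_ca "$work/other" "Some public CA"
make_bumped_leaf "$work/bump" "$work" www.cnn.com
openssl x509 -in "$work/leaf.pem" -noout -subject -issuer
if issued_by_ca "$work/bump/ca.pem" "$work/leaf.pem"; then
    echo "leaf chains to the bump CA: this host was bumped by the proxy"
fi
if ! issued_by_ca "$work/other/ca.pem" "$work/leaf.pem"; then
    echo "leaf does not chain to the unrelated CA"
fi
# Against a live proxy: ./this.sh 192.168.1.35:3128 www.cnn.com
if [ $# -ge 2 ]; then show_cert_via_proxy "$1" "$2"; fi
```

Against a bumping http_port, show_cert_via_proxy prints the forged leaf with myCA.pem's subject as its issuer, and issued_by_ca with myCA.pem as the CA file returns 0 for it. Against an https_port it cannot work: s_client's -proxy, like wget's https_proxy handling, sends the CONNECT in plaintext, and a TLS listener drops that, which is the "Connection reset by peer" seen in the post. A client that speaks TLS to the proxy first is needed for that listener, for example curl with --proxy https://192.168.1.35:3129 and --proxy-cacert pointing at the proxy's CA.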

--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
