<html><head></head><body><div style="color:#000; background-color:#fff; font-family:Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:13px"><div id="yui_3_16_0_ym19_1_1492518293756_49171" dir="ltr"><span id="yui_3_16_0_ym19_1_1492518293756_49209">So anyone who wants to use Squid over HTTPS in this way has to build this repository themselves by manually downloading all the CA bundles?</span></div><div id="yui_3_16_0_ym19_1_1492518293756_49172"><br></div><div class="yahoo_quoted" id="yui_3_16_0_ym19_1_1492518293756_49251" style="display: block;"> <div style="font-family: Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 13px;" id="yui_3_16_0_ym19_1_1492518293756_49250"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif; font-size: 16px;" id="yui_3_16_0_ym19_1_1492518293756_49249"> <div dir="ltr" id="yui_3_16_0_ym19_1_1492518293756_49259"> <font size="2" face="Arial" id="yui_3_16_0_ym19_1_1492518293756_49258"> <hr size="1" id="yui_3_16_0_ym19_1_1492518293756_49260"> <b><span style="font-weight:bold;">From:</span></b> Yuri &lt;yvoinov@gmail.com&gt;<br> <b><span style="font-weight: bold;">To:</span></b> Olly Lennox &lt;oliver@lennox-it.uk&gt;; "squid-users@lists.squid-cache.org" &lt;squid-users@lists.squid-cache.org&gt; <br> <b><span style="font-weight: bold;">Sent:</span></b> Tuesday, 18 April 2017, 14:03<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [squid-users] HTTPS woes<br> </font> </div> <div class="y_msg_container" id="yui_3_16_0_ym19_1_1492518293756_49248"><br><div id="yiv7898254183"><div id="yui_3_16_0_ym19_1_1492518293756_49247">
<div id="yui_3_16_0_ym19_1_1492518293756_49257"><br clear="none">
</div>
<br clear="none">
<div class="yiv7898254183moz-cite-prefix" id="yui_3_16_0_ym19_1_1492518293756_49256">18.04.2017 18:56, Olly Lennox wrote:<br clear="none">
</div>
<blockquote type="cite" id="yui_3_16_0_ym19_1_1492518293756_49253">
<div style="color:#000;background-color:#fff;font-family:Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:13px;" id="yui_3_16_0_ym19_1_1492518293756_49252">
<div dir="ltr" id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14933"><span>I'm
using </span></div>
<div dir="ltr" id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14933"><br clear="none">
</div>
<div dir="ltr" id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14933">sslproxy_foreign_intermediate_certs</div>
<div dir="ltr" id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14933"><br clear="none">
</div>
<div dir="ltr" id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14933">Is
this the same thing? <br clear="none">
</div>
</div>
</blockquote>
No. You first need the CA roots to be available to Squid. CA roots and
intermediates are different things.<br clear="none">
<blockquote type="cite" id="yui_3_16_0_ym19_1_1492518293756_49255">
<div style="color:#000;background-color:#fff;font-family:Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:13px;" id="yui_3_16_0_ym19_1_1492518293756_49254">
<div dir="ltr" id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14933"><br clear="none">
</div>
<div dir="ltr" id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14933">Also,
is there anywhere to get a bundle of all the major CA
intermediate certs, or do you have to download them all
manually?</div>
</div>
</blockquote>
No. You should build it yourself.<div class="yiv7898254183yqt6360993177" id="yiv7898254183yqtfd66056"><br clear="none">
<blockquote type="cite" id="yui_3_16_0_ym19_1_1492518293756_49262">
<div style="color:#000;background-color:#fff;font-family:Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:13px;" id="yui_3_16_0_ym19_1_1492518293756_49261">
<div dir="ltr" id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14933"><br clear="none">
</div>
<div dir="ltr" id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14933">Cheers,</div>
<div id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14934"> </div>
<div class="yiv7898254183signature" id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14906"><a rel="nofollow" shape="rect" class="yiv7898254183moz-txt-link-abbreviated" ymailto="mailto:oliver@lennox-it.uk" target="_blank" href="mailto:oliver@lennox-it.uk" id="yui_3_16_0_ym19_1_1492518293756_49263">oliver@lennox-it.uk</a><br clear="none">
<a rel="nofollow" shape="rect" target="_blank" href="http://lennox-it.uk/">lennox-it.uk</a><br clear="none">
tel: 07900 648 252</div>
<div class="yiv7898254183qtdSeparateBR" id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14935"><br clear="none">
<br clear="none">
</div>
<div class="yiv7898254183yahoo_quoted" id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14881" style="display:block;">
<div id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14880" style="font-family:Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:13px;">
<div id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14879" style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif;font-size:16px;">
<div dir="ltr" id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14905">
<font id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14904" face="Arial" size="2">
</font><hr id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14936" size="1"> <b><span style="font-weight:bold;">From:</span></b>
Yuri <a rel="nofollow" shape="rect" class="yiv7898254183moz-txt-link-rfc2396E" ymailto="mailto:yvoinov@gmail.com" target="_blank" href="mailto:yvoinov@gmail.com" id="yui_3_16_0_ym19_1_1492518293756_49264">&lt;yvoinov@gmail.com&gt;</a><br clear="none">
<b><span style="font-weight:bold;">To:</span></b>
<a rel="nofollow" shape="rect" class="yiv7898254183moz-txt-link-abbreviated" ymailto="mailto:squid-users@lists.squid-cache.org" target="_blank" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a> <br clear="none">
<b><span style="font-weight:bold;">Sent:</span></b>
Tuesday, 18 April 2017, 13:51<br clear="none">
<b><span style="font-weight:bold;">Subject:</span></b>
Re: [squid-users] HTTPS woes<br clear="none">
</div>
<div class="yiv7898254183y_msg_container" id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14878"><br clear="none">
<div dir="ltr" id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14877">Try to
specify the root CA bundle/dir explicitly by setting
one of these <br clear="none">
params:<br clear="none">
<br clear="none">
<br clear="none">
# TAG: sslproxy_cafile<br clear="none">
# file containing CA certificates to use when verifying server<br clear="none">
# certificates while proxying https:// URLs<br clear="none">
#Default:<br clear="none">
# none<br clear="none">
<br clear="none">
# TAG: sslproxy_capath<br clear="none">
# directory containing CA certificates to use when verifying<br clear="none">
# server certificates while proxying https:// URLs<br clear="none">
#Default:<br clear="none">
# none<br clear="none">
<br clear="none">
<br clear="none">
<br clear="none">
18.04.2017 18:46, Olly Lennox wrote:<br clear="none">
> Hi All,<br clear="none">
><br clear="none">
> Still having problems here. This is my https
config now:<br clear="none">
><br clear="none">
><br clear="none">
> ---------------------------------<br clear="none">
> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squid.crt key=/etc/squid3/ssl_cert/squid.key options=NO_SSLv3 dhparams=/etc/squid3/ssl_cert/dhparam.pem<br clear="none">
><br clear="none">
> acl step1 at_step SslBump1<br clear="none">
> ssl_bump peek step1<br clear="none">
> ssl_bump bump all<br clear="none">
> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE<br clear="none">
> sslproxy_cipher
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS<br clear="none">
><br clear="none">
> sslcrtd_program /usr/lib/squid3/ssl_crtd -s
/var/lib/ssl_db -M 4MB<br clear="none">
> sslcrtd_children 8 startup=1 idle=1<br clear="none">
><br clear="none">
> ---------------------------------<br clear="none">
><br clear="none">
><br clear="none">
> I'm running version 3.5.23 with openssl 1.0. I've
had to disable libecap because I couldn't build 3.5
with ecap enabled. I'm getting the following error
when trying to connect with SSL:<br clear="none">
><br clear="none">
> ---------------------------------<br clear="none">
><br clear="none">
> The following error was encountered while trying
to retrieve the URL: <a rel="nofollow" shape="rect" target="_blank" href="https://www.google.co.uk/*">https://www.google.co.uk/*</a><br clear="none">
><br clear="none">
> Failed to establish a secure connection to
216.58.198.67<br clear="none">
><br clear="none">
> The system returned:<br clear="none">
><br clear="none">
> (71) Protocol error (TLS code:
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)<br clear="none">
> SSL Certficate error: certificate issuer (CA) not
known: /C=US/O=Equifax/OU=Equifax Secure Certificate
Authority<br clear="none">
><br clear="none">
> This proxy and the remote host failed to
negotiate a mutually acceptable security settings for
handling your request. It is possible that the remote
host does not support secure connections, or the proxy
is not satisfied with the host security credentials.<br clear="none">
><br clear="none">
> Your cache administrator is webmaster.<br clear="none">
><br clear="none">
> Generated Tue, 18 Apr 2017 12:23:40 GMT by
raspberrypi (squid/3.5.23)<br clear="none">
> ---------------------------------<br clear="none">
><br clear="none">
> The CA is always listed as not known; no matter
what site I try, I always get this error.<br clear="none">
><br clear="none">
> Any ideas?<br clear="none">
><br clear="none">
> Thanks,<br clear="none">
><br clear="none">
> Olly<br clear="none">
><br clear="none">
> ________________________________<br clear="none">
> From: Olly Lennox &lt;<a rel="nofollow" shape="rect" ymailto="mailto:oliver@lennox-it.uk" target="_blank" href="mailto:oliver@lennox-it.uk">oliver@lennox-it.uk</a>&gt;<br clear="none">
> To: Amos Jeffries &lt;<a rel="nofollow" shape="rect" ymailto="mailto:squid3@treenet.co.nz" target="_blank" href="mailto:squid3@treenet.co.nz">squid3@treenet.co.nz</a>&gt;;
"<a rel="nofollow" shape="rect" ymailto="mailto:squid-users@lists.squid-cache.org" target="_blank" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>"
&lt;<a rel="nofollow" shape="rect" ymailto="mailto:squid-users@lists.squid-cache.org" target="_blank" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>&gt;<br clear="none">
> Sent: Sunday, 16 April 2017, 9:31<br clear="none">
> Subject: Re: [squid-users] HTTPS woes<br clear="none">
><br clear="none">
><br clear="none">
><br clear="none">
> Thanks Amos, it's finally built, but I had to
disable ecap; for whatever reason this kept failing
(with version 1.0.1 installed). It failed on a
reference to the Area function I think, but I don't
have the error message copied. I'm trying now to
configure the ssl stare/peek and will let you know how
it goes.<br clear="none">
><br clear="none">
> Olly<br clear="none">
> <br clear="none">
> <a rel="nofollow" shape="rect" ymailto="mailto:oliver@lennox-it.uk" target="_blank" href="mailto:oliver@lennox-it.uk">oliver@lennox-it.uk</a><br clear="none">
> lennox-it.uk<br clear="none">
> tel: 07900 648 252<br clear="none">
><br clear="none">
><br clear="none">
><br clear="none">
> ________________________________<br clear="none">
> From: Amos Jeffries &lt;<a rel="nofollow" shape="rect" ymailto="mailto:squid3@treenet.co.nz" target="_blank" href="mailto:squid3@treenet.co.nz">squid3@treenet.co.nz</a>&gt;<br clear="none">
> To: <a rel="nofollow" shape="rect" ymailto="mailto:squid-users@lists.squid-cache.org" target="_blank" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br clear="none">
> Sent: Saturday, 15 April 2017, 23:07<br clear="none">
> Subject: Re: [squid-users] HTTPS woes<br clear="none">
><br clear="none">
><br clear="none">
><br clear="none">
> On 15/04/2017 9:59 a.m., Olly Lennox wrote:<br clear="none">
>> Hi Guys.<br clear="none">
>> I'm still struggling with this. I'm trying to
build a version of 3.5 but I just can't get it to
work. I'm currently attempting to rebuild the stretch
package with SSL enabled but build keeps failing with
the following:<br clear="none">
>> ../../src/ssl/gadgets.h:83:45: error: ‘CRYPTO_LOCK_X509’ was not declared in this scope<br clear="none">
>> typedef LockingPointer&lt;X509, X509_free_cpp, CRYPTO_LOCK_X509&gt; X509_Pointer;<br clear="none">
>> ^~~~~~~~~~~~~~~~<br clear="none">
>> ../../src/ssl/gadgets.h:83:61: error: template argument 3 is invalid<br clear="none">
>> typedef LockingPointer&lt;X509, X509_free_cpp, CRYPTO_LOCK_X509&gt; X509_Pointer;<br clear="none">
>> ^<br clear="none">
>> ../../src/ssl/gadgets.h:89:53: error: ‘CRYPTO_LOCK_EVP_PKEY’ was not declared in this scope<br clear="none">
>> typedef LockingPointer&lt;EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY&gt; EVP_PKEY_Pointer;<br clear="none">
>> ^~~~~~~~~~~~~~~~~~~~<br clear="none">
>> ../../src/ssl/gadgets.h:89:73: error: template argument 3 is invalid<br clear="none">
>> typedef LockingPointer&lt;EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY&gt; EVP_PKEY_Pointer;<br clear="none">
>> ^<br clear="none">
>> ../../src/ssl/gadgets.h:116:43: error: ‘CRYPTO_LOCK_SSL’ was not declared in this scope<br clear="none">
>> typedef LockingPointer&lt;SSL, SSL_free_cpp, CRYPTO_LOCK_SSL&gt; SSL_Pointer;<br clear="none">
>> ^~~~~~~~~~~~~~~<br clear="none">
>> ../../src/ssl/gadgets.h:116:58: error: template argument 3 is invalid<br clear="none">
>> typedef LockingPointer&lt;SSL, SSL_free_cpp, CRYPTO_LOCK_SSL&gt; SSL_Pointer;<br clear="none">
>> ^<br clear="none">
>> Any ideas?<br clear="none">
><br clear="none">
><br clear="none">
> On Jessie/stable:<br clear="none">
><br clear="none">
> apt-get build-dep squid3<br clear="none">
> apt-get install libssl-dev<br clear="none">
><br clear="none">
><br clear="none">
> On stretch/testing/unstable:<br clear="none">
><br clear="none">
> apt-get build-dep squid<br clear="none">
> apt-get install libssl1.0-dev<br clear="none">
><br clear="none">
><br clear="none">
> That should do it for you.<br clear="none">
><br clear="none">
> Amos<br clear="none">
><br clear="none">
><br clear="none">
> _______________________________________________<br clear="none">
> squid-users mailing list<br clear="none">
> <a rel="nofollow" shape="rect" ymailto="mailto:squid-users@lists.squid-cache.org" target="_blank" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br clear="none">
> <a rel="nofollow" shape="rect" target="_blank" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a><br clear="none">
><br clear="none">
><br clear="none">
><br clear="none">
<div class="yiv7898254183yqt8677547277" id="yiv7898254183yqtfd81681"><br clear="none">
</div>
</div>
<br clear="none">
<br clear="none">
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br clear="none">
</div></div></div><br><br></div> </div> </div> </div></div></body></html>