<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
A colleague provided this squid.conf and now HTTPS is working fine with curl as well!<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<span>visible_hostname localhost<br>
</span>
<div><br>
</div>
<div># Handling HTTP requests<br>
</div>
<div>http_port 3128<br>
</div>
<div>http_port 3129 intercept<br>
</div>
<div><br>
</div>
<div>acl allowed_http_sites dstdomain .microsoft.com<br>
</div>
<div>acl allowed_http_sites dstdomain .google.com<br>
</div>
<div>acl allowed_http_sites dstdomain .redhat.com<br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>http_access allow allowed_http_sites<br>
</div>
<div><br>
</div>
<div># Handling HTTPS requests<br>
</div>
<div>acl SSL_port port 443<br>
</div>
<div>http_access allow SSL_port<br>
</div>
<div><br>
</div>
<div>acl allowed_https_sites ssl::server_name .microsoft.com<br>
</div>
<div>acl allowed_https_sites ssl::server_name .google.com<br>
</div>
<div>acl allowed_https_sites ssl::server_name .redhat.com<br>
</div>
<div><br>
</div>
<div>https_port 3130 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key<br>
</div>
<div><br>
</div>
<div>acl step1 at_step SslBump1<br>
</div>
<div>acl step2 at_step SslBump2<br>
</div>
<div>acl step3 at_step SslBump3<br>
</div>
<div><br>
</div>
<div>ssl_bump peek step1 all<br>
</div>
<div>ssl_bump peek step2 allowed_https_sites<br>
</div>
<div>ssl_bump splice step3 allowed_https_sites<br>
</div>
<div>ssl_bump terminate<br>
</div>
<div><br>
</div>
<span>http_access deny all</span><br>
</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> squid-users &lt;squid-users-bounces@lists.squid-cache.org&gt; on behalf of Alex Rousskov &lt;rousskov@measurement-factory.com&gt;<br>
<b>Sent:</b> Wednesday, November 20, 2019 17:43<br>
<b>To:</b> squid-users@lists.squid-cache.org &lt;squid-users@lists.squid-cache.org&gt;<br>
<b>Subject:</b> Re: [squid-users] squid 4.1 transparent https issue "curl: (60) SSL certificate problem: self signed certificate in certificate chain"</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">On 11/20/19 3:31 AM, Berger J Nicklas wrote:<br>
<br>
> squid 4.1<br>
<br>
Start by upgrading to the latest Squid v4 available.<br>
<br>
<br>
> curl: (60) SSL certificate problem: self signed certificate in<br>
> certificate chain<br>
<br>
What was Squid trying to tell curl? Was Squid sending an error response?<br>
Tell curl to run --insecure to find out what happened.<br>
<br>
<br>
> security_file_certgen helper database '/var/spool/squid/ssl_db' failed:<br>
> Failed to open file /var/spool/squid/ssl_db/index.txt<br>
<br>
You should fix this. Perhaps you did not initialize the database (see<br>
"man security_file_certgen")? Or perhaps the permissions are wrong<br>
(check them using something like "ls -Rla /var/spool/squid/ssl_db")?<br>
<br>
> acl allowed_http_sites dstdomain .microsoft.com<br>
> acl allowed_http_sites dstdomain .google.com<br>
> acl allowed_http_sites dstdomain .redhat.com<br>
<br>
> http_access allow allowed_http_sites Safe_ports<br>
<br>
This allows CONNECT to port 80, which is probably not what you want. See<br>
squid.conf.default for the recommended layout of https_access rules.<br>
<br>
<br>
> #SSL Settings<br>
> acl allowed_https_sites dstdomain .microsoft.com<br>
<br>
Do not add one site twice.<br>
<br>
<br>
> http_access allow CONNECT allowed_https_sites<br>
<br>
This allows CONNECT to any port of the allowed_https_sites. See<br>
squid.conf.default for the recommended layout of https_access rules.<br>
<br>
<br>
> options=SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=/etc/squid/dhparam.pem<br>
<br>
A copy-paste typo? There is no "options=..." directive.<br>
<br>
<br>
> http_access deny all<br>
> http_access deny !Safe_ports<br>
> http_access deny CONNECT !SSL_ports<br>
<br>
The last two lines are unreachable. You probably want to review how<br>
http_access (and most other) ACL-driven directives work, including the<br>
"first match ends the search" rule.<br>
<br>
> ssl_bump peek step1 all<br>
> ssl_bump peek step2 allowed_https_sites<br>
> ssl_bump splice step2 allowed_https_sites<br>
> ssl_bump splice step3 allowed_https_sites<br>
> ssl_bump terminate step2 all<br>
> ssl_bump bump all<br>
<br>
To learn how ssl_bump rules work, please see<br>
<a href="https://wiki.squid-cache.org/Features/SslPeekAndSplice">https://wiki.squid-cache.org/Features/SslPeekAndSplice</a><br>
<br>
AFAICT, the above rules are equivalent to:<br>
<br>
ssl_bump peek step1<br>
ssl_bump peek step2 allowed_https_sites<br>
ssl_bump terminate step2<br>
ssl_bump splice all<br>
<br>
or, roughly speaking, "splice allowed_https_sites (after peeking at<br>
their server) and terminate everything else (ASAP)"<br>
<br>
... which is rather different from what the original rules may have<br>
tried to accomplish (whatever that was).<br>
<br>
<br>
HTH,<br>
<br>
Alex.<br>
_______________________________________________<br>
squid-users mailing list<br>
squid-users@lists.squid-cache.org<br>
<a href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a><br>
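The "first match ends the search" rule and the claimed equivalence of the ssl_bump rulesets above (the original one, Alex's four-line rewrite, and the colleague's config at the top of the thread) can be checked with a small model of Squid's per-step evaluation. This is an added illustration, not Squid's code and not from anyone in the thread; it assumes ssl::server_name is unknown at SslBump1, that peek advances to the next step, and that Squid splices when no rule matches.

```python
# Constructed model of Squid's first-match ssl_bump evaluation, not Squid's own code.
# Assumed: ssl::server_name is unknown at SslBump1 (nothing peeked yet); 'peek' at step N
# advances to step N+1; splice/terminate/bump end the evaluation; splice if nothing matches.
ALLOWED = (".microsoft.com", ".google.com", ".redhat.com")   # the allowed_https_sites ACL

def parse(lines):
    """Each entry is an ssl_bump rule without the directive name: 'ACTION [acl ...]'."""
    return [(p[0], p[1:]) for p in (line.split() for line in lines)]

def rule_matches(acls, step, server_name):
    """Every ACL on the rule must match; a rule with no ACLs (or just 'all') always does."""
    for acl in acls:
        if acl.startswith("step") and int(acl[4:]) != step:
            return False                   # at_step ACL for a different step
        if acl == "allowed_https_sites" and not (server_name and any(
                server_name == s[1:] or server_name.endswith(s) for s in ALLOWED)):
            return False                   # server name unknown or not in the list
    return True

def evaluate(rules, sni):
    """Return (final_action, deciding_step, [(step, rule_index) selected at each step])."""
    trace = []
    for step in (1, 2, 3):
        server_name = sni if step >= 2 else None   # SNI is only available after step 1
        action = "splice"                           # assumed default when no rule matches
        for idx, (act, acls) in enumerate(rules):
            if rule_matches(acls, step, server_name):
                action = act
                trace.append((step, idx))
                break                               # first match ends the search
        if action in ("splice", "terminate", "bump"):
            return action, step, trace
    raise ValueError("peek/stare cannot be the final action at SslBump3")

def unreachable(rules, snis):
    """Indices of rules that are never selected for any of the given server names."""
    used = {idx for sni in snis for _, idx in evaluate(rules, sni)[2]}
    return [i for i in range(len(rules)) if i not in used]

ORIGINAL = parse(["peek step1 all", "peek step2 allowed_https_sites",
                  "splice step2 allowed_https_sites", "splice step3 allowed_https_sites",
                  "terminate step2 all", "bump all"])
SIMPLIFIED = parse(["peek step1", "peek step2 allowed_https_sites", "terminate step2", "splice all"])
COLLEAGUE = parse(["peek step1 all", "peek step2 allowed_https_sites",
                   "splice step3 allowed_https_sites", "terminate"])

if __name__ == "__main__":
    for sni in ("www.redhat.com", "example.org"):
        print(sni, [evaluate(r, sni)[:2] for r in (ORIGINAL, SIMPLIFIED, COLLEAGUE)])
    print("never selected in ORIGINAL:", unreachable(ORIGINAL, ["www.redhat.com", "example.org"]))
```

For the original ruleset the model reports rules 2 ("splice step2 ...", shadowed by the peek on the line before it) and 5 ("bump all") as never selected, which is exactly what the four-line rewrite drops.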
</div>
</span></font></div>
</body>
</html>