<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></head><body style='font-size: 10pt; font-family: Verdana,Geneva,sans-serif'>
<p>- OS version</p>
<p>Description: Ubuntu Jammy Jellyfish (development branch)<br />Release: 22.04<br />Codename: jammy</p>
<p>I couldn't use Ubuntu server 20.04 LTS focal fossa because the squid-OpenSSL package was unavailable for that release.</p>
<p>===</p>
<p>- Squid -v output</p>
<p>Squid Cache: Version 5.2 </p>
<p>This binary uses OpenSSL 3.0.1 14 Dec 2021. configure options: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' 'BUILDCXXFLAGS=-g -O2 -ffile-prefix-map=/build/squid-V7aRc2/squid-5.2=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now ' 'BUILDCXX=g++' '--with-build-environment=default' '--enable-build-info=Ubuntu linux' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,SMB_LM' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,time_quota,unix_group,wbinfo_group' '--enable-security-cert-validators=fake' '--enable-storeid-rewrite-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/run/squid.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' '--with-systemd' '--with-openssl' '--enable-ssl-crtd' 
'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -ffile-prefix-map=/build/squid-V7aRc2/squid-5.2=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now ' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -ffile-prefix-map=/build/squid-V7aRc2/squid-5.2=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security'</p>
<p>===</p>
<p>- squid.conf</p>
<p># ACL<br />acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)<br />acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)<br />acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)<br />acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines<br />acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)<br />acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)<br />acl localnet src fc00::/7 # RFC 4193 local private network range<br />acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines<br />acl SSL_ports port 443 # httpssl<br />acl Safe_ports port 80 # http<br />acl Safe_ports port 21 # ftp<br />acl Safe_ports port 443 # https<br />acl Safe_ports port 70 # gopher<br />acl Safe_ports port 210 # wais<br />acl Safe_ports port 1025-65535 # unregistered ports<br />acl Safe_ports port 280 # http-mgmt<br />acl Safe_ports port 488 # gss-http<br />acl Safe_ports port 591 # filemaker<br />acl Safe_ports port 777 # multiling http<br />acl CONNECT method CONNECT<br />acl intermediate_fetching transaction_initiator certificate-fetching </p>
<p>#Other configuration files<br />include /etc/squid/conf.d/*</p>
<p>#Access rules<br />http_access allow intermediate_fetching<br />http_access deny !Safe_ports<br />http_access deny CONNECT !SSL_ports<br />http_access allow localhost manager<br />http_access deny manager<br />http_access allow localnet<br />http_access allow localhost<br />http_access deny all</p>
<p># HTTPS interception direct proxy<br />http_port 3128 tcpkeepalive=60,30,3 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB tls-cert=/var/lib/squid/ssl_cert/squid-self-signed.crt tls-key=/var/lib/squid/ssl_cert/squid-self-signed.key cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS:!TLS13-AES-256-GCM-SHA384 options=NO_TLSv1,NO_SSLv3 tls-dh=prime256v1:/var/lib/squid/ssl_cert/squid-self-signed_dhparam.pem<br />sslcrtd_program /lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 20MB<br />sslcrtd_children 5<br />acl step1 at_step SslBump1<br />ssl_bump bump all<br />sslproxy_cert_error deny all</p>
<p># Cache<br />cache_mem 512 MB<br />maximum_object_size 240 MB<br />cache_dir aufs /var/spool/squid/ 4096 16 256<br />coredump_dir /var/spool/squid<br />refresh_pattern ^ftp: 1440 20% 10080<br />refresh_pattern ^gopher: 1440 0% 1440<br />refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />refresh_pattern . 0 20% 4320</p>
<p># More privacy<br />via off<br />forwarded_for off</p>
<p id="reply-intro">On 2022-02-14 10:00 Eliezer Croitoru wrote:</p>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">
<div id="replybody1">
<div lang="EN-US" style="word-wrap: break-word;">
<div class="v1WordSection1">
<p class="v1MsoNormal">Can you share the squid.conf so I can try to reproduce the issue here locally and verify how it could be resolved?</p>
<p class="v1MsoNormal">The OS and other relevant details, such as the "squid -v" output, might help.</p>
<p class="v1MsoNormal"> </p>
<p class="v1MsoNormal">Thanks,</p>
<p class="v1MsoNormal">Eliezer</p>
<p class="v1MsoNormal"> </p>
<div>
<p class="v1MsoNormal">----</p>
<p class="v1MsoNormal">Eliezer Croitoru</p>
<p class="v1MsoNormal">NgTech, Tech Support</p>
<p class="v1MsoNormal">Mobile: +972-5-28704261</p>
<p class="v1MsoNormal">Email: <a href="mailto:ngtech1ltd@gmail.com" rel="noreferrer"><span style="color: blue;">ngtech1ltd@gmail.com</span></a></p>
</div>
<p class="v1MsoNormal"> </p>
<div>
<div style="border: none; border-top: solid #E1E1E1 1.0pt; padding: 3.0pt 0in 0in 0in;">
<p class="v1MsoNormal"><strong>From:</strong> squid-users &lt;squid-users-bounces@lists.squid-cache.org&gt; <strong>On Behalf Of </strong>ns@fabbricapolitica.com<br /><strong>Sent:</strong> Monday, February 14, 2022 11:16<br /><strong>To:</strong> squid-users@lists.squid-cache.org<br /><strong>Subject:</strong> [squid-users] https interception problem with Squid 5</p>
</div>
</div>
<p class="v1MsoNormal"> </p>
<p><span style="font-size: 10.0pt; font-family: 'Verdana',sans-serif;">Good morning,</span></p>
<p><span style="font-size: 10.0pt; font-family: 'Verdana',sans-serif;">I have been using Squid as an http caching proxy for a long time.</span></p>
<p><span style="font-size: 10.0pt; font-family: 'Verdana',sans-serif;">It's the second time I configured Squid for https caching and interception/inspection.</span></p>
<p><span style="font-size: 10.0pt; font-family: 'Verdana',sans-serif;">The first time everything was fine.</span></p>
<p><span style="font-size: 10.0pt; font-family: 'Verdana',sans-serif;">The second...not so much.</span></p>
<p><span style="font-size: 10.0pt; font-family: 'Verdana',sans-serif;">I use the ssl_bump feature.</span></p>
<p><span style="font-size: 10.0pt; font-family: 'Verdana',sans-serif;">With Squid 4.13 and OpenSSL v1.1.1k-1 all works well without errors or warnings.</span></p>
<p><span style="font-size: 10.0pt; font-family: 'Verdana',sans-serif;">With Squid v5.2.1 and OpenSSL v3.0.1, I got one error and one warning.</span></p>
<p><span style="font-size: 10.0pt; font-family: 'Verdana',sans-serif;">I tried to use the same squid.conf for Squid 4 and Squid 5.</span></p>
<p><span style="font-size: 10.0pt; font-family: 'Verdana',sans-serif;">Here are the problems with Squid 5.</span></p>
<p><span style="font-size: 10.0pt; font-family: 'Verdana',sans-serif;">1) ERROR</span></p>
<p><span style="font-size: 10.0pt; font-family: 'Verdana',sans-serif;">I checked the configuration with the command "squid -k parse" and I got this error: ERROR: Unable to configure Ephemeral ECDH: error:0480006C:PEM routines::no start line</span></p>
<p><span style="font-size: 10.0pt; font-family: 'Verdana',sans-serif;">If I remove the curve name from tls-dh in the config file, the error disappears.</span></p>
<p><span style="font-size: 10.0pt; font-family: 'Verdana',sans-serif;">First question: What is the problem? How can I keep the curve name (prime256v1)?</span></p>
<p><span style="font-size: 10.0pt; font-family: 'Verdana',sans-serif;">2) WARNING</span></p>
<p><span style="font-size: 10.0pt; font-family: 'Verdana',sans-serif;">I checked the configuration with the command "squid -k parse" and I got this warning: WARNING: Failed to decode DH parameters '/var/lib/squid/ssl_cert/squid-self-signed_dhparam.pem'</span></p>
<p><span style="font-size: 10.0pt; font-family: 'Verdana',sans-serif;">I generated the file for the Diffie-Hellman algorithm with this command (it worked with Squid4): openssl dhparam -outform PEM -out squid-self-signed_dhparam.pem 2048</span></p>
<p><span style="font-size: 10.0pt; font-family: 'Verdana',sans-serif;">Second question: Do you have an idea of how to fix this?</span></p>
<p><span style="font-size: 10.0pt; font-family: 'Verdana',sans-serif;">Thank you.</span></p>
</div>
</div>
</div>
</blockquote>
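<p>The error and the warning quoted in this thread concern two different layers of the tls-dh file: OpenSSL's "PEM routines::no start line" is reported when no <code>-----BEGIN ...-----</code> header can be found, and "Failed to decode DH parameters" when the DER body inside the PEM does not parse as a parameter set. The following is an added example, not code from this thread or from Squid: a small Python checker that applies those two checks to a file before Squid is pointed at it. It does not call OpenSSL and says nothing about whether the curve name is accepted; its sample parameter set is constructed and deliberately tiny.</p>

```python
import base64
import re

# One well-formed PEM block: BEGIN label, base64 body, matching END label.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, der_bytes)] per PEM block; [] is OpenSSL's 'no start line' case."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split()), validate=True))
            for m in PEM_RE.finditer(text)]

def der_integers(der):
    """Decode a DER SEQUENCE of INTEGERs (PKCS#3 DhParameter is {p, g[, length]})."""
    def length(buf, i):                   # (content length, index of first content byte)
        n = buf[i]
        if n & 0x80:                      # long form: next n & 0x7f bytes hold the length
            k = n & 0x7F
            return int.from_bytes(buf[i + 1:i + 1 + k], "big"), i + 1 + k
        return n, i + 1
    if not der or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    n, i = length(der, 1)
    end, ints = i + n, []
    while i < end:
        if der[i] != 0x02:
            raise ValueError("expected INTEGER, got tag 0x%02x" % der[i])
        n, i = length(der, i + 1)
        ints.append(int.from_bytes(der[i:i + n], "big", signed=True))
        i += n
    return ints

def check_dh_file(text):
    """Classify a tls-dh file: no start line, wrong PEM label, undecodable body, or p size."""
    blocks = pem_blocks(text)
    if not blocks:
        return "no start line: no -----BEGIN ...----- header found"
    label, der = blocks[0]
    if label != "DH PARAMETERS":
        return f"unexpected PEM label '{label}' (expected 'DH PARAMETERS')"
    try:
        p, g = der_integers(der)[:2]
    except (ValueError, IndexError) as exc:
        return f"failed to decode DH parameters: {exc}"
    return f"DH PARAMETERS ok: p is {p.bit_length()} bits, g = {g}"

# Constructed sample: toy PKCS#3 parameters p = 23, g = 5 (a real file carries 2048+ bits).
TOY_DER = bytes.fromhex("3006020117020105")
TOY_PEM = "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % base64.b64encode(TOY_DER).decode()
```

Run it against the real file with <code>check_dh_file(open(path).read())</code>; a 2048-bit file generated by <code>openssl dhparam</code> should report a 2048-bit p.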
</body></html>