<div dir="rtl"><div dir="ltr">By the help of God</div><div dir="ltr"><br></div><div dir="ltr">Updated the squid.conf:</div><div dir="ltr">http_port <a href="http://0.0.0.0:3128">0.0.0.0:3128</a><br>http_port <a href="http://0.0.0.0:3129">0.0.0.0:3129</a> tproxy<br>http_port <a href="http://0.0.0.0:3130">0.0.0.0:3130</a> tproxy ssl-bump \<br> cert=/usr/local/squid/etc/ssl_cert/myCA.pem \<br> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB<br><br># For squid 4.x<br>sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB<br><br>acl step1 at_step SslBump1<br><br>ssl_bump peek step1<br>ssl_bump bump all<br></div><div dir="ltr"><br></div><div dir="ltr">Still the same issue.</div></div><br><div class="gmail_quote"><div dir="rtl" class="gmail_attr">On Thu, 15 Jun 2023 at 14:31, Ben Goz &lt;<a href="mailto:ben.goz87@gmail.com">ben.goz87@gmail.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="rtl"><div dir="ltr">By the help of God.</div><div dir="ltr"><br></div><div dir="ltr">Hi,</div><div dir="ltr">I'm using squid with tproxy, including an https interception configuration.</div><div dir="ltr"><br></div><div dir="ltr">The squid version is:</div><div dir="ltr">$ /usr/local/squid/sbin/squid -v<br>Squid Cache: Version 7.0.0-VCS<br>Service Name: squid<br><br>This binary uses OpenSSL 3.0.2 15 Mar 2022. 
configure options: '--with-openssl' '--enable-ssl' '--enable-ssl-crtd' '--enable-icap-client' '--enable-linux-netfilter'<br></div><div dir="ltr"><br></div><div dir="ltr"><br></div><div dir="ltr">And the tproxy configuration works perfectly using http without ssl,</div><div dir="ltr">But using ssl I'm getting the ssl error "ERR_SSL_PROTOCOL_ERROR" in the browser.</div><div dir="ltr">And using curl I get the following output:</div><div dir="ltr"><br></div><div dir="ltr">$ curl -iv <a href="https://www.google.com/" target="_blank">https://www.google.com</a> --cert ~/myCA.der<br>* Trying 172.217.22.68:443...<br>* Connected to <a href="http://www.google.com/" target="_blank">www.google.com</a> (172.217.22.68) port 443 (#0)<br>* ALPN, offering h2<br>* ALPN, offering http/1.1<br>* could not load PEM client certificate, OpenSSL error error:0480006C:PEM routines::no start line, (no key found, wrong pass phrase, or wrong file format?)<br>* Closing connection 0<br>curl: (58) could not load PEM client certificate, OpenSSL error error:0480006C:PEM routines::no start line, (no key found, wrong pass phrase, or wrong file format?)<div></div><div><br></div><div>Squid's configuration:</div><div>http_port <a href="http://0.0.0.0:3130" target="_blank">0.0.0.0:3130</a> tproxy ssl-bump \<br> cert=/usr/local/squid/etc/ssl_cert/myCA.der \<br> key=/usr/local/squid/etc/ssl_cert/myCA.pem \<br> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB<br></div><div><br></div><div>iptables rules:</div><div>$ sudo iptables -t mangle -L<br>Chain PREROUTING (policy ACCEPT)<br>target prot opt source destination <br>DIVERT tcp -- anywhere anywhere socket<br>TPROXY tcp -- anywhere anywhere tcp dpt:http TPROXY redirect <a href="http://0.0.0.0:3129" target="_blank">0.0.0.0:3129</a> mark 0x1/0x1<br>TPROXY tcp -- anywhere anywhere tcp dpt:https TPROXY redirect <a href="http://0.0.0.0:3130" target="_blank">0.0.0.0:3130</a> mark 0x1/0x1<br><br>Chain INPUT (policy ACCEPT)<br>target prot opt source destination 
<br><br>Chain FORWARD (policy ACCEPT)<br>target prot opt source destination <br><br>Chain OUTPUT (policy ACCEPT)<br>target prot opt source destination <br><br>Chain POSTROUTING (policy ACCEPT)<br>target prot opt source destination <br><br>Chain DIVERT (1 references)<br>target prot opt source destination <br>MARK all -- anywhere anywhere MARK set 0x1<br>ACCEPT all -- anywhere anywhere<br></div><div><br></div><div>Did I miss something?</div><div><br></div><div>Thanks,</div><div>Ben</div></div><div dir="ltr"><br></div><div dir="ltr"><br></div><div dir="ltr"> </div></div>
</blockquote></div>
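Added example, not code from the thread or from Squid: the curl error quoted above, "PEM routines::no start line", is what an OpenSSL PEM loader (used by curl --cert and by Squid's cert=/key= options) reports when it is handed a DER-encoded file such as myCA.der instead of a PEM file. The snippet below classifies a certificate file by format, mimics that loader's failure, and re-wraps a DER blob in PEM armor. The function names are mine, and SAMPLE_DER is a constructed minimal ASN.1 SEQUENCE standing in for a DER file, not a real certificate.

```python
import base64
import re
from typing import Optional

# Constructed sample: a minimal DER SEQUENCE (containing INTEGER 5), standing in
# for the DER-encoded myCA.der from the thread. It is not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020105")

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def detect_format(data: bytes) -> str:
    """Classify certificate/key file bytes as 'pem', 'der' or 'unknown'."""
    if b"-----BEGIN " in data:
        return "pem"
    # Every DER certificate or key is an ASN.1 SEQUENCE, whose tag byte is 0x30.
    if data[:1] == b"\x30":
        return "der"
    return "unknown"


def load_as_pem(data: bytes) -> Optional[bytes]:
    """Behave like OpenSSL's PEM reader: return the DER payload of the first
    PEM block, or None when no '-----BEGIN' armor line exists, which is the
    'no start line' failure curl printed for myCA.der in the thread."""
    match = PEM_RE.search(data.decode("ascii", errors="replace"))
    if match is None:
        return None
    return base64.b64decode("".join(match.group(2).split()))


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap DER bytes in PEM armor: base64 body split into 64-column lines."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"


def ensure_pem(data: bytes) -> bytes:
    """Return bytes a PEM-only loader accepts, converting DER input if needed."""
    fmt = detect_format(data)
    if fmt == "pem":
        return data
    if fmt == "der":
        return der_to_pem(data).encode("ascii")
    raise ValueError("neither PEM nor DER")
```

Run `detect_format` over the file named in a cert= or key= option before restarting Squid; a "der" result explains a "no start line" error without any TLS debugging.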