[squid-users] Squid 3.4.8 with ssl-bump config.

Amos Jeffries squid3 at treenet.co.nz
Thu May 21 10:42:27 UTC 2015


On 21/05/2015 9:50 p.m., Tony Peña wrote:
> Hi again..
> 
> Now the compilation works OK, but I have issues with HTTPS sites.
> 
> Squid starts OK, but I can't see HTTPS sites in the browser. I
> made the certificate and put myCA.der on the Windows client.
> 
> I tested it with:
> 1- ssl-bump server-first all
> 2- ssl-bump client-first all
> 
> testing the acl with and without...
> acl BadSite ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
> sslproxy_cert_error allow TrustedName
> sslproxy_cert_error allow BadSite
> sslproxy_cert_error deny all
> 
> and nothing, I can't see HTTPS sites like mail.yahoo.com or facebook.com
> 
> the browser continues to put out
> ERROR SSL CONNECTION
> ERR_SSL_PROTOCOL
> 
> I rebuilt /var/spool/squid_ssldb again many times
> 
> and the logs continue saying...
> 
>  1432201755.569      0 172.16.1.20 TAG_NONE/400 3640
>  Z%19%98%A50%D7%AD%19%AB%1E - HIER_NONE/- text/html
> 1432201756.077      0 172.16.1.20 TAG_NONE/400 4056 NONE
> error:invalid-request - HIER_NONE/- text/html

<snip>
> 
> here is my config
> ----------------------------------
>  # squid3 -k parse
> 2015/05/21 05:42:10| Startup: Initializing Authentication Schemes ...
> 2015/05/21 05:42:10| Startup: Initialized Authentication Scheme 'basic'
> 2015/05/21 05:42:10| Startup: Initialized Authentication Scheme 'digest'
> 2015/05/21 05:42:10| Startup: Initialized Authentication Scheme 'negotiate'
> 2015/05/21 05:42:10| Startup: Initialized Authentication Scheme 'ntlm'
> 2015/05/21 05:42:10| Startup: Initialized Authentication.
> 2015/05/21 05:42:10| Processing Configuration File: /etc/squid3/squid.conf
> (depth 0)
> 2015/05/21 05:42:10| Processing: http_port 172.16.1.10:3128 intercept
> ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/etc/squid3/ssl/myCA.pem

<snip>
> Any idea?

I don't see any sign of an https_port for receiving HTTPS from port 443.

Only a http_port for receiving HTTP from port 80 NAT'ed connections.

Port 443 has an entirely different (TLS protocol) binary syntax. As the
Squid logs say, the traffic arriving in binary TLS format is invalid
when Squid tries to interpret it as plain-text HTTP format.


Amos
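The fix Amos points to, written out as an added example that is not part of the thread or of the Squid project's documentation: a minimal Squid 3.4 squid.conf fragment contrasting the poster's HTTP-only intercept port with a configuration that also intercepts HTTPS on its own https_port. The port 3129, the ssl_crtd path and the iptables rules are assumptions; the certificate path, the cert database directory, port 3128 and the ssl_error ACL come from the thread.

```conf
# --- As posted: only one intercept port, which parses everything as HTTP.
# TLS bytes NAT'ed here are rejected and logged as TAG_NONE/400
# error:invalid-request, which is what the poster's access.log shows.
http_port 172.16.1.10:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/myCA.pem

# --- Corrected: keep an intercept port for NAT'ed port-80 traffic and add a
# separate https_port for NAT'ed port-443 traffic. ssl-bump and the
# certificate-generation options belong on the port that receives TLS.
http_port 172.16.1.10:3128 intercept
https_port 172.16.1.10:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/myCA.pem

# Certificate generator helper (binary path assumed; Debian/Ubuntu squid3
# layout). The -s directory must be initialised once with
# "ssl_crtd -c -s /var/spool/squid_ssldb" and be writable by Squid's
# effective user, otherwise no per-site certificate can be minted.
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/spool/squid_ssldb -M 4MB
sslcrtd_children 5

# Bump every intercepted TLS connection (Squid 3.4 syntax; 3.5 replaces
# this with peek/stare/splice steps).
ssl_bump server-first all

# Upstream certificate-error policy: tolerate only the one error class the
# poster listed and refuse every other validation failure.
acl BadSite ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BadSite
sslproxy_cert_error deny all

# Gateway side (assumed iptables), one REDIRECT per intercept port so that
# port-80 and port-443 traffic each reach the listener that speaks its syntax:
#   iptables -t nat -A PREROUTING -p tcp --dport 80  -j REDIRECT --to-ports 3128
#   iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 3129
```

Port 3129 exists only as the NAT target for port 443; clients never point at it directly, and the Windows client still needs myCA.der installed as a trusted root for the generated certificates to be accepted.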

