[squid-users] Https_port with "official" certificate
Amos Jeffries
squid3 at treenet.co.nz
Wed Aug 24 13:46:22 UTC 2016
Just to rewind this conversation to the actual problem ...
On 24/08/2016 11:42 p.m., Samuraiii wrote:
> On 24.8.2016 13:18, Antony Stone wrote:
>> Unfortunately it's not Squid that's the challenge - it's the browser.
>>
>> If you're using Firefox and/or Chrome, you should be okay.
>>
>> See "Encrypted browser-Squid connection" at the bottom of
>> http://wiki.squid-cache.org/Features/HTTPS
>>
>>
>> Antony.
>>
> I have seen that, it is the cause of my subscription to this list.
> I haven't been able to find any usable hints.
> My config attempt fails
>
<snip>
>
> https_port 8443 \
> cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
> key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
> cleintca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
> tls-dh=/etc/ssl/certs/dhparam.pem \
> sslproxy_options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
> cipher=HIGH
As Dio mentioned the cleintca= (or rather clientca=) is for
authenticating clients ceritficates. Don't use that unless you are
requiring client certs in TLS.
The rest of your config looks reasonable to me. I suspect you have found
a bug introduced during all the SSL-Bump code changes. Please make a
bugzilla report and include your exact Squid version (found with the
'squid -v' command), the https_port line(s) and the exact error message
produced on startup.
Amos
More information about the squid-users
mailing list