[squid-users] Is there a way on client to show proxy's certificate?
GeorgeShen
g2011828 at hotmail.com
Sat Dec 21 19:34:42 UTC 2019
> how is port 3129 defined in squid.conf?
ssl_bump peek step1
ssl_bump stare step2
ssl_bump bump all
http_port 3128
http_port 3129 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
options=SINGLE_DH_USE:SINGLE_ECDH_USE
tls-dh=prime256v1:/usr/local/squid/etc/dhparams.pem
BTW, the https/TLS bump through this server works. When using openssl s_client, I get this result (it says "no peer certificate available"):
$ openssl s_client -connect 192.168.1.35:3129 -showcerts
CONNECTED(00000003)
4659451500:error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version
number:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/ssl/ssl_pkt.c:386:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Start Time: 1576955529
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
and if I run this openssl s_client on the proxy itself (should use the same
version of openssl):
$ openssl s_client -connect 127.0.0.1:3129 -showcerts
CONNECTED(00000003)
140248349009560:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol:s23_clnt.c:827:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 311 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1576956256
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
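Added example, not from the poster or from the Squid project: port 3129 above is an `http_port`, so it speaks plain HTTP and only sees TLS inside a CONNECT tunnel; pointing s_client straight at it sends a ClientHello to an HTTP listener, and the HTTP text that comes back is what s_client reports as "wrong version number" / "unknown protocol" after reading a few bytes. The script below sends the CONNECT first, then starts TLS inside the tunnel and prints the certificate the bumping proxy actually presents. The proxy address 192.168.1.35:3129 is taken from the post; the target host is a placeholder.

```python
import socket
import ssl
import sys

def build_connect_request(target_host, target_port=443):
    """HTTP CONNECT asking the proxy for a tunnel; ssl_bump then acts on the
    TLS ClientHello the client sends inside that tunnel."""
    return (f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
            f"Host: {target_host}:{target_port}\r\n\r\n").encode()

def parse_connect_status(response):
    """Status code from the proxy's reply to CONNECT (200 = tunnel open)."""
    parts = response.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError(f"not an HTTP status line: {parts!r}")
    return int(parts[1])

def looks_like_tls_record(first_bytes):
    """True if the bytes open a TLS record: content type 0x14-0x17, then major
    version 0x03. A plain http_port answers a raw ClientHello with HTTP text
    ('HTTP/' = 48 54 54 50 2f), which fails this check."""
    return (len(first_bytes) >= 2 and 0x14 <= first_bytes[0] <= 0x17
            and first_bytes[1] == 0x03)

def fetch_bumped_cert_pem(proxy_host, proxy_port, target_host, target_port=443):
    """CONNECT through the proxy, then start TLS inside the tunnel and return
    the PEM of the certificate the proxy presents. Verification is switched
    off on purpose: the goal is to inspect the certificate, not to trust it."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=10)
    sock.sendall(build_connect_request(target_host, target_port))
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before replying")
        reply += chunk
    if parse_connect_status(reply) != 200:
        raise ConnectionError("proxy refused CONNECT: %r" % reply.split(b"\r\n", 1)[0])
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # server_hostname sends SNI, which the proxy needs to pick/generate the cert
    with ctx.wrap_socket(sock, server_hostname=target_host) as tls:
        der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)

if __name__ == "__main__":
    # usage: python3 show_bumped_cert.py 192.168.1.35 3129 example.com
    proxy, port, host = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    print(fetch_bumped_cert_pem(proxy, port, host), end="")
```

Pipe the output into `openssl x509 -noout -subject -issuer -dates` to see whether the issuer is the bump CA from `myCA.pem`; with OpenSSL 1.1.0 or later, `openssl s_client -proxy 192.168.1.35:3129 -connect example.com:443 -showcerts` performs the same CONNECT-then-TLS sequence.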