[squid-users] https interception problem with Squid 5

Eliezer Croitoru ngtech1ltd at gmail.com
Mon Feb 14 10:00:33 UTC 2022 

Can you share the squid.conf so I can try to reproduce the issue here locally and verify how it could  be resolved?

What OS and other relevant details such as “squid -v”  output might help.

 

Thanks,

Eliezer

 

----

Eliezer Croitoru

NgTech, Tech Support

Mobile: +972-5-28704261

Email:  <mailto:ngtech1ltd at gmail.com> ngtech1ltd at gmail.com

 

From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of ns at fabbricapolitica.com
Sent: Monday, February 14, 2022 11:16
To: squid-users at lists.squid-cache.org
Subject: [squid-users] https interception problem with Squid 5

 

Good morning,

I have been using Squid as an http caching proxy for a long time.

It's the second time I configured Squid for https caching and interception/inspection.

The first time everything was fine

The second...not so much.

I use the ssl_bump feature.

With Squid 4.13 and Openssl v 1.1.1k-1 all works well without errors or warnings.

With Squid v. 5.2.1 and Openssl v. 3.0.1, I got one error and one warning.

I tried to use the same squid.conf for Squid 4 and Squid 5.

Here are the problems with Squid 5.

1) ERROR

I checked the configuration with the command "squid -k parse" and I got this error: ERROR: Unable to configure Ephemeral ECDH: error:0480006C:PEM routines::no start line

If I remove the curve name from tls-dh in the config file, the error disappears.

First question: Which is the problem? How can I do to keep the curve name (prime256v1)

2) WARNING

I checked the configuration with the command "squid -k parse" and I got this warning: WARNING: Failed to decode DH parameters '/var/lib/squid/ssl_cert/squid-self-signed_dhparam.pem'

I generated the file for the Diffie-Hellman algorithm with this command (it worked with Squid4): openssl dhparam -outform PEM -out squid-self-signed_dhparam.pem 2048

Second question: Have you an idea on how to fix this?

Thank you.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20220214/6ae3a142/attachment.htm>

More information about the squid-users mailing list