[squid-users] Certificate error using squid with tproxy configuration

Ben Goz ben.goz87 at gmail.com
Thu Jun 15 11:31:17 UTC 2023


By the help of God.

Hi,
I'm using squid with tproxy including https interception configuration.

The squid version is:
$ /usr/local/squid/sbin/squid -v
Squid Cache: Version 7.0.0-VCS
Service Name: squid

This binary uses OpenSSL 3.0.2 15 Mar 2022. configure options:
 '--with-openssl' '--enable-ssl' '--enable-ssl-crtd' '--enable-icap-client'
'--enable-linux-netfilter'


The tproxy configuration works perfectly using HTTP without SSL,
but using SSL I get the browser SSL error "ERR_SSL_PROTOCOL_ERROR",
and using curl I get the following output:

$ curl -iv https://www.google.com --cert ~/myCA.der
*   Trying 172.217.22.68:443...
* Connected to www.google.com (172.217.22.68) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* could not load PEM client certificate, OpenSSL error error:0480006C:PEM
routines::no start line, (no key found, wrong pass phrase, or wrong file
format?)
* Closing connection 0
curl: (58) could not load PEM client certificate, OpenSSL error
error:0480006C:PEM routines::no start line, (no key found, wrong pass
phrase, or wrong file format?)

Squid's configuration:
http_port 0.0.0.0:3130 tproxy ssl-bump \
  cert=/usr/local/squid/etc/ssl_cert/myCA.der \
  key=/usr/local/squid/etc/ssl_cert/myCA.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

iptables rule:
$ sudo iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DIVERT     tcp  --  anywhere             anywhere             socket
TPROXY     tcp  --  anywhere             anywhere             tcp dpt:http
TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
TPROXY     tcp  --  anywhere             anywhere             tcp dpt:https
TPROXY redirect 0.0.0.0:3130 mark 0x1/0x1

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain DIVERT (1 references)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             MARK set 0x1
ACCEPT     all  --  anywhere             anywhere

Did I miss something?

Thanks,
Ben
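The "PEM routines::no start line" error in the curl output is what OpenSSL's PEM reader reports when the file has no "-----BEGIN ...-----" line, and a DER file never has one; both curl's --cert (without --cert-type) and Squid's cert= read PEM. The Python below is an added example, not code from the post or from Squid: it classifies a certificate file as PEM or DER from its bytes and re-wraps DER as PEM, which is all that "openssl x509 -inform DER -outform PEM" does to a certificate's bytes. SAMPLE_DER is a constructed ASN.1 SEQUENCE, not a real certificate.

```python
import base64

PEM_HEADER = b"-----BEGIN "

def detect_format(data: bytes) -> str:
    """Classify a certificate/key file as 'PEM', 'DER' or 'unknown'.
    A PEM reader looks for a '-----BEGIN ...-----' line; without it OpenSSL
    raises 'PEM routines::no start line', the error shown in the curl output."""
    if data.lstrip().startswith(PEM_HEADER):
        return "PEM"
    # A DER-encoded X.509 object is an ASN.1 SEQUENCE: tag 0x30 then a length.
    if len(data) >= 2 and data[0] == 0x30:
        first = data[1]
        if first < 0x80:                      # short-form length
            total = 2 + first
        else:                                 # long-form: 0x8n then n length bytes
            n = first & 0x7F
            if n == 0 or n > 4 or len(data) < 2 + n:
                return "unknown"
            total = 2 + n + int.from_bytes(data[2:2 + n], "big")
        if total == len(data):                # declared length must match file size
            return "DER"
    return "unknown"

def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Re-wrap DER bytes as PEM: base64 body in 64-column lines between
    BEGIN/END markers. The certificate bytes themselves are unchanged."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

def pem_to_der(pem: str) -> bytes:
    """Inverse of der_to_pem: drop the marker lines and decode the base64 body."""
    body = [ln for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body))

# Constructed sample: a bare ASN.1 SEQUENCE (not a real certificate) long enough
# to need a two-byte long-form length, as a real DER X.509 file does.
SAMPLE_PAYLOAD = bytes(range(256)) + b"\x00" * 44               # 300 bytes
SAMPLE_DER = b"\x30\x82" + len(SAMPLE_PAYLOAD).to_bytes(2, "big") + SAMPLE_PAYLOAD

if __name__ == "__main__":
    print(detect_format(SAMPLE_DER))              # DER: what a cert=...der file looks like to a PEM reader
    pem = der_to_pem(SAMPLE_DER)
    print(detect_format(pem.encode()))            # PEM
    print(pem_to_der(pem) == SAMPLE_DER)          # True: the conversion is lossless
```

Run detect_format over the bytes of the file named in cert= (and the file given to curl --cert); a "DER" result explains the "no start line" error, and der_to_pem gives the PEM form those options expect.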