[squid-users] Certificate error using squid with tproxy configuration

Ben Goz ben.goz87 at gmail.com
Thu Jun 15 11:51:40 UTC 2023


By the help of God

Update the squid.conf:
http_port 0.0.0.0:3128
http_port 0.0.0.0:3129 tproxy
http_port 0.0.0.0:3130 tproxy ssl-bump \
  cert=/usr/local/squid/etc/ssl_cert/myCA.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# For squid 4.x
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB

acl step1 at_step SslBump1

ssl_bump peek step1
ssl_bump bump all

Still the same issue.

On Thu, 15 Jun 2023 at 14:31, Ben Goz <ben.goz87 at gmail.com> wrote:

> By the help of God.
>
> Hi,
> I'm using squid with tproxy including https interception configuration.
>
> The squid version is:
> $ /usr/local/squid/sbin/squid -v
> Squid Cache: Version 7.0.0-VCS
> Service Name: squid
>
> This binary uses OpenSSL 3.0.2 15 Mar 2022. configure options:
>  '--with-openssl' '--enable-ssl' '--enable-ssl-crtd' '--enable-icap-client'
> '--enable-linux-netfilter'
>
>
> And the tproxy configuration works perfectly using http without ssl,
> but using ssl I'm getting the ssl error "ERR_SSL_PROTOCOL_ERROR" in the browser,
> and using curl I get the following output:
>
> $ curl -iv https://www.google.com --cert ~/myCA.der
> *   Trying 172.217.22.68:443...
> * Connected to www.google.com (172.217.22.68) port 443 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * could not load PEM client certificate, OpenSSL error error:0480006C:PEM
> routines::no start line, (no key found, wrong pass phrase, or wrong file
> format?)
> * Closing connection 0
> curl: (58) could not load PEM client certificate, OpenSSL error
> error:0480006C:PEM routines::no start line, (no key found, wrong pass
> phrase, or wrong file format?)
>
> Squid's configuration:
> http_port 0.0.0.0:3130 tproxy ssl-bump \
>   cert=/usr/local/squid/etc/ssl_cert/myCA.der \
>   key=/usr/local/squid/etc/ssl_cert/myCA.pem \
>   generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>
> iptables rule:
> $ sudo iptables -t mangle -L
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> DIVERT     tcp  --  anywhere             anywhere             socket
> TPROXY     tcp  --  anywhere             anywhere             tcp dpt:http
> TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
> TPROXY     tcp  --  anywhere             anywhere             tcp
> dpt:https TPROXY redirect 0.0.0.0:3130 mark 0x1/0x1
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> Chain DIVERT (1 references)
> target     prot opt source               destination
> MARK       all  --  anywhere             anywhere             MARK set 0x1
> ACCEPT     all  --  anywhere             anywhere
>
> Did I miss something?
>
> Thanks,
> Ben
>
>
>
>
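As an added diagnostic (not from this thread or the squid project): the curl error "PEM routines::no start line" is what OpenSSL reports when it is handed a DER file where it expects PEM, and squid's cert= option without key= expects the private key to be in the same PEM file. The constructed samples below stand in for myCA.der / myCA.pem; the check sniffs the format and reports both conditions.

```python
"""Sniff cert= / --cert files for the two failure modes seen in the thread."""
import re

# One PEM block: "-----BEGIN label-----" ... "-----END label-----"
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)


def pem_block_types(data: bytes) -> list:
    """Labels of all PEM blocks found, in order (e.g. CERTIFICATE, PRIVATE KEY)."""
    return [m.group(1).decode() for m in PEM_BLOCK.finditer(data)]


def der_outer_length(data: bytes):
    """Declared length of a DER SEQUENCE at offset 0, or None if the bytes
    are not a well-formed SEQUENCE header spanning the whole file."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short-form length
        hdr, length = 2, first
    else:                                 # long form: 0x8n, then n length bytes
        n = first & 0x7F
        if n == 0 or len(data) < 2 + n:
            return None
        hdr, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return length if hdr + length == len(data) else None


def diagnose(data: bytes, key_option_given: bool) -> list:
    """Findings for a file passed as squid cert= (or curl --cert)."""
    findings = []
    types = pem_block_types(data)
    if types:
        if "CERTIFICATE" not in types:
            findings.append("PEM file contains no CERTIFICATE block")
        if not key_option_given and not any("PRIVATE KEY" in t for t in types):
            findings.append("no key= given and PEM file has no PRIVATE KEY block")
    elif der_outer_length(data) is not None:
        findings.append("DER-encoded file: OpenSSL PEM loader reports "
                        "'no start line'; convert with openssl x509 -inform DER")
    else:
        findings.append("neither PEM nor DER: unrecognised file format")
    return findings


# Constructed samples with placeholder bodies, not real certificates or keys.
CA_PEM_WITH_KEY = (b"-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
                   b"-----BEGIN PRIVATE KEY-----\nMIIEplaceholder\n-----END PRIVATE KEY-----\n")
CA_PEM_CERT_ONLY = CA_PEM_WITH_KEY.split(b"-----BEGIN PRIVATE KEY")[0]
CA_DER = b"\x30\x82\x01\x00" + b"\x00" * 256    # SEQUENCE, long-form length 256

if __name__ == "__main__":
    for name, blob, key in [("myCA.der as cert=", CA_DER, True),
                            ("myCA.pem cert only", CA_PEM_CERT_ONLY, False)]:
        print(name, diagnose(blob, key))
```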