[squid-users] https transparent proxy

From: Mario Almeida <malmeida_at_isa.ae>
Date: Mon, 19 Aug 2013 11:22:37 +0400

Hi All,

Switch: WS-C3560-24PS-S, Version 12.2(44)SE5
OS: CentOS 6.4 64bit
Squid Cache: Version 3.1.10

I have configured HTTP and HTTPS transparent proxying. HTTP is working, but with
HTTPS I get the SSL error below. Can someone help me?

=== ERROR ===
-----BEGIN SSL SESSION PARAMETERS-----
MGQCAQECAgMBBAIAhAQABDAtguTUdfjS+XHNMVH8yE/G7mrHLTAiQP3+WGHcw7Qn
TCQ+/HyRryhbeVj8du7ZKIahBgIEUhGoW6IEAgIBLKQCBACmEQQPbWFpbC5nb29n
bGUuY29t
-----END SSL SESSION PARAMETERS-----
2013/08/19 05:08:47| clientNegotiateSSL: Error negotiating SSL connection on FD 11: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
-----BEGIN SSL SESSION PARAMETERS-----
MGQCAQECAgMBBAIAhAQABDA1gje2u6jj32VBrrNC1l2GV9/M5waLsEfxjZwvUwrU
TtpKFa0MiX4doFE59hPyFsihBgIEUhGoYKIEAgIBLKQCBACmEQQPcGx1cy5nb29n
bGUuY29t
-----END SSL SESSION PARAMETERS-----
2013/08/19 05:08:56| clientNegotiateSSL: Error negotiating SSL connection on FD 11: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2013/08/19 05:09:12| clientNegotiateSSL: Error negotiating SSL connection on FD 11: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2013/08/19 05:09:44| clientNegotiateSSL: Error negotiating SSL connection on FD 11: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2013/08/19 05:10:49| clientNegotiateSSL: Error negotiating SSL connection on FD 11: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)

=== ERROR ===

=== IPTABLES ===
iptables -t nat -A PREROUTING -i bond0 -p tcp -m tcp -s 10.200.33.0/24 --dport 80 -j DNAT --to-destination 10.200.41.76:3127
iptables -t nat -A PREROUTING -i bond0 -p tcp -m tcp -s 10.200.33.0/24 --dport 443 -j DNAT --to-destination 10.200.41.76:3129
=== IPTABLES ===

=== SQUID CONFIGURATION ===
http_port 3128
http_port 3127 intercept
https_port 3129 intercept ssl-bump cert=/etc/squid/myconfigure.pem key=/etc/squid/myconfigure.pem
ssl_bump allow all
always_direct allow all

wccp2_router 10.200.41.1
wccp2_forwarding_method 2
wccp2_return_method 2
wccp2_assignment_method mask
wccp2_service standard 0
wccp2_service dynamic 70
wccp2_service_info 70 protocol=tcp flags=dst_ip_hash priority=240 ports=443
wccp2_weight 1000

squid -v
Squid Cache: Version 3.1.10
configure options: '--build=x86_64-redhat-linux-gnu'
'--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu'
'--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr'
'--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
'--datadir=/usr/share' '--includedir=/usr/include'
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec'
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--enable-internal-dns'
'--disable-strict-error-checking' '--exec_prefix=/usr'
'--libexecdir=/usr/lib64/squid' '--localstatedir=/var'
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
'--with-logdir=$(localstatedir)/log/squid'
'--with-pidfile=$(localstatedir)/run/squid.pid'
'--disable-dependency-tracking' '--enable-arp-acl'
'--enable-follow-x-forwarded-for'
'--enable-auth=basic,digest,ntlm,negotiate'
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth'
'--enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth'
'--enable-digest-auth-helpers=password,ldap,eDirectory'
'--enable-negotiate-auth-helpers=squid_kerb_auth'
'--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group'
'--enable-cache-digests' '--enable-cachemgr-hostname=localhost'
'--enable-delay-pools' '--enable-epoll' '--enable-icap-client'
'--enable-ident-lookups' '--enable-linux-netfilter'
'--enable-referer-log' '--enable-removal-policies=heap,lru'
'--enable-snmp' '--enable-ssl' '--enable-storeio=aufs,diskd,ufs'
'--enable-useragent-log' '--enable-wccpv2' '--enable-esi' '--with-aio'
'--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl'
'--with-openssl' '--with-pthreads'
'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu'
'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' 'LDFLAGS=-pie'
'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie'
--with-squid=/builddir/build/BUILD/squid-3.1.10

=== SQUID CONFIGURATION ===

=== SWITCH CONFIGURATION ===
ip wccp web-cache redirect-list 101 group-list 50
ip wccp 70 redirect-list 101 group-list 50
!
!
interface Vlan33
 ip address 10.200.33.1 255.255.255.0
 ip wccp web-cache redirect in
 ip wccp 70 redirect in
!
!
access-list 50 permit 10.200.41.76
access-list 101 permit tcp 10.200.33.0 0.0.0.255 any eq www
access-list 101 permit tcp 10.200.33.0 0.0.0.255 any eq 443

sh ip wccp
Global WCCP information:
    Router information:
Router Identifier: 10.200.41.1
Protocol Version: 2.0

    Service Identifier: web-cache
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected: 0
 Process: 0
 CEF: 0
Redirect access-list: 101
Total Packets Denied Redirect: 0
Total Packets Unassigned: 21
Group access-list: 50
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0

    Service Identifier: 70
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected: 0
 Process: 0
 CEF: 0
Redirect access-list: 101
Total Packets Denied Redirect: 0
Total Packets Unassigned: 42
Group access-list: 50
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0

sh ip wccp web-cache view
    WCCP Routers Informed of:
10.200.41.1

    WCCP Clients Visible:
10.200.41.76

    WCCP Clients NOT Visible:
-none-

sh ip wccp 70 view
    WCCP Routers Informed of:
10.200.41.1

    WCCP Clients Visible:
10.200.41.76

    WCCP Clients NOT Visible:
-none-

sh ip wccp 70 detail
WCCP Client information:
WCCP Client ID: 10.200.41.76
Protocol Version: 2.0
State: Usable
Redirection: L2
Packet Return: L2
Packets Redirected: 0
Connect Time: 14:50:32
Assignment: MASK

Mask SrcAddr DstAddr SrcPort DstPort
---- ------- ------- ------- -------
0000: 0x00000000 0x00001741 0x0000 0x0000

Value SrcAddr DstAddr SrcPort DstPort CE-IP
----- ------- ------- ------- ------- -----
0000: 0x00000000 0x00000000 0x0000 0x0000 0x0AC8294C (10.200.41.76)

sh ip wccp web-cache detail
WCCP Client information:
WCCP Client ID: 10.200.41.76
Protocol Version: 2.0
State: Usable
Redirection: L2
Packet Return: L2
Packets Redirected: 0
Connect Time: 14:51:02
Assignment: MASK

Mask SrcAddr DstAddr SrcPort DstPort
---- ------- ------- ------- -------
0000: 0x00000000 0x00001741 0x0000 0x0000

Value SrcAddr DstAddr SrcPort DstPort CE-IP
----- ------- ------- ------- ------- -----
0000: 0x00000000 0x00000000 0x0000 0x0000 0x0AC8294C (10.200.41.76)
=== SWITCH CONFIGURATION ===
Received on Mon Aug 19 2013 - 07:23:03 MDT
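A note on reading the error above, with an added script that is mine and not part of the post or of Squid. OpenSSL error 14094418 reported from SSL3_READ_BYTES means the peer sent a TLS unknown_ca alert: the browser received the certificate Squid forged for the bumped site under /etc/squid/myconfigure.pem and rejected it because the signing CA is not in the client's trust store, which is why HTTP works and HTTPS does not. Squid prints the OpenSSL SSL_SESSION dump (the "SSL SESSION PARAMETERS" PEM block) before each failure; that DER structure carries the negotiated protocol version, cipher id, and the SNI hostname, and also the session's 48-byte master key, which the parser below reads past and does not return. The script re-joins mail-wrapped log lines, pairs each clientNegotiateSSL failure with the session dump that preceded it, and counts failures per hostname so an administrator can see which sites are hitting untrusted-CA rejections. The sample input is the excerpt from the post; the DER field order assumed is OpenSSL's SSL_SESSION ASN.1 layout as visible in that excerpt.

```python
import base64
import re
from collections import Counter

# Constructed sample: the cache.log excerpt from the post, kept in its
# mail-wrapped form so the line joiner below is exercised on realistic input.
SAMPLE_LOG = """\
-----BEGIN SSL SESSION PARAMETERS-----
MGQCAQECAgMBBAIAhAQABDAtguTUdfjS+XHNMVH8yE/G7mrHLTAiQP3+WGHcw7Qn
TCQ+/HyRryhbeVj8du7ZKIahBgIEUhGoW6IEAgIBLKQCBACmEQQPbWFpbC5nb29n
bGUuY29t
-----END SSL SESSION PARAMETERS-----
2013/08/19 05:08:47| clientNegotiateSSL: Error negotiating SSL
connection on FD 11: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca (1/0)
-----BEGIN SSL SESSION PARAMETERS-----
MGQCAQECAgMBBAIAhAQABDA1gje2u6jj32VBrrNC1l2GV9/M5waLsEfxjZwvUwrU
TtpKFa0MiX4doFE59hPyFsihBgIEUhGoYKIEAgIBLKQCBACmEQQPcGx1cy5nb29n
bGUuY29t
-----END SSL SESSION PARAMETERS-----
2013/08/19 05:08:56| clientNegotiateSSL: Error negotiating SSL
connection on FD 11: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca (1/0)
2013/08/19 05:09:12| clientNegotiateSSL: Error negotiating SSL
connection on FD 11: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca (1/0)
"""

PEM_BEGIN = "-----BEGIN SSL SESSION PARAMETERS-----"
PEM_END = "-----END SSL SESSION PARAMETERS-----"
SSL_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
TS_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\| ")
ERROR_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\| clientNegotiateSSL: "
    r"Error negotiating SSL connection on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):"
    r"(?P<reason>.+?) \(\d+/\d+\)$"
)


def der_elements(buf):
    """Yield (tag, value) for each DER TLV at one nesting level of buf."""
    i = 0
    while i < len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:  # long form: the next n bytes hold the length
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        yield tag, buf[i:i + length]
        i += length


def decode_session(b64):
    """Extract protocol, cipher id and SNI hostname from an OpenSSL SSL_SESSION
    dump (SEQUENCE of version, ssl_version, cipher, session id, master key,
    then context-tagged optionals). The master key is skipped, never returned."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    tag, body = next(der_elements(raw))
    if tag != 0x30:
        raise ValueError("SSL SESSION PARAMETERS must start with a SEQUENCE")
    fields = list(der_elements(body))
    info = {
        "protocol": SSL_VERSIONS.get(int.from_bytes(fields[1][1], "big"), "unknown"),
        "cipher_id": int.from_bytes(fields[2][1], "big"),
        "hostname": None,
    }
    for tag, value in fields:
        if tag == 0xA6:  # [6] EXPLICIT OCTET STRING holds the SNI hostname
            inner_tag, inner = next(der_elements(value))
            if inner_tag == 0x04:
                info["hostname"] = inner.decode("ascii", "replace")
    return info


def parse_cache_log(text):
    """One record per clientNegotiateSSL failure, re-joined across wrapped
    lines and paired with the session dump that immediately preceded it."""
    records, b64, current, session = [], None, None, None

    def flush():
        nonlocal current, session
        m = ERROR_RE.match(current) if current else None
        if m:
            rec = m.groupdict()
            rec["fd"], rec["session"] = int(rec["fd"]), session
            records.append(rec)
            session = None  # a dump explains at most one failure
        current = None

    for line in text.splitlines():
        line = line.strip()
        if line == PEM_BEGIN:
            flush()
            b64 = []
        elif line == PEM_END:
            session, b64 = decode_session("".join(b64)), None
        elif b64 is not None:
            b64.append(line)
        elif TS_RE.match(line):
            flush()
            current = line
        elif current is not None and line:
            current += " " + line  # continuation of a mail-wrapped log line
    flush()
    return records


def summarize(records):
    """Count failures by (OpenSSL reason, hostname); None = no dump preceded it."""
    return Counter((r["reason"], r["session"]["hostname"] if r["session"] else None)
                   for r in records)


if __name__ == "__main__":
    for (reason, host), n in summarize(parse_cache_log(SAMPLE_LOG)).items():
        print(f"{n:3d}  {reason:<24} {host}")
```

Run against a real cache.log by replacing SAMPLE_LOG with the file contents; hosts that dominate the "tlsv1 alert unknown ca" count are the ones whose clients lack the bumping CA, and a None hostname means Squid logged the failure without a preceding session dump.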

This archive was generated by hypermail 2.2.0 : Mon Aug 19 2013 - 12:00:26 MDT