Re: [squid-users] Squid SSL transparent proxy - SSL_connect:error in SSLv2/v3 read server hello A

From: Larry Zhao <thehiddendepth_at_gmail.com>
Date: Fri, 18 Oct 2013 11:23:23 +0800

Hi, Guys,

I found my problem: I should use the directive https_port instead of
http_port for port 443.

After I changed the config in squid.conf to

     https_port 443 cert=/home/larry/ssl/server.crt key=/home/larry/ssl/server.key ssl-bump transparent

I restarted squid and found this in the log:

     (ssl_crtd): Uninitialized SSL certificate database directory: /opt/squid3/var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /opt/squid3/var/lib/ssl_db".

So I went and ran that command:

     sudo -u proxy ./ssl_crtd -c -s /opt/squid3/var/lib/ssl_db

but it results in an error:

     Initialization SSL db...
     ./ssl_crtd: Cannot create /opt/squid3/var/lib/ssl_db

I can't find further information on why this failed... Need help.

--
Cheers ~
Larry
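Two things in this thread are worth checking before touching ssl_crtd again, and the script below (an added example, not part of the original messages and not Squid's own code) checks both. First, the original http_port line pointed cert= at server.csr, which is a certificate signing request rather than a certificate; the https_port line above correctly uses server.crt. Second, ssl_crtd -c creates the database directory itself, so "Cannot create /opt/squid3/var/lib/ssl_db" means that the directory could not be made: either the parent /opt/squid3/var/lib is not writable by the user the command runs as (proxy, via sudo -u), or ssl_db already exists. The function names pem_kind and ssl_db_preflight are mine, the paths in the demo are assumed from the thread, and the PEM files the demo writes are constructed samples. Bear in mind that with ssl-bump the certificate given as cert= becomes the signer of the mimicked server certificates, so the client (here the Rails host with the /etc/hosts override) must trust it or it will reject the bumped connection.

```shell
#!/bin/sh
# Added preflight checks for a Squid ssl-bump setup (example code, not from
# the thread or from Squid). Paths used in the demo are assumed from the thread.
#
#  pem_kind FILE        -> prints certificate | csr | key | unknown
#  ssl_db_preflight DIR -> explains why "ssl_crtd -c -s DIR" would report
#                          "Cannot create DIR" for the *current* user

# Classify a PEM file by its first BEGIN line, so that cert= is never pointed
# at a CSR (the mistake in the first message) or at the private key.
pem_kind() {
    if [ ! -r "$1" ]; then
        echo "unreadable"
        return 1
    fi
    case "$(sed -n '/^-----BEGIN /{p;q;}' "$1")" in
        "-----BEGIN CERTIFICATE REQUEST-----") echo "csr" ;;
        "-----BEGIN CERTIFICATE-----")         echo "certificate" ;;
        "-----BEGIN "*"PRIVATE KEY-----")      echo "key" ;;
        *)                                     echo "unknown"; return 1 ;;
    esac
}

# ssl_crtd -c creates DIR itself, so it needs an existing, writable parent and
# no pre-existing DIR. Run this as the same user that will run ssl_crtd
# (e.g. via sudo -u proxy) so that the writability test is meaningful.
ssl_db_preflight() {
    db="$1"
    parent=$(dirname "$db")
    if [ -e "$db" ]; then
        echo "$db already exists; remove it before re-running ssl_crtd -c"
        return 1
    fi
    if [ ! -d "$parent" ]; then
        echo "parent $parent is missing; create it and chown it to the squid user"
        return 1
    fi
    if [ ! -w "$parent" ]; then
        echo "parent $parent is not writable by $(id -un); fix ownership/mode first"
        return 1
    fi
    echo "ok: $(id -un) can create $db"
}

# Demo on constructed sample files in a temp dir: sh preflight.sh --demo
demo() {
    tmp=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE REQUEST-----\nMIIB\n-----END CERTIFICATE REQUEST-----\n' > "$tmp/server.csr"
    printf -- '-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n' > "$tmp/server.crt"
    for f in server.csr server.crt; do
        echo "$f: $(pem_kind "$tmp/$f")"
    done
    ssl_db_preflight "$tmp/ssl_db"        # fresh dir under a writable parent
    mkdir "$tmp/ssl_db"
    ssl_db_preflight "$tmp/ssl_db"        # already exists
    ssl_db_preflight "$tmp/nope/ssl_db"   # parent missing
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

To check the real installation from the thread, source the file and run `pem_kind /home/larry/ssl/server.crt` as yourself, then `sudo -u proxy sh -c '. ./preflight.sh; ssl_db_preflight /opt/squid3/var/lib/ssl_db'` so the writability test runs as the proxy user.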
On Fri, Oct 18, 2013 at 9:59 AM, Larry Zhao <thehiddendepth_at_gmail.com> wrote:
> Hi, Eliezer,
>
> Yes, my problem to solve is only to proxy to this specific host; no
> other subdomains need considering.
>
> And to be honest, I am new to this part. From what I could get from
> the page you mentioned, I need to use ssl-bump? Am I right?
> --
>
> Cheers ~
>
> Larry
>
>
> On Fri, Oct 18, 2013 at 2:48 AM, Eliezer Croitoru <eliezer_at_ngtech.co.il> wrote:
>> Hey,
>>
>> Only to this specific host, or also all the subdomains etc.?
>> It differs a bit.
>> A small look at this wiki:
>> http://wiki.squid-cache.org/Features/MimicSslServerCert
>>
>> Will clarify some doubts and situations in which you might see some
>> problems.
>>
>> Eliezer
>>
>>
>> On 10/17/2013 06:44 PM, Larry Zhao wrote:
>>>
>>> Hi, Guys,
>>>
>>>
>>> I am trying to set up an SSL proxy for one of my internal servers to
>>> visit `https://www.googleapis.com` using Squid, to make my Rails
>>> application on that server reach `googleapis.com` via the proxy.
>>>
>>>
>>> I am new to this, so my approach is to set up an SSL transparent proxy
>>> with Squid. I built `Squid 3.3` on Ubuntu 12.04, generated a pair of
>>> ssl key and crt files, and configured squid like this:
>>>
>>>      http_port 443 transparent cert=/home/larry/ssl/server.csr key=/home/larry/ssl/server.key
>>>
>>>
>>> And left almost all other configuration at the default. The permissions
>>> of the dir that holds key/crt are `drwxrwxr-x  2 proxy proxy    4096
>>> Oct 17 15:45 ssl`
>>>
>>>
>>> Back on my dev laptop, I put `<proxy-server-ip> www.googleapis.com` in
>>> my `/etc/hosts` to make the call go to my proxy server.
>>>
>>>
>>> But when I tried it in my rails application, I got:
>>>
>>>      SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol
>>>
>>>
>>> And I also tried with openssl on the cli:
>>>
>>>      openssl s_client -state -nbio -connect www.googleapis.com:443 2>&1 | grep "^SSL"
>>>      SSL_connect:before/connect initialization
>>>      SSL_connect:SSLv2/v3 write client hello A
>>>      SSL_connect:error in SSLv2/v3 read server hello A
>>>      SSL_connect:error in SSLv2/v3 read server hello A
>>>
>>> Where did I go wrong?
>>>
>>> --
>>>
>>> Cheers ~
>>>
>>> Larry
>>>
>>
Received on Fri Oct 18 2013 - 03:23:52 MDT

This archive was generated by hypermail 2.2.0 : Fri Oct 18 2013 - 12:00:07 MDT