On 2014-03-07 02:47, Filipe_A. wrote:
> I'm new at Squid and I'm having some difficulties configuring squid to
> access SSL pages. I googled about it and created a certificate and signed it,
> but I cannot access any page, I only get a warning message and when I click on
> proceed anyway I get a squid block message.
>
> I'm using a virtual lab that has two VMs. One with squid and two network
> interfaces, one with NAT and another with an IP on a virtual LAN; in this VM I use
> shorewall and it is configured to redirect Internet from eth0 to eth1, and
> the packets arriving on port 80 are redirected to 3128 and port 443 to 3130.
> The other VM has Win XP installed only to test the squid configuration.
>
> Above is my squid.conf file.
> http_port 3128 transparent
"squid -k parse" will tell you the option is called "intercept" now.
Transparency is something different.
>
> https_port 3130 sslbump cert=/usr/etc/squid.pem key=/usr/etc/squid.pem generate-host-certificates=on options=NO_SSLv2 dynamic_cert_mem_cache_size=4MB
Missing the intercept option here.
Also, "squid -k parse" will tell you the option is called "ssl-bump".
>
> acl localnet src 192.168.56.0/24 # RFC1918 possible internal network
>
> ## avoid proxychaining
>
> always_direct allow all
>
> ## Always complete the serverside handshake before clientside
>
> ssl_bump serverfirst all
>
Also, "squid -k parse" will tell you the option does not exist. It looks
like you are wanting the option "server-first".
> ## Allow server side certificate errors such as untrusted certificates
>
> sslproxy_cert_error allow all
>
> ## Or maybe deny all server side certificates errors
>
> #sslproxy_cert_error deny all
>
> ## Accept certificates that fail verification
>
> sslproxy_flags DONT_VERIFY_PEER
>
Try to avoid this violation of TLS.
The server-first feature makes it mostly unnecessary now.
<snip>
>
> At the configuration of the squid I set these parameters
>
> ./configure --prefix=/usr --enable-shared --enable-icmp --enable-delay-polls --enable-sll --enable-ssl --enable-ssl-crtd --enable-linux-netfilter --enable-auth --enable-basic-auth-helpers=NCSA,LDAP,SMB
>
> Thanks in advance for the help,
> F.A.
>
Amos
Received on Thu Mar 06 2014 - 21:46:44 MST
This archive was generated by hypermail 2.2.0 : Fri Mar 07 2014 - 12:00:05 MST
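The posted squid.conf fragment with the three directive-name corrections from the reply applied ("intercept" instead of "transparent", "ssl-bump" instead of "sslbump", "server-first" instead of "serverfirst") and the DONT_VERIFY_PEER flag removed, as an added example that is not part of the original thread or of the Squid project's documentation. The certificate path is taken from the post; the ssl_crtd helper path, its database directory and the sslcrtd_children count are assumptions for a typical --enable-ssl-crtd build and must be adjusted to the local install.

```conf
# Added example: corrected version of the squid.conf fragment quoted in the
# thread. Helper path and database directory are assumptions.

# Port 80 traffic redirected by the firewall: the option is "intercept".
http_port 3128 intercept

# Port 443 traffic redirected by the firewall also needs "intercept", and the
# bumping option is spelled "ssl-bump". Everything else is as originally posted.
https_port 3130 intercept ssl-bump cert=/usr/etc/squid.pem key=/usr/etc/squid.pem generate-host-certificates=on options=NO_SSLv2 dynamic_cert_mem_cache_size=4MB

# Helper that mints the per-site certificates (built with --enable-ssl-crtd).
# Path and database directory are assumed; create the database once with
# "ssl_crtd -c -s /var/lib/ssl_db" before starting squid.
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

acl localnet src 192.168.56.0/24 # RFC1918 possible internal network

## avoid proxychaining
always_direct allow all

## Always complete the serverside handshake before clientside:
## the option is "server-first".
ssl_bump server-first all

## With server-first squid validates the origin server's certificate itself,
## so no "sslproxy_flags DONT_VERIFY_PEER" is needed. Deny certificate errors
## by default; relax to specific errors only if a known site requires it.
sslproxy_cert_error deny all
```

Run `squid -k parse` against the edited file: it reports each directive it does not recognise, which is exactly how the misspelled options in the original post would have been caught before starting the proxy.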