RE: [squid-users] Centos 6.5 , Squid 3.4.3-1.el6.i386 Transparent HTTPS , SSL_BUMP , HTTPS part not working

From: Robert Becskei <robert.becskei_at_gmail.com>
Date: Sun, 30 Mar 2014 12:13:00 +0200

SOLVED!!!!!! FOR ANYONE HAVING THE SAME ISSUES, THE COMPLETE SOLUTION FOLLOWS

STEP 1:

  /etc/init.d/squid stop

STEP 2: (which I think should be solved by SQUID in a future update because
this could be categorized as a bug)

Delete the files in /var/lib/ssl_db/certs, then empty index.txt and change the
number in the size file to 0

This must be done because if SQUID generated the certificates for your sites
using some other certificate, they WON'T BE OVERWRITTEN if you change to a new
certificate. For example: you generated the www.grc.com certificate with a
previous certificate, then you changed to some other certificate and continued
with it ... the www.grc.com certificate is kept with the old info, which in
turn causes problems later on.
(This could happen to you if you don't succeed at setting it up at first
and play around with certificates, or for example your certificate expires
and you need to issue a new one.)
DON'T FORGET: if you change the CERTIFICATE in SQUID, empty
/var/lib/ssl_db/certs and index.txt and set size to 0, otherwise it won't work
@!#!@#!@

STEP 3:

I created the certificates this way because it is a lot simpler:

cd /etc/squid/ssl_cert

openssl req -new -newkey rsa:1024 -days 1365 -nodes -x509 -keyout myca.pem -out myca.pem
(this is for squid)

openssl x509 -in myca.pem -outform DER -out myca.der
(for Windows XP in this case)

STEP 4:

Alter squid.conf (the only change from my previous one is this line):

https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem

STEP 5:

Move myca.der to the Windows XP client and add it to the trusted root certificates

I just tested: it works on my CentOS 6.5 box with SQUID 3.4.3-1.el6 with
Firefox, Internet Explorer, and Chrome.
NOTE: Chrome seems to use the same certificate store as IE, but you still
need to add it in IE as well. Remember: everywhere, to the trusted root
certificates, and voila, it works!

STEP 6:

Someone should do something about Squid somehow checking whether the existing
keys in /var/lib/ssl_db match the new certificates. I don't know how this
generation works, but I guess it could be possible to remove invalid
certificates?

Greetings
Robert

Ps.; I'm so happpyyyyy : )
Received on Sun Mar 30 2014 - 10:13:26 MDT
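The check asked for in STEP 6, and the cache wipe from STEP 2, as an added shell example that is not part of Robert's post or of Squid itself. It assumes the post's layout (CA in /etc/squid/ssl_cert/myca.pem, ssl_crtd cache in /var/lib/ssl_db with certs/, index.txt and size) and needs the openssl command line tool.

```shell
#!/bin/sh
# Added example, not from the original post. Checks whether the host
# certificates cached by Squid's ssl_crtd in /var/lib/ssl_db still verify
# against the CA currently set via cert=/key= in squid.conf (the post's CA is
# /etc/squid/ssl_cert/myca.pem); both paths are parameters. Needs openssl.

# stale_ssl_db_certs CA_PEM DB_DIR
# Prints every cached certificate that was NOT issued by CA_PEM.
# Returns 0 when the cache is consistent with the CA, 1 when stale files exist.
stale_ssl_db_certs() {
    ca_pem=$1
    db_dir=$2
    stale=0
    for f in "$db_dir"/certs/*.pem; do
        [ -f "$f" ] || continue          # unmatched glob: cache is empty
        # "openssl verify" checks the signature, not only the issuer name, so
        # a CA re-issued with the same subject but a new key is still detected.
        if ! openssl verify -CAfile "$ca_pem" "$f" >/dev/null 2>&1; then
            echo "$f"
            stale=$((stale + 1))
        fi
    done
    [ "$stale" -eq 0 ]
}

# reset_ssl_db DB_DIR
# STEP 2 of the post as a function: empty the cache so ssl_crtd regenerates
# every host certificate under the new CA. Run only while Squid is stopped.
reset_ssl_db() {
    db_dir=$1
    rm -f "$db_dir"/certs/*.pem
    : > "$db_dir/index.txt"
    echo 0 > "$db_dir/size"
}

# Typical use after changing the CA (paths from the post):
#   /etc/init.d/squid stop
#   stale_ssl_db_certs /etc/squid/ssl_cert/myca.pem /var/lib/ssl_db \
#       || reset_ssl_db /var/lib/ssl_db
#   /etc/init.d/squid start
```

Because the check verifies signatures rather than comparing names, it also catches the case the post describes: re-running the same openssl req line produces a CA with an identical subject but a new key, and every cached host certificate is then stale.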
