Re: [squid-users] squid ssl-bump with icap returns 503

2021-03-06 Thread Niels Hofmans
Hi Amos, Just to get back to this, the conclusion is that https_port does not support ssl-bump of requests passing through CONNECT. I’ll terminate the TLS connection in front of squid through a load balancer and use http_port, which works fine. Thank you! Niels Hofmans SITE https://ironpeak.

Re: [squid-users] squid ssl-bump with icap returns 503

2021-03-04 Thread Amos Jeffries
On 5/03/21 1:39 am, Niels Hofmans wrote: Hi Amos, Thank you for getting back to me. So if ssl-bump is required on the http(s)_port directive, I end up at: https_port simply means TLS is the transport protocol. The transport is terminated at the proxy. There are many permutations of what is b

Re: [squid-users] squid ssl-bump with icap returns 503

2021-03-04 Thread Niels Hofmans
Hi Amos, Thank you for getting back to me. So if ssl-bump is required on the http(s)_port directive, I end up at: http_port 0.0.0.0:3128 https_port 0.0.0.0:3129 ssl-bump intercept \ generate-host-certificates=on dynamic_cert_mem_cache_size=10MB \ cert=/etc/squid/ssl/squid.crt key=/etc/squ

Re: [squid-users] squid ssl-bump with icap returns 503

2021-03-04 Thread Amos Jeffries
On 4/03/21 11:36 pm, Niels Hofmans wrote: Hi guys, I’m asking here but since I’m not too comfortable with a mailing list, it’s also on serverfault.com : https://serverfault.com/questions/1055663/squid-icap-not-working-if-using-tls-interception-but-both-work-separately

Re: [squid-users] squid ssl-bump with icap returns 503

2021-03-04 Thread Niels Hofmans
Hi, Interestingly this seems to work on a http_proxy listener: http_port 0.0.0.0:3129 ssl-bump \ generate-host-certificates=on dynamic_cert_mem_cache_size=10MB \ cert=/etc/squid/ssl/squid.crt key=/etc/squid/ssl/squid.key #tls-cert=/etc/squid/ssl/squid.crt tls-key=/etc/squid/ssl/squid.

Re: [squid-users] squid ssl-bump with icap returns 503

2021-03-04 Thread Niels Hofmans
Hi, I think I may have found an issue: it only seems to ICAP the CONNECT request, whereas it will not pass any subsequent requests in that CONNECT tunnel to ICAP? So my original implementation did not check for the HTTP method in ICAP, so it returned the wrong CONNECT hostname: OPTIONS icap://

Re: [squid-users] squid ssl-bump with icap returns 503

2021-03-04 Thread NgTech LTD
Would it be possible to dump some icap traffic so we would be able to understand what might cause this issue if at all? Eliezer On Thu, 4 Mar 2021, 12:36, Niels Hofmans wrote: > Hi guys, > > I’m asking here but since I’m not too comfortable with a mailing list, > it’s also on serverfault

[squid-users] squid ssl-bump with icap returns 503

2021-03-04 Thread Niels Hofmans
Hi guys, I’m asking here but since I’m not too comfortable with a mailing list, it’s also on serverfault.com: https://serverfault.com/questions/1055663/squid-icap-not-working-if-using-tls-interception-but-both-work-separately

Re: [squid-users] Squid SSL-bump error Change Cipher Spec

2018-12-03 Thread Amos Jeffries
On 4/12/18 12:18 pm, johnr wrote: >> What are your squid.conf settings now? > > http_port 3128 ssl-bump You are missing a CA certificate for the bumping process to use for the certificates it sends the clients. Also you do not have any ssl_bump lines here. They are required to tell Squid which o

Re: [squid-users] Squid SSL-bump error Change Cipher Spec

2018-12-03 Thread johnr
>What are your squid.conf settings now? http_port 3128 ssl-bump tls_outgoing_options NO_TICKET,ALL,No_SSLv3 min-version=1.0

Re: [squid-users] Squid SSL-bump error Change Cipher Spec

2018-12-01 Thread Amos Jeffries
On 1/12/18 3:26 pm, John Refwe wrote: > Hi, >   > I have an error when going to a site that is set to be ssl-bumped in squid. >   > I have modified my squid config so that I have not specified any ciphers > (I read in another forum post this would be the way to make it closest > to the standard op

[squid-users] Squid SSL-bump error Change Cipher Spec

2018-11-30 Thread John Refwe
Hi,   I have an error when going to a site that is set to be ssl-bumped in squid.   I have modified my squid config so that I have not specified any ciphers (I read in another forum post this would be the way to make it closest to the standard openssl).   The error that I see in squid cache l

Re: [squid-users] squid ssl bump and Adobe Connect

2017-06-06 Thread Amos Jeffries
On 06/06/17 18:08, Vieri wrote: From: Alex Rousskov 1496665088.143 6 10.215.145.187 TAG_NONE/400 4428 NONE error:invalid-request - HIER_NONE/- text/html> I recommend finding the place in the debugging cache.log where Squid generates the above error respon

Re: [squid-users] squid ssl bump and Adobe Connect

2017-06-05 Thread Vieri
From: Alex Rousskov > >> 1496665088.143 6 10.215.145.187 TAG_NONE/400 4428 NONE >> error:invalid-request - HIER_NONE/- >> text/html> > I recommend finding the place in the debugging cache.log where Squid > generates the above error response and then going

Re: [squid-users] squid ssl bump and Adobe Connect

2017-06-05 Thread Alex Rousskov
On 06/05/2017 06:49 AM, Vieri wrote: > 1496665088.143 6 10.215.145.187 TAG_NONE/400 4428 NONE > error:invalid-request - HIER_NONE/- text/html > Any ideas? I recommend finding the place in the debugging cache.log where Squid generates the above error response and then going backwards to fin

[squid-users] squid ssl bump and Adobe Connect

2017-06-05 Thread Vieri
Hi, I'm reposting this message because my previous email was too big. I'm unable to connect to Adobe Connect through Squid TPROXY. The URL is: https://emeacmsd.acms.com/common/help/en/support/meeting_test.htm # grep -v ^# squid.test.conf | grep -v ^$ http_access allow localhost manager http_

Re: [squid-users] Squid SSL-bump - Not working - No errors

2017-04-17 Thread Amos Jeffries
The first problem is that you are using a broken config from Squid-3.1 in a version 3.5 proxy. Please reset your squid.conf and set it up as described by Amos ___ squid-users ma

[squid-users] Squid SSL-bump - Not working - No errors

2017-04-16 Thread Mohammed al-jakry
Dears, I am setting the SSL-bump for squid 3.5 on CentOS 7, I already generated ssl certificate with the below commands: *OPENSSL=/usr/bin/openssl* *SSLDIR=/etc/mydlp/ssl* *mkdir -p $SSLDIR || exit 1* *rm -rf $SSLDIR/** *[ -e $SSLDIR/private.pem ] || $OPENSSL genrsa 4096 > $SSLDIR/private

Re: [squid-users] Squid SSL Bump

2016-04-25 Thread Amos Jeffries
On 25/04/2016 2:34 p.m., skeetz9r wrote: > UPDATE ** > > On more digging it seems like the SSL server is using SHA 1 and that may be > the issue here. Any way around that? > Check out the options your OpenSSL library supports. It may or may not support SHA1 being added to the allowed hashes list

Re: [squid-users] Squid SSL Bump

2016-04-24 Thread skeetz9r
UPDATE ** On more digging it seems like the SSL server is using SHA 1 and that may be the issue here. Any way around that?

Re: [squid-users] Squid SSL Bump

2016-04-24 Thread skeetz9r
When I updated the package, I now see the root CA (AAA) in the list *cat /etc/pki/tls/certs/ca-bundle.crt | grep "AAA"* But the SSL server I am accessing is in the following chain *AAA (issued)-> Intermediate Cert (issued)-> SSL Server Cert* When I grep the ca-bundle, I don't see the Intermed

Re: [squid-users] Squid SSL Bump

2016-04-22 Thread Amos Jeffries
On 23/04/2016 7:02 a.m., Zee wrote: > I am doing SSL bump it seems like Squid utilizes openssl library. I went > ahead and updated openssl library to reflect new CA certificates, but it > still fails to work and I see the following error. > "The system returned: > (71) Protocol error (TLS code: X

[squid-users] Squid SSL Bump

2016-04-22 Thread Zee
I am doing SSL bump it seems like Squid utilizes openssl library. I went ahead and updated openssl library to reflect new CA certificates, but it still fails to work and I see the following error. "The system returned: (71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)"

Re: [squid-users] Squid ssl bump with upstream proxy

2016-03-06 Thread Baselsayeh
Thanks, I managed to do it Amos Jeffries wrote > On 2/03/2016 3:02 p.m., Baselsayeh wrote: >> My proxy supports connecting to https website by using >> (Connect Website:443) (as if normal proxy in browser settings) >> The problem is that the proxy doesn't support tunnels > > Yes, that is what we h

Re: [squid-users] Squid ssl bump with upstream proxy

2016-03-02 Thread Baselsayeh
What about B? Will it forward https to parent proxy perfectly? Amos Jeffries wrote > On 2/03/2016 9:48 a.m., Baselsayeh wrote: >> Yuri Voinov wrote >> Aha, I'm stupid. >> >> Squid can't re-crypted peer connections. You need to splice peered >> URL's before tunnel it into your peer. >> >> 28.02

Re: [squid-users] Squid ssl bump with upstream proxy

2016-03-02 Thread Baselsayeh
Amos Jeffries wrote > On 2/03/2016 3:02 p.m., Baselsayeh wrote: >> My proxy supports connecting to https website by using >> (Connect Website:443) (as if normal proxy in browser settings) >> The problem is that the proxy doesn't support tunnels > > Yes, that is what we have been trying to tell you.

Re: [squid-users] Squid ssl bump with upstream proxy

2016-03-01 Thread Amos Jeffries
On 2/03/2016 3:02 p.m., Baselsayeh wrote: > My proxy supports connecting to https website by using > (Connect Website:443) (as if normal proxy in browser settings) > The problem is that the proxy doesn't support tunnels Yes, that is what we have been trying to tell you. But then you ask for a conf

Re: [squid-users] Squid ssl bump with upstream proxy

2016-03-01 Thread Baselsayeh
My proxy supports connecting to https website by using (Connect Website:443) (as if normal proxy in browser settings) The problem is that the proxy doesn't support tunnels Can you give me a config example A isn't my option because I use interceptor https port Amos Jeffries wrote > On 2/03/2016 9:4

Re: [squid-users] Squid ssl bump with upstream proxy

2016-03-01 Thread Amos Jeffries
On 2/03/2016 9:48 a.m., Baselsayeh wrote: > Yuri Voinov wrote > Aha, I'm stupid. > > Squid can't re-crypted peer connections. You need to splice peered > URL's before tunnel it into your peer. > > 28.02.16 2:07, Baselsayeh wrote: No What I need i need is Get ssl info from browser

Re: [squid-users] Squid ssl bump with upstream proxy

2016-03-01 Thread Baselsayeh
Yuri Voinov wrote > Aha, I'm stupid. > > Squid can't re-crypted peer connections. You need to splice peered > URL's before tunnel it into your peer. > > 28.02.16 2:07, Baselsayeh wrote: >> No >> What I need i need is >> Get ssl info from br

Re: [squid-users] Squid ssl bump with upstream proxy

2016-02-27 Thread Baselsayeh
Ok can you give me a config example

Re: [squid-users] Squid ssl bump with upstream proxy

2016-02-27 Thread Yuri Voinov
Aha, I'm stupid. Squid can't re-crypted peer connections. You need to splice peered URL's before tunnel it into your peer. 28.02.16 2:07, Baselsayeh wrote: > No > What I need i need is > Get ssl info from browser - squid - upstream proxy - inter

Re: [squid-users] Squid ssl bump with upstream proxy

2016-02-27 Thread Baselsayeh
No What I need i need is Get ssl info from browser - squid - upstream proxy - internet Using cache_peer With ssl_bump But for some reason the upstream proxy won't get the https requests All I want is https -> sslbump -> upstream proxy via CONNECT request

Re: [squid-users] Squid ssl bump with upstream proxy

2016-02-27 Thread Yuri Voinov
You need just to install into your downstream proxy CA's from your upstream proxy. :) 28.02.16 1:20, Baselsayeh wrote: > Hello > I'm trying to get ssl bump to work with an upstream proxy > The problem is that the upstream proxy only supports CONNECT

[squid-users] Squid ssl bump with upstream proxy

2016-02-27 Thread Baselsayeh
Hello I'm trying to get ssl bump to work with an upstream proxy The problem is that the upstream proxy only supports CONNECT and not ssl So I tried with squid http and https intercept ports with ssl bump and generate host certs is on But it won't work in ssl (http works fine)

[squid-users] Squid SSL Bump Certificates

2015-01-18 Thread Jatin Bhasin
Hello, I am using squid 3.4.9 with SSL Bump feature. I am using the following https_port directive. https_port 8090 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=Certficate key=Key I am unable to find out where all the certificates are being stored. I was w