Hi All,

Still having problems here. This is my https config now:


---------------------------------
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squid.crt key=/etc/squid3/ssl_cert/squid.key options=NO_SSLv3 dhparams=/etc/squid3/ssl_cert/dhparam.pem

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

--------------------------------- 


I'm running version 3.5.23 with openssl 1.0. I've had to disable libecap 
because I couldn't build 3.5 with ecap enabled. I'm getting the following error 
when trying to connect with SSL:

---------------------------------

The following error was encountered while trying to retrieve the URL: 
https://www.google.co.uk/* 

Failed to establish a secure connection to 216.58.198.67 

The system returned: 

(71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) 
SSL Certficate error: certificate issuer (CA) not known: 
/C=US/O=Equifax/OU=Equifax Secure Certificate Authority 

This proxy and the remote host failed to negotiate a mutually acceptable 
security settings for handling your request. It is possible that the remote 
host does not support secure connections, or the proxy is not satisfied with 
the host security credentials. 

Your cache administrator is webmaster. 

Generated Tue, 18 Apr 2017 12:23:40 GMT by raspberrypi (squid/3.5.23)
---------------------------------

The CA is always listed as not known; no matter what site I try, I always get 
this error.

Any ideas?

Thanks,

Olly

________________________________
From: Olly Lennox <oli...@lennox-it.uk>
To: Amos Jeffries <squ...@treenet.co.nz>; "squid-users@lists.squid-cache.org" 
<squid-users@lists.squid-cache.org> 
Sent: Sunday, 16 April 2017, 9:31
Subject: Re: [squid-users] HTTPS woes



Thanks Amos, it's finally built but I had to disable ecap; for whatever reason 
this kept failing (with version 1.0.1 installed). It failed on a reference to 
the Area function I think but I don't have the error message copied. I'm trying 
now to configure the ssl stare/peek and will let you know how it goes.

Olly
 
oli...@lennox-it.uk
lennox-it.uk
tel: 07900 648 252



________________________________
From: Amos Jeffries <squ...@treenet.co.nz>
To: squid-users@lists.squid-cache.org 
Sent: Saturday, 15 April 2017, 23:07
Subject: Re: [squid-users] HTTPS woes



On 15/04/2017 9:59 a.m., Olly Lennox wrote:
> Hi Guys.
> I'm still struggling with this. I'm trying to build a version of 3.5 but I 
> just can't get it to work. I'm currently attempting to rebuild the stretch 
> package with SSL enabled but build keeps failing with the following:
> ../../src/ssl/gadgets.h:83:45: error: ‘CRYPTO_LOCK_X509’ was not declared in this scope
>  typedef LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> X509_Pointer;
>                                              ^~~~~~~~~~~~~~~~
> ../../src/ssl/gadgets.h:83:61: error: template argument 3 is invalid
>  typedef LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> X509_Pointer;
>                                                              ^
> ../../src/ssl/gadgets.h:89:53: error: ‘CRYPTO_LOCK_EVP_PKEY’ was not declared in this scope
>  typedef LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY> EVP_PKEY_Pointer;
>                                                      ^~~~~~~~~~~~~~~~~~~~
> ../../src/ssl/gadgets.h:89:73: error: template argument 3 is invalid
>  typedef LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY> EVP_PKEY_Pointer;
>                                                                          ^
> ../../src/ssl/gadgets.h:116:43: error: ‘CRYPTO_LOCK_SSL’ was not declared in this scope
>  typedef LockingPointer<SSL, SSL_free_cpp, CRYPTO_LOCK_SSL> SSL_Pointer;
>                                            ^~~~~~~~~~~~~~~
> ../../src/ssl/gadgets.h:116:58: error: template argument 3 is invalid
>  typedef LockingPointer<SSL, SSL_free_cpp, CRYPTO_LOCK_SSL> SSL_Pointer;
>                                                           ^
> Any ideas?



On Jessie/stable:

apt-get build-dep squid3
apt-get install libssl-dev


On stretch/testing/unstable:

apt-get build-dep squid
apt-get install libssl1.0-dev


That should do it for you.

Amos


_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


