I'm using sslproxy_foreign_intermediate_certs. Is this the same thing? Also, is there anywhere to get a bundle of all the major CA intermediate certs, or do you have to download them all manually?

Cheers,

oli...@lennox-it.uk
lennox-it.uk
tel: 07900 648 252
From: Yuri <yvoi...@gmail.com>
To: squid-users@lists.squid-cache.org
Sent: Tuesday, 18 April 2017, 13:51
Subject: Re: [squid-users] HTTPS woes

Try to specify the root CA bundle/dir explicitly by specifying one of these params:

# TAG: sslproxy_cafile
# file containing CA certificates to use when verifying server
# certificates while proxying https:// URLs
#Default:
# none

# TAG: sslproxy_capath
# directory containing CA certificates to use when verifying
# server certificates while proxying https:// URLs
#Default:
# none

18.04.2017 18:46, Olly Lennox wrote:
> Hi All,
>
> Still having problems here. This is my https config now:
>
> ---------------------------------
> https_port 3129 intercept ssl-bump
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/etc/squid3/ssl_cert/squid.crt key=/etc/squid3/ssl_cert/squid.key
> options=NO_SSLv3 dhparams=/etc/squid3/ssl_cert/dhparam.pem
>
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all
> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
> sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>
> sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
> sslcrtd_children 8 startup=1 idle=1
>
> ---------------------------------
>
> I'm running version 3.5.23 with openssl 1.0. I've had to disable libecap
> because I couldn't build 3.5 with ecap enabled.
> I'm getting the following error when trying to connect with SSL:
>
> ---------------------------------
>
> The following error was encountered while trying to retrieve the URL:
> https://www.google.co.uk/*
>
> Failed to establish a secure connection to 216.58.198.67
>
> The system returned:
>
> (71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
> SSL Certficate error: certificate issuer (CA) not known:
> /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>
> This proxy and the remote host failed to negotiate a mutually acceptable
> security settings for handling your request. It is possible that the remote
> host does not support secure connections, or the proxy is not satisfied with
> the host security credentials.
>
> Your cache administrator is webmaster.
>
> Generated Tue, 18 Apr 2017 12:23:40 GMT by raspberrypi (squid/3.5.23)
> ---------------------------------
>
> The CA is always listed as not known no matter what site I try; I always get
> this error.
>
> Any ideas?
>
> Thanks,
>
> Olly
>
> ________________________________
> From: Olly Lennox <oli...@lennox-it.uk>
> To: Amos Jeffries <squ...@treenet.co.nz>; "squid-users@lists.squid-cache.org" <squid-users@lists.squid-cache.org>
> Sent: Sunday, 16 April 2017, 9:31
> Subject: Re: [squid-users] HTTPS woes
>
> Thanks Amos, it's finally built but I had to disable ecap; for whatever
> reason this kept failing (with version 1.0.1 installed). It failed on a
> reference to the Area function I think, but I don't have the error message
> copied. I'm trying now to configure the ssl stare/peek and will let you know
> how it goes.
>
> Olly
>
> oli...@lennox-it.uk
> lennox-it.uk
> tel: 07900 648 252
>
> ________________________________
> From: Amos Jeffries <squ...@treenet.co.nz>
> To: squid-users@lists.squid-cache.org
> Sent: Saturday, 15 April 2017, 23:07
> Subject: Re: [squid-users] HTTPS woes
>
> On 15/04/2017 9:59 a.m., Olly Lennox wrote:
>> Hi Guys.
>> I'm still struggling with this. I'm trying to build a version of 3.5 but I
>> just can't get it to work. I'm currently attempting to rebuild the stretch
>> package with SSL enabled but the build keeps failing with the following:
>>
>> ../../src/ssl/gadgets.h:83:45: error: ‘CRYPTO_LOCK_X509’ was not declared in this scope
>>  typedef LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> X509_Pointer;
>>                                              ^~~~~~~~~~~~~~~~
>> ../../src/ssl/gadgets.h:83:61: error: template argument 3 is invalid
>>  typedef LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> X509_Pointer;
>>                                                              ^
>> ../../src/ssl/gadgets.h:89:53: error: ‘CRYPTO_LOCK_EVP_PKEY’ was not declared in this scope
>>  typedef LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY> EVP_PKEY_Pointer;
>>                                                      ^~~~~~~~~~~~~~~~~~~~
>> ../../src/ssl/gadgets.h:89:73: error: template argument 3 is invalid
>>  typedef LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY> EVP_PKEY_Pointer;
>>                                                                          ^
>> ../../src/ssl/gadgets.h:116:43: error: ‘CRYPTO_LOCK_SSL’ was not declared in this scope
>>  typedef LockingPointer<SSL, SSL_free_cpp, CRYPTO_LOCK_SSL> SSL_Pointer;
>>                                            ^~~~~~~~~~~~~~~
>> ../../src/ssl/gadgets.h:116:58: error: template argument 3 is invalid
>>  typedef LockingPointer<SSL, SSL_free_cpp, CRYPTO_LOCK_SSL> SSL_Pointer;
>>                                                           ^
>>
>> Any ideas?
>
> On Jessie/stable:
>
>   apt-get build-dep squid3
>   apt-get install libssl-dev
>
> On stretch/testing/unstable:
>
>   apt-get build-dep squid
>   apt-get install libssl1.0-dev
>
> That should do it for you.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
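The failure Olly reports and the two directives Yuri points at can be reproduced offline with a throwaway chain and the openssl CLI. This is an added example, not code from the thread or from the Squid project; it assumes the openssl binary is installed, and every subject name in it is constructed. What it shows is the mapping between what openssl verify needs and what Squid's sslproxy_cafile/sslproxy_capath and sslproxy_foreign_intermediate_certs supply.

```shell
#!/bin/sh
# Added example, not code from the thread: rebuild Olly's failure
# (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) with a throwaway CA chain and
# show which Squid directive each ingredient of a successful check maps to:
#   sslproxy_cafile / sslproxy_capath    -> trusted roots       (openssl verify -CAfile)
#   sslproxy_foreign_intermediate_certs  -> extra intermediates (openssl verify -untrusted)
# Requires the openssl CLI. Subject names are constructed; no real CA is involved.
set -e

# mkcert <dir> <name> <subject> <extfile> [<issuer>]: self-signed without an issuer.
mkcert() {
  d=$1; n=$2; subj=$3; ext=$4; ca=$5
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  if [ -z "$ca" ]; then
    openssl x509 -req -in "$d/$n.csr" -signkey "$d/$n.key" -days 2 \
      -extfile "$d/$ext" -out "$d/$n.pem" 2>/dev/null
  else
    openssl x509 -req -in "$d/$n.csr" -CA "$d/$ca.pem" -CAkey "$d/$ca.key" \
      -CAcreateserial -days 2 -extfile "$d/$ext" -out "$d/$n.pem" 2>/dev/null
  fi
}

# Build root -> intermediate -> leaf under directory $1.
make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$1/leaf.ext"
  mkcert "$1" root  '/CN=Constructed Root'         ca.ext
  mkcert "$1" inter '/CN=Constructed Intermediate' ca.ext   root
  mkcert "$1" leaf  '/CN=www.example.test'         leaf.ext inter
}

# Root store only and the server sent no intermediate: Squid reports this as
# "certificate issuer (CA) not known". Prints openssl's reason text on failure.
verify_root_only() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1 |
    grep -o 'unable to get local issuer certificate' | head -n 1
}

# Same root store plus the intermediate supplied out of band, which is what
# sslproxy_foreign_intermediate_certs does for Squid. Exit status 0 on success.
verify_with_intermediate() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/leaf.pem" >/dev/null 2>&1
}

WORK=$(mktemp -d)
make_chain "$WORK"
echo "root only        : $(verify_root_only "$WORK")"
verify_with_intermediate "$WORK" && echo "with intermediate: OK"
rm -rf "$WORK"
```

On Debian-based systems the trusted roots Yuri refers to are normally the ca-certificates bundle at /etc/ssl/certs/ca-certificates.crt, which is what sslproxy_cafile would point at; intermediates that an origin server omits from its handshake are what sslproxy_foreign_intermediate_certs exists to supply.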