18.04.2017 18:56, Olly Lennox wrote:
> I'm using
> sslproxy_foreign_intermediate_certs
> Is this the same thing?
No. You first need the CA roots available to Squid. CA roots and
intermediates are different things.
> Also is there anywhere to get a bundle of all the major CA intermediate
> certs or do you have to download them all manually?
No. You should build it yourself.
> Cheers,
> oli...@lennox-it.uk
> lennox-it.uk <http://lennox-it.uk/>
> tel: 07900 648 252
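The distinction Yuri draws above, that a bundle of intermediates handed to sslproxy_foreign_intermediate_certs is not the root store Squid verifies against (sslproxy_cafile or sslproxy_capath), can be checked directly on the file you intend to use. The script below is an added example, not code from this thread or from the Squid project. It uses only the Python standard library: it splits a PEM bundle, walks each certificate's DER just far enough to read the issuer and subject Names, calls an entry a root when the two are identical, and reports every issuer that no entry in the bundle provides, which is exactly the condition behind X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. The function and variable names are mine. The test data at the bottom is constructed: certificate-shaped DER with placeholder key and signature fields, not real certificates; the Equifax issuer name is copied from Olly's error page only so the output matches it.

```python
"""Audit a PEM CA bundle as a TLS verifier sees it: roots (self-issued),
intermediates, and issuers that nothing in the bundle can satisfy.
Standard library only; added example, not Squid project code."""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# DER-encoded attribute type OIDs commonly found in CA names.
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C",
             b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}


def pem_to_der_list(text):
    """Split a PEM bundle into the DER bytes of each certificate."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(text)]


def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def issuer_and_subject(der):
    """Return the DER-encoded issuer and subject Names of an X.509 certificate."""
    _, pos, _ = read_tlv(der, 0)           # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)         # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        pos = end
    _, _, pos = read_tlv(der, pos)         # serialNumber
    _, _, pos = read_tlv(der, pos)         # signature AlgorithmIdentifier
    _, _, end = read_tlv(der, pos)         # issuer Name
    issuer = der[pos:end]
    _, _, pos = read_tlv(der, end)         # validity
    _, _, end = read_tlv(der, pos)         # subject Name
    return issuer, der[pos:end]


def name_to_str(name_der):
    """Render a DER Name as /C=../O=../OU=.., the form Squid's error page uses."""
    parts = []
    _, pos, end = read_tlv(name_der, 0)                        # Name SEQUENCE
    while pos < end:
        _, rdn_pos, rdn_end = read_tlv(name_der, pos)          # RDN SET
        while rdn_pos < rdn_end:
            _, atv_pos, atv_end = read_tlv(name_der, rdn_pos)  # AttributeTypeAndValue
            _, oid_s, oid_e = read_tlv(name_der, atv_pos)      # type OID
            _, val_s, val_e = read_tlv(name_der, oid_e)        # value string
            oid = name_der[oid_s:oid_e]
            parts.append(f"{OID_NAMES.get(oid, oid.hex())}="
                         f"{name_der[val_s:val_e].decode('utf-8', 'replace')}")
            rdn_pos = atv_end
        pos = rdn_end
    return "/" + "/".join(parts)


def audit_bundle(pem_text):
    """Classify each certificate and list issuers no entry in the bundle provides."""
    pairs = [issuer_and_subject(d) for d in pem_to_der_list(pem_text)]
    subjects = {subj for _, subj in pairs}
    return {
        "roots": [name_to_str(s) for i, s in pairs if i == s],
        "intermediates": [name_to_str(s) for i, s in pairs if i != s],
        "missing_issuers": sorted({name_to_str(i) for i, s in pairs
                                   if i != s and i not in subjects}),
    }


# CONSTRUCTED test data: certificate-shaped DER with placeholder key and
# signature fields. Enough for the parser above; not usable certificates.
def der(tag, content):
    """Minimal DER TLV encoder (minimal-length form, up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def x509_name(**attrs):
    """Build a Name with one RDN per attribute, e.g. x509_name(C="US", O="Example")."""
    oid_by_label = {v: k for k, v in OID_NAMES.items()}
    return der(0x30, b"".join(
        der(0x31, der(0x30, der(0x06, oid_by_label[k]) + der(0x13, v.encode())))
        for k, v in attrs.items()))


def constructed_cert(subject, issuer):
    """PEM block for a fake certificate with the given subject and issuer Names."""
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))
    validity = der(0x30, der(0x17, b"170101000000Z") + der(0x17, b"270101000000Z"))
    spki = der(0x30, alg + der(0x03, b"\x00"))            # placeholder, not a key
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + issuer + validity + subject + spki)
    cert = der(0x30, tbs + alg + der(0x03, b"\x00\x00"))  # placeholder signature
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


EQUIFAX = x509_name(C="US", O="Equifax", OU="Equifax Secure Certificate Authority")
# Intermediate-only bundle, the kind fed to sslproxy_foreign_intermediate_certs.
INTERMEDIATE_ONLY = constructed_cert(
    subject=x509_name(C="US", O="Example Intermediate CA"), issuer=EQUIFAX)
# The same bundle plus its self-issued root, which is what sslproxy_cafile needs.
WITH_ROOT = INTERMEDIATE_ONLY + constructed_cert(subject=EQUIFAX, issuer=EQUIFAX)

if __name__ == "__main__":
    for label, bundle in (("intermediate only", INTERMEDIATE_ONLY), ("with root", WITH_ROOT)):
        print(label, audit_bundle(bundle))
```

Point audit_bundle at the file your sslproxy_cafile names (or at each file under sslproxy_capath): a result with an empty roots list, or with the issuer from the error page under missing_issuers, is the intermediates-only situation described above. Names are compared as raw DER bytes, which is stricter than the canonicalised comparison OpenSSL performs, so a mismatch reported here against a real bundle is worth confirming with openssl verify before acting on it.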
------------------------------------------------------------------------
*From:* Yuri <yvoi...@gmail.com>
*To:* squid-users@lists.squid-cache.org
*Sent:* Tuesday, 18 April 2017, 13:51
*Subject:* Re: [squid-users] HTTPS woes
Try to specify the root CA bundle/dir explicitly by setting one of these
params:
# TAG: sslproxy_cafile
# file containing CA certificates to use when verifying server
# certificates while proxying https:// URLs
#Default:
# none
# TAG: sslproxy_capath
# directory containing CA certificates to use when verifying
# server certificates while proxying https:// URLs
#Default:
# none
18.04.2017 18:46, Olly Lennox wrote:
> Hi All,
>
> Still having problems here. This is my https config now:
>
>
> ---------------------------------
> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squid.crt key=/etc/squid3/ssl_cert/squid.key options=NO_SSLv3 dhparams=/etc/squid3/ssl_cert/dhparam.pem
>
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all
> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
> sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>
> sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
> sslcrtd_children 8 startup=1 idle=1
>
> ---------------------------------
>
>
> I'm running version 3.5.23 with openssl 1.0. I've had to disable
> libecap because I couldn't build 3.5 with ecap enabled. I'm getting
> the following error when trying to connect with SSL:
>
> ---------------------------------
>
> The following error was encountered while trying to retrieve the
> URL: https://www.google.co.uk/*
>
> Failed to establish a secure connection to 216.58.198.67
>
> The system returned:
>
> (71) Protocol error (TLS code:
> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
> SSL Certficate error: certificate issuer (CA) not known:
> /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>
> This proxy and the remote host failed to negotiate a mutually
> acceptable security settings for handling your request. It is possible
> that the remote host does not support secure connections, or the proxy
> is not satisfied with the host security credentials.
>
> Your cache administrator is webmaster.
>
> Generated Tue, 18 Apr 2017 12:23:40 GMT by raspberrypi (squid/3.5.23)
> ---------------------------------
>
> The CA is always listed as not known, no matter what site I try; I
> always get this error.
>
> Any ideas?
>
> Thanks,
>
> Olly
>
> ________________________________
> From: Olly Lennox <oli...@lennox-it.uk>
> To: Amos Jeffries <squ...@treenet.co.nz>; squid-users@lists.squid-cache.org
> Sent: Sunday, 16 April 2017, 9:31
> Subject: Re: [squid-users] HTTPS woes
>
>
>
> Thanks Amos, it's finally built but I had to disable ecap; for
> whatever reason this kept failing (with version 1.0.1 installed). It
> failed on a reference to the Area function I think, but I don't have
> the error message copied. I'm trying now to configure the ssl
> stare/peek and will let you know how it goes.
>
> Olly
>
> oli...@lennox-it.uk <mailto:oli...@lennox-it.uk>
> lennox-it.uk
> tel: 07900 648 252
>
>
>
> ________________________________
> From: Amos Jeffries <squ...@treenet.co.nz>
> To: squid-users@lists.squid-cache.org
> Sent: Saturday, 15 April 2017, 23:07
> Subject: Re: [squid-users] HTTPS woes
>
>
>
> On 15/04/2017 9:59 a.m., Olly Lennox wrote:
>> Hi Guys.
>> I'm still struggling with this. I'm trying to build a version of
>> 3.5 but I just can't get it to work. I'm currently attempting to
>> rebuild the stretch package with SSL enabled but the build keeps failing
>> with the following:
>>
>> ../../src/ssl/gadgets.h:83:45: error: ‘CRYPTO_LOCK_X509’ was not declared in this scope
>>  typedef LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> X509_Pointer;
>>                                              ^~~~~~~~~~~~~~~~
>> ../../src/ssl/gadgets.h:83:61: error: template argument 3 is invalid
>>  typedef LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> X509_Pointer;
>>                                                              ^
>> ../../src/ssl/gadgets.h:89:53: error: ‘CRYPTO_LOCK_EVP_PKEY’ was not declared in this scope
>>  typedef LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY> EVP_PKEY_Pointer;
>>                                                      ^~~~~~~~~~~~~~~~~~~~
>> ../../src/ssl/gadgets.h:89:73: error: template argument 3 is invalid
>>  typedef LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY> EVP_PKEY_Pointer;
>>                                                                          ^
>> ../../src/ssl/gadgets.h:116:43: error: ‘CRYPTO_LOCK_SSL’ was not declared in this scope
>>  typedef LockingPointer<SSL, SSL_free_cpp, CRYPTO_LOCK_SSL> SSL_Pointer;
>>                                            ^~~~~~~~~~~~~~~
>> ../../src/ssl/gadgets.h:116:58: error: template argument 3 is invalid
>>  typedef LockingPointer<SSL, SSL_free_cpp, CRYPTO_LOCK_SSL> SSL_Pointer;
>>                                                           ^
>> Any ideas?
>
>
> On Jessie/stable:
>
> apt-get build-dep squid3
> apt-get install libssl-dev
>
>
> On stretch/testing/unstable:
>
> apt-get build-dep squid
> apt-get install libssl1.0-dev
>
>
> That should do it for you.
>
> Amos
>
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
<mailto:squid-users@lists.squid-cache.org>
> http://lists.squid-cache.org/listinfo/squid-users