So anyone who wants to use Squid over HTTPS in this way has to build this
repository themselves by manually downloading all the CA bundles?


From: Yuri <yvoi...@gmail.com>
To: Olly Lennox <oli...@lennox-it.uk>; "squid-users@lists.squid-cache.org" <squid-users@lists.squid-cache.org>
Sent: Tuesday, 18 April 2017, 14:03
Subject: Re: [squid-users] HTTPS woes

18.04.2017 18:56, Olly Lennox wrote:
  
  I'm using sslproxy_foreign_intermediate_certs
  Is this the same thing?

No. You first need the CA roots to be available to Squid. CA roots and
intermediates are different things.
 
  
  Also, is there anywhere to get a bundle of all the major CA intermediate certs,
  or do you have to download them all manually?

No. You should build it yourself.

  Cheers,
  oli...@lennox-it.uk
  lennox-it.uk
  tel: 07900 648 252
 
From: Yuri <yvoi...@gmail.com>
To: squid-users@lists.squid-cache.org
Sent: Tuesday, 18 April 2017, 13:51
Subject: Re: [squid-users] HTTPS woes

Try specifying the root CA bundle/dir explicitly with one of these
params:
 
 
 #  TAG: sslproxy_cafile
 #    file containing CA certificates to use when verifying server
 #    certificates while proxying https:// URLs
 #Default:
 # none
 
 #  TAG: sslproxy_capath
 #    directory containing CA certificates to use when verifying
 #    server certificates while proxying https:// URLs
 #Default:
 # none
 
 
 
 18.04.2017 18:46, Olly Lennox wrote:
 > Hi All,
 >
 > Still having problems here. This is my https config now:
 >
 >
 > ---------------------------------
 > https_port 3129 intercept ssl-bump 
 > generate-host-certificates=on dynamic_cert_mem_cache_size=4MB  
 > cert=/etc/squid3/ssl_cert/squid.crt key=/etc/squid3/ssl_cert/squid.key 
 > options=NO_SSLv3 dhparams=/etc/squid3/ssl_cert/dhparam.pem
 >
 > acl step1 at_step SslBump1
 > ssl_bump peek step1
 > ssl_bump bump all
 > sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
 > sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
 >
 > sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
 > sslcrtd_children 8 startup=1 idle=1
 >
 > ---------------------------------
 >
 >
 > I'm running version 3.5.23 with openssl 1.0. I've had to disable libecap 
 > because I couldn't build 3.5 with ecap enabled. I'm getting the following 
 > error when trying to connect with SSL:
 >
 > ---------------------------------
 >
 > The following error was encountered while trying to retrieve the URL: 
 > https://www.google.co.uk/*
 >
 > Failed to establish a secure connection to 216.58.198.67
 >
 > The system returned:
 >
 > (71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
 > SSL Certficate error: certificate issuer (CA) not known: 
 > /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
 >
 > This proxy and the remote host failed to negotiate a mutually acceptable 
 > security settings for handling your request. It is possible that the remote 
 > host does not support secure connections, or the proxy is not satisfied with 
 > the host security credentials.
 >
 > Your cache administrator is webmaster.
 >
 > Generated Tue, 18 Apr 2017 12:23:40 GMT by raspberrypi (squid/3.5.23)
 > ---------------------------------
 >
 > The CA is always listed as not known no matter what site I try; I always get 
 > this error.
 >
 > Any ideas?
 >
 > Thanks,
 >
 > Olly
 >
 > ________________________________
 > From: Olly Lennox <oli...@lennox-it.uk>
 > To: Amos Jeffries <squ...@treenet.co.nz>; 
 > "squid-users@lists.squid-cache.org" <squid-users@lists.squid-cache.org>
 > Sent: Sunday, 16 April 2017, 9:31
 > Subject: Re: [squid-users] HTTPS woes
 >
 >
 >
 > Thanks Amos, it's finally built but I had to disable ecap; for whatever 
 > reason this kept failing (with version 1.0.1 installed). It failed on a 
 > reference to the Area function I think, but I don't have the error message 
 > copied. I'm trying now to configure the ssl stare/peek and will let you know 
 > how it goes.
 >
 > Olly
 >  
 > oli...@lennox-it.uk
 > lennox-it.uk
 > tel: 07900 648 252
 >
 >
 >
 > ________________________________
 > From: Amos Jeffries <squ...@treenet.co.nz>
 > To: squid-users@lists.squid-cache.org
 > Sent: Saturday, 15 April 2017, 23:07
 > Subject: Re: [squid-users] HTTPS woes
 >
 >
 >
 > On 15/04/2017 9:59 a.m., Olly Lennox wrote:
 >> Hi Guys.
 >> I'm still struggling with this. I'm trying to build a version of 3.5 but I 
 >> just can't get it to work. I'm currently attempting to rebuild the stretch 
 >> package with SSL enabled but build keeps failing with the following:
 >> ../../src/ssl/gadgets.h:83:45: error: 'CRYPTO_LOCK_X509' was not declared in this scope
 >>   typedef LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> X509_Pointer;
 >> ../../src/ssl/gadgets.h:83:61: error: template argument 3 is invalid
 >> ../../src/ssl/gadgets.h:89:53: error: 'CRYPTO_LOCK_EVP_PKEY' was not declared in this scope
 >>   typedef LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY> EVP_PKEY_Pointer;
 >> ../../src/ssl/gadgets.h:89:73: error: template argument 3 is invalid
 >> ../../src/ssl/gadgets.h:116:43: error: 'CRYPTO_LOCK_SSL' was not declared in this scope
 >>   typedef LockingPointer<SSL, SSL_free_cpp, CRYPTO_LOCK_SSL> SSL_Pointer;
 >> ../../src/ssl/gadgets.h:116:58: error: template argument 3 is invalid
 >> Any ideas?
 >
 >
 > On Jesse/stable:
 >
 > apt-get build-dep squid3
 > apt-get install libssl-dev
 >
 >
 > On stretch/testing/unstable:
 >
 > apt-get build-dep squid
 > apt-get install libssl1.0-dev
 >
 >
 > That should do it for you.
 >
 > Amos
 >
 >
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
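The failure in Olly's error page (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) and Yuri's point that roots and intermediates are different inputs can be reproduced offline. The script below is an added example, not code from the thread or from the Squid project: it uses the openssl CLI to build a throwaway root / intermediate / leaf hierarchy, lays the root out in the hash-named directory layout that sslproxy_capath (like OpenSSL's CApath and c_rehash) expects, and runs the three verification cases that matter here. Every name and path in it (WORK, "Demo Root CA", www.example.test) is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid project): reproduce
# X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY with a throwaway PKI and
# show which input (root in the trust dir vs. intermediate) fixes it.
# All names, paths and certificates below are constructed for the demo.
set -u

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI is required" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"

# Build a 3-tier hierarchy: root (self-signed) -> intermediate -> leaf.
# Both CAs get explicit CA:TRUE / keyCertSign so verification does not
# depend on whatever openssl.cnf defaults the host ships with.
make_demo_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' \
    > "$WORK/leaf.ext"

  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1 || return 1

  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" \
    >/dev/null 2>&1 || return 1

  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" \
    >/dev/null 2>&1
}

# Lay trusted roots out the way sslproxy_capath (OpenSSL CApath) expects:
# one file per CA named <subject_hash>.0, which is what c_rehash generates.
# $1 = target dir, remaining args = root CA PEM files.
build_capath() {
  dir="$1"; shift
  mkdir -p "$dir" || return 1
  for pem in "$@"; do
    h=$(openssl x509 -noout -subject_hash -in "$pem") || return 1
    cp "$pem" "$dir/$h.0" || return 1
  done
}

# Verify a leaf the way the proxy's server-certificate check does: roots come
# only from the trust dir; intermediates come only from what the server sends
# (or sslproxy_foreign_intermediate_certs supplies), i.e. the -untrusted input.
# $1 = CApath dir, $2 = leaf PEM, $3 (optional) = intermediate PEM.
# Prints OpenSSL's verdict; exit status is 0 only when the chain verifies.
verify_leaf() {
  if [ $# -ge 3 ]; then
    openssl verify -CApath "$1" -untrusted "$3" "$2" 2>&1
  else
    openssl verify -CApath "$1" "$2" 2>&1
  fi
}

# Demo run: the three situations discussed in the thread.
make_demo_pki || { echo "could not build demo PKI" >&2; exit 1; }
build_capath "$WORK/trust" "$WORK/root.pem"
mkdir -p "$WORK/empty"

echo "1) root in CApath, intermediate supplied:"
verify_leaf "$WORK/trust" "$WORK/leaf.pem" "$WORK/inter.pem"
echo "2) root in CApath, intermediate missing (the error from the thread):"
verify_leaf "$WORK/trust" "$WORK/leaf.pem" || true
echo "3) empty CApath, intermediate supplied (an intermediate cannot replace a root):"
verify_leaf "$WORK/empty" "$WORK/leaf.pem" "$WORK/inter.pem" || true
```

Case 1 is the working configuration: the root sits in the directory that sslproxy_capath (or, as a single file, sslproxy_cafile) points at and the intermediate arrives with the server's chain. Case 2 prints "unable to get local issuer certificate", the same condition as the X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY in Olly's error page; sslproxy_foreign_intermediate_certs exists to cover it when the origin omits its intermediate. Case 3 fails even with the intermediate present, which is why Yuri insists the roots have to be available to Squid first. The same `openssl verify -CApath` call run against a real sslproxy_capath directory is a quick way to check a trust dir before pointing Squid at it.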
