On 02/16/2010 12:54 PM, Andres Salazar wrote:
> Hello,
>
> I am still having issues with SSLBump. Apparently I am now getting
> this error when I visit an https site with my browser explicitly
> configured to use the https_port.
>
> 2010/02/16 14:31:14| clientNegotiateSSL: Error negotiating SSL
> connection on FD 8: error:1407609B:SSL
> routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)

Hi Andres,

IIRC, SSL bumping at http_port is for dealing with HTTP CONNECT requests
sent by the browser directly to the proxy while https_port is for bumping
transparently intercepted SSL sessions that the browser tries to establish
with the origin server. Your "browser explicitly configured to use the
https_port" description does not fit either of these use cases.

HTH,

Alex.

> Below is my sanitized config.
>
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl localhost src ::1/128
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
> acl to_localhost dst ::1/128
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7 # RFC 4193 local private network range
> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 443 # https
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> http_port 3128
> https_port 3129 sslBump cert=/usr/local/squid/etc/server.crt key=/usr/local/squid/etc/server.key
> always_direct allow all
> visible_hostname proxy1.komatsu.ca
> unique_hostname proxy1.komatsu.ca
> hierarchy_stoplist cgi-bin ?
> coredump_dir /usr/local/squid/var/cache
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> Notice I didn't use transparent, because I wanted to test it first
> without doing it transparent.
>
> I used this to generate the crt and key:
> openssl genrsa -out server.key 1024
> openssl req -new -key server.key -out /tmp/server.csr
> openssl x509 -req -days 1825 -in /tmp/server.csr -signkey server.key -out server.crt
>
> Also, in regards to the transparent option: is it OK if I redirect
> port 443 and 80 from the NAT box to another box on the network via
> iptables? Or should both squid and the NAT gateway be in the same
> network?
>
>
> Thanks
>
> Andres
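The two placements Alex describes, written out as an added example rather than anything from his reply or from Andres's posted config. It assumes the Squid 3.1-era option spelling that Andres's config uses (sslBump, transparent; later releases spell these ssl-bump and intercept), and the port numbers and certificate paths are placeholders carried over from the thread, not a recommendation.

```conf
# Added example: where SSL bumping is configured for each use case.
# Assumes Squid 3.1 syntax; paths and ports are placeholders.

# Explicit proxy. Browsers configured to use proxy:3128 send
# "CONNECT host:443" to this port, and Squid bumps those tunnels.
# This is the port a browser's proxy settings should point at.
http_port 3128 sslBump cert=/usr/local/squid/etc/server.crt key=/usr/local/squid/etc/server.key

# Interception. TCP/443 traffic REDIRECTed here by iptables arrives as a
# raw TLS ClientHello: the browser believes it is talking to the origin
# server, not to a proxy, so this port must NOT be set in the browser
# (a browser pointed at it sends a CONNECT request instead of a
# ClientHello, which is what the SSL23_GET_CLIENT_HELLO error reports).
https_port 3129 transparent sslBump cert=/usr/local/squid/etc/server.crt key=/usr/local/squid/etc/server.key

# The *_port options only enable bumping; the ssl_bump ACL decides
# which sessions are actually bumped. Without a rule, nothing is.
ssl_bump allow all
```

Whichever port is used, the certificate Squid presents (server.crt above) is not the origin server's, so clients will warn on every bumped site unless that certificate has been imported into their trust store as an authority.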