On 01/03/11 21:49, arielf wrote:
Hello, I am trying to use Squid as a proxy so that traffic goes through an ICAP service I built and continues to the intended site. I will have several clients (browsers) that are accessing several server sites. I need help configuring https correctly :(

I tried testing out my configuration using a browser from ip: 9.148.16.192. I used the firefox foxyproxy plugin to direct http traffic to 9.148.26.247:3128 and https to 3129 (machine/ports where my squid is listening, checked this with netstat).

I started testing two sites, one http and another https:
1. http://mydomain.com/MyCRM/index.php
2. https://9.148.26.247:8443/ - this site runs on tomcat that I configured with mykey.jks

When I start I get all OK messages:
2011/03/01 08:23:40| Accepting HTTP connections at [::]:3128, FD 15.
2011/03/01 08:23:40| Accepting HTTPS connections at [::]:3129, FD 16.
2011/03/01 08:23:40| HTCP Disabled.
2011/03/01 08:23:40| Configuring Parent 9.148.16.192/3129/0

When I try site 1 (http) all seems to work fine. However, when I try site 2, I get an error:
2011/03/01 08:37:54| clientNegotiateSSL: Error negotiating SSL connection on FD 12: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)

Where am I going wrong??
The wrong step is in using https_port to receive traffic from the browser. Those ports are for receiving an SSL/TLS encrypted connection. None of the popular browsers support such encryption on the link between themselves and proxies.
The browser wraps https:// inside a plain-text HTTP method called CONNECT and sends it to the Squid port. The encrypted part goes through a tunnel the CONNECT creates.
This error message about negotiating is due to https_port failing to decrypt the non-encrypted CONNECT.
In order to break into the CONNECT requests you will need the ssl-bump mode enabled on the normal http_port. Then send both HTTP and HTTPS traffic to the same proxy port via regular browser proxy settings.
Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.11
  Beta testers wanted for 3.2.0.5
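As an added illustration of the mismatch Amos describes (example code written for this page, not part of his reply or of Squid), the following classifies the first bytes a proxy listener receives: a browser opening an https:// URL through a proxy sends a plaintext CONNECT, while an https_port expects a TLS ClientHello. The host, port and sample bytes are constructed from the values in the thread.

```python
# Added example (not from the thread or from Squid): classify the first
# bytes that arrive on a proxy listening port, so an operator can tell a
# plaintext CONNECT (what browsers send for https:// URLs) from a real TLS
# ClientHello (what an https_port expects). Sample bytes are constructed.

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ")


def build_connect_request(host: str, port: int) -> bytes:
    """The plaintext request a browser sends to a proxy for an https:// URL.
    The TLS handshake with the origin only starts inside this tunnel."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n"
            "Proxy-Connection: keep-alive\r\n\r\n").encode("ascii")


def classify_first_bytes(data: bytes) -> str:
    """Return what the client spoke first on the socket."""
    # TLS record layer: content type 0x16 (handshake), version 3.x
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls-client-hello"
    # SSLv2-compatible ClientHello: 2-byte length with high bit set, then 0x01
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "tls-client-hello"
    if data.startswith(b"CONNECT "):
        return "http-connect"
    if data.startswith(HTTP_METHODS):
        return "http-plain"
    return "unknown"


def diagnose(data: bytes, port_directive: str) -> str:
    """port_directive is the Squid directive the socket was opened with:
    'http_port' or 'https_port'. Explains the mismatch seen in the thread."""
    kind = classify_first_bytes(data)
    if port_directive == "https_port" and kind != "tls-client-hello":
        return (f"{kind} on https_port: Squid tries to run a TLS handshake "
                "on plaintext, hence the clientNegotiateSSL error")
    if port_directive == "http_port" and kind == "tls-client-hello":
        return "tls-client-hello on http_port: not parseable as an HTTP request"
    return f"{kind} on {port_directive}: matching protocol"


if __name__ == "__main__":
    # Constructed: what the browser in the thread sends for site 2.
    req = build_connect_request("9.148.26.247", 8443)
    print(diagnose(req, "https_port"))
    print(diagnose(req, "http_port"))
```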