Many thanks Amos, I followed your advice, unfortunately I'm not there yet.
This is what I did, please see where I went wrong now.

I reconfigured squid to use ssl-bump, and configured both http and https sites in Firefox FoxyProxy to port 3128.

In squid.conf I removed the https section and added:

http_port 3128 ssl-bump key=/root/security/mykey.key.pem cert=/root/security/mycert.crt.pem
ssl_bump allow all

It started ok, but failed again when I tried to access an https site:

2011/03/01 11:03:51| Accepting bumpy HTTP connections at [::]:3128, FD 15.
2011/03/01 11:03:51| HTCP Disabled.
2011/03/01 11:03:51| Squid modules loaded: 0
2011/03/01 11:03:51| Adaptation support is off.
2011/03/01 11:03:51| Ready to serve requests.
2011/03/01 11:03:52| storeLateRelease: released 0 objects
-----BEGIN SSL SESSION PARAMETERS-----
MHECAQECAgMBBAIANQQgOETLtr/8z9TaMvWhjyT6g3ZmAB87r+AjuOx7AmD8NvQE
MPMyqntXd1ZJwAebb4K+5KKX0f8vnMlQjjFo7kWuK1xJHQZnnu5YBONvcuyIbDj7
yKEGAgRNbRkcogQCAgEspAIEAA==
-----END SSL SESSION PARAMETERS-----
2011/03/01 11:04:44| SSL unknown certificate error 20 in /C=IL/ST=NA/L=Haifa/O=IBM/OU=HRL/CN=Magen
2011/03/01 11:04:44| fwdNegotiateSSL: Error negotiating SSL connection on FD 13: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)

After reading other posts with a similar error I added:

http_port 3128 ssl-bump key=/root/security/mykey.key.pem cert=/root/security/mycert.crt.pem clientca=/root/security/myCertCA.crt.pem

Again it started ok, but failed on a different error trying to proxy an https site:

2011/03/01 11:10:31| Accepting bumpy HTTP connections at [::]:3128, FD 15.
2011/03/01 11:10:31| HTCP Disabled.
2011/03/01 11:10:31| Squid modules loaded: 0
2011/03/01 11:10:31| Adaptation support is off.
2011/03/01 11:10:31| Ready to serve requests.
2011/03/01 11:10:32| storeLateRelease: released 0 objects
2011/03/01 11:11:08| clientNegotiateSSL: Error negotiating SSL connection on FD 12: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate (1/-1)

Again, please help, what did I do wrong now?

Many thanks,
Ariel.

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/icap-and-https-tp3329449p3329673.html
Sent from the Squid - Users mailing list archive at Nabble.com.