On 28/02/2014 7:13 a.m., johnmccain_2@xxxxxxxxx wrote:
> hi everyone,
>
> i hope someone can help me :) i have this problem:
>
> squid is running as an ssl transparent proxy, and at the moment it's receiving
> all the traffic with these two iptables rules:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3130
>
> so far no problem at all. everything works perfectly ... but when i add any
> simple acl to block an ssl website, i get this browser error: ssl connection
> error (ERR_SSL_PROTOCOL_ERROR)
>
> also, if i try to run squid with the line currently commented in the conf
> pasted below, i get a certificate error (domain mismatch) from the client.
>
> http_port 3128 intercept
> https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/proxy_matrix-test_com.crt key=/usr/local/squid/ssl_cert/squid.key
> acl broken_sites dstdomain google.it
> ssl_bump none localnet
> ssl_bump none broken_sites
> #ssl_bump server-first all

That looks to me like you are not decrypting (bumping) anything at all with this config. If so, then any ACL will be causing an HTTP plain-text response to go back to TLS connection attempts. The browser will of course barf at that.

You can verify that with a simple test log:

  acl foo myportname 3130
  access_log stdio:/foo.log squid foo

- it should log some requests going through with full URLs with visible path portions (not the truncated ones).

You need to uncomment the "ssl_bump server-first allow all" line and ensure that the bumping is working there before you can move on to use ACLs to control the traffic much.
> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
> sslcrtd_children 5
>
> (proxy_matrix-test_com.crt is signed by a recognized certification authority)

Is it a leaf certificate or a signing cert they approved? There are some strict restrictions on CAs distributing anything other than leaf certificates, and Squid requires a signing cert.

Amos
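The verification step Amos suggests (does the intercept port's log show full https:// URLs with paths, or only host:port tunnels?) can be automated. The script below is an added example written for this thread; it is not code from the Squid project, from Amos, or from the original poster. It assumes the log is written in Squid's native "squid" log format, as the suggested `access_log stdio:/foo.log squid foo` line produces, and the sample lines embedded in it are constructed for illustration, not captured from a real proxy.

```python
"""Check a Squid native-format access log for evidence that ssl-bump is
actually decrypting traffic on the intercept port.

Added example for the squid-users thread above; not part of Squid and not
the posters' code. Assumes the 'squid' native log format:
  timestamp elapsed client action/code size method url ident hierarchy type
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines (not real traffic). The first two are what an
# unbumped (tunnelled) port produces: CONNECT host:port, no path visible.
# The remaining three are what a working server-first bump produces: a real
# method plus a full https:// URL, including a denied one from an ACL.
SAMPLE_LOG = """\
1393540000.123    520 192.168.1.10 TCP_TUNNEL/200 3921 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -
1393540001.456    480 192.168.1.11 TCP_TUNNEL/200 5512 CONNECT mail.example.net:443 - HIER_DIRECT/198.51.100.7 -
1393540002.789    210 192.168.1.10 TCP_MISS/200 8123 GET https://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1393540003.012    190 192.168.1.12 TCP_MISS/200 1201 GET https://www.example.com/static/app.js - HIER_DIRECT/93.184.216.34 application/javascript
1393540004.345    300 192.168.1.11 TCP_DENIED/403 3456 GET https://blocked.example.org/ - HIER_NONE/- text/html
"""

# One native-format line; fields are whitespace separated.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>\S+)/(?P<status>\d+)\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


def classify(line):
    """Return 'tunnelled', 'bumped', 'other' or 'unparsed' for one log line.

    A tunnelled request appears as CONNECT host:port (no scheme, no path).
    A bumped request appears as an ordinary method with a full https:// URL,
    which is only possible if Squid decrypted the client's TLS session.
    """
    m = LINE_RE.match(line)
    if not m:
        return "unparsed"
    method, url = m.group("method"), m.group("url")
    if method == "CONNECT" and "://" not in url:
        return "tunnelled"
    parts = urlsplit(url)
    if parts.scheme == "https" and parts.netloc:
        return "bumped"
    return "other"


def summarize(log_text):
    """Count log lines per class, skipping blank lines."""
    counts = Counter(classify(l) for l in log_text.splitlines() if l.strip())
    return dict(counts)


def bumping_is_working(log_text):
    """True when at least one request on the port was logged with a full
    https:// URL, i.e. the bump is decrypting rather than just tunnelling."""
    return summarize(log_text).get("bumped", 0) > 0


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("bumping active:", bumping_is_working(SAMPLE_LOG))
```

Run it against the real `/foo.log` by reading the file into `summarize()`; a log with only `tunnelled` entries matches the failure mode Amos describes (plain-text error pages being sent into a TLS connection), while `bumped` entries confirm that ACLs on the 3130 port will see URLs they can match.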