Hello,

Just installed Google Chrome, to have 3 browsers; same thing, it complains about HTTPS being intercepted...

But now I have something in the cache.log finally!

fwdNegotiateSSL: Error negotiating SSL connection on FD 16: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)

This a couple of times. Then:

WARNING: all 5/5 ssl_crtd processes are busy
WARNING: 5 pending requests queued
WARNING: consider increasing the number of ssl_crtd processes in your config file

I am the only one using this proxy from another VMware Workstation virtual PC...

Greetings
Robert

-----Original Message-----
From: Rafael Akchurin [mailto:rafael.akchurin@xxxxxxxxxxxx]
Sent: Saturday, 29 March 2014 13:07
To: Robert Becskei; squid-users@xxxxxxxxxxxxxxx
Subject: Re: Centos 6.5, Squid 3.4.3-1.el6.i386 Transparent HTTPS, SSL_BUMP, HTTPS part not working

Hello Robert,

I had the same error with Firefox only; for me the solution was to patch gadgets.cc as indicated here: https://github.com/ra-at-diladele-com/qlproxy_external/wiki/Filtering-HTTPS

Raf.

On 3/29/14 12:53 PM, "Robert Becskei" <robert.becskei@xxxxxxxxx> wrote:

>Hello everyone,
>
>These are the steps I did to install this server (inside VMware Workstation):
>
>ifconfig eth0 192.168.186.250
>ifconfig eth0:0 192.168.201.250
>ip_forward enabled
>
>1. Install CentOS 6
>
>2. Upgrade CentOS 6 (yum upgrade)
>
>3. Disable SELinux (I don't like it)
>
>4. Reboot
>
>5. Enable EPEL repo
>
>cd /home
>wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
>rpm -Uvh epel-release-6-8.noarch.rpm
>
>6. Enable Squid repo
>cd /etc/yum.repos.d
>vi SQUID.repo
>[squid]
>name=Squid repo for CentOS 6
>baseurl=http://www1.ngtech.co.il/rpm/centos/6/i686
>failovermethod=priority
>enabled=1
>gpgcheck=0
>
>7. yum update
>yum install perl-Crypt-OpenSSL-X509
>yum install squid
>
>8. /usr/lib/squid/ssl_crtd -c -s /var/lib/ssl_db
>
>9. Create certificates for Squid like this:
>cd /etc/pki/CA
>cp /etc/pki/tls/openssl.cnf openssl.cnf
>then I've edited the openssl.cnf like this:
>dir = . # Where everything is kept
>certificate = $dir/certs/ca.crt # The CA certificate
>private_key = $dir/private/ca.key # The private key
>
>+ filled in default values for company, site, domain, e-mail address.
>
>10. Created keys like this:
>openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout private/ca.key -out certs/ca.crt -days 3650
>openssl req -config openssl.cnf -new -nodes -keyout private/home.key -out home.csr -days 3650
>openssl ca -config openssl.cnf -policy policy_anything -out certs/home.crt -infiles home.csr
>
>11. Copied the files to the Squid folder:
>
>/etc/squid/ssl_cert/ca.crt
>/etc/squid/ssl_cert/home.crt
>/etc/squid/ssl_cert/private/home.key
>cd /etc/squid/ssl_cert/private/
>cp home.key home.bak
>openssl rsa -in home.bak -out home.key
>
>12. Squid config
>acl localnet src 192.168.201.0/24
>
>acl SSL_ports port 443
>acl Safe_ports port 80 # http
>acl Safe_ports port 21 # ftp
>acl Safe_ports port 443 # https
>acl Safe_ports port 70 # gopher
>acl Safe_ports port 210 # wais
>acl Safe_ports port 1025-65535 # unregistered ports
>acl Safe_ports port 280 # http-mgmt
>acl Safe_ports port 488 # gss-http
>acl Safe_ports port 591 # filemaker
>acl Safe_ports port 777 # multiling http
>acl CONNECT method CONNECT
>
>http_access deny !Safe_ports
>http_access deny CONNECT !SSL_ports
>
>http_access allow all
>
>http_port 3130
>
>http_port 3128 intercept
>https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/home.crt key=/etc/squid/ssl_cert/private/home.key
>
>#always_direct allow all
>ssl_bump server-first all
>#sslproxy_cert_error allow all
>#sslproxy_flags DONT_VERIFY_PEER
>
>sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
>sslcrtd_children 5
>
>coredump_dir /var/spool/squid
>
># Add any of your own refresh_pattern entries above these.
>refresh_pattern ^ftp: 1440 20% 10080
>refresh_pattern ^gopher: 1440 0% 1440
>refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>refresh_pattern . 0 20% 4320
>
>shutdown_lifetime 1 second
>
>#debug_options ALL,2
>
>13. DNS server on this machine (so that proxy.home.lan resolves...)
>/etc/named.conf
>//
>// named.conf
>//
>// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
>// server as a caching only nameserver (as a localhost DNS resolver only).
>//
>// See /usr/share/doc/bind*/sample/ for example named configuration files.
>//
>
>acl mynet {
>    192.168.201.0/24; # test network
>    127.0.0.1;        # localhost
>};
>
>options {
>    listen-on {
>        mynet;
>    };
>    listen-on-v6 port 53 { ::1; };
>    directory "/var/named";
>    dump-file "/var/named/data/cache_dump.db";
>    statistics-file "/var/named/data/named_stats.txt";
>    memstatistics-file "/var/named/data/named_mem_stats.txt";
>    allow-query { mynet; };
>    recursion yes;
>
>    forward only;
>    forwarders {
>        8.8.8.8;
>    };
>
>    dnssec-enable yes;
>    dnssec-validation yes;
>    dnssec-lookaside auto;
>
>    /* Path to ISC DLV key */
>    bindkeys-file "/etc/named.iscdlv.key";
>
>    managed-keys-directory "/var/named/dynamic";
>};
>
>logging {
>    channel default_debug {
>        file "data/named.run";
>        severity dynamic;
>    };
>};
>
>zone "." IN {
>    type hint;
>    file "named.ca";
>};
>
>include "/etc/named.rfc1912.zones";
>include "/etc/named.root.key";
>
>#############################################
># home.lan
>#############################################
>
>zone "home.lan" IN {
>    type master;
>    file "/var/named/home.lan/db.home";
>    allow-query {
>        mynet;
>    };
>};
>
>/var/named/home.lan/db.home
>$ORIGIN home.lan.
>$TTL 86400
>@       IN SOA  proxy.home.lan. proxy.home.lan. (
>                2014032801 ; Serial
>                28800      ; Refresh
>                7200       ; Retry
>                604800     ; Expire
>                86400      ; Negative Cache TTL
>                )
>@       IN NS   proxy.home.lan.
>proxy   IN A    192.168.186.250
>
>14. Install NTP on this server to sync time properly
>
>15. Configure Windows XP client (fully updated) to use 192.168.201.250 as default gateway and as DNS
>
>16. Ping proxy.home.lan, it resolves; ping www.google.com, it resolves
>
>17. www.google.com: I get a warning that the certificate is not trusted (but only with Firefox), do I want to install; I can check the certificate, it is correctly issued by proxy.home.lan for www.google.com.
>
>18. Install ca.crt into the client's trusted root certificates
>
>19. Behold the error (and be very frustrated): Peer's certificate has an invalid signature
>
>I tried to re-do my steps, I tried multiple howtos (some were outdated), I've tried the IRC for Squid, but no help. What did I overlook here? Why is this not working?
>
>Oh, iptables on the server is:
>
>iptables -t nat -A PREROUTING -p tcp -s 192.168.201.0/24 --dport 80 -j DNAT --to 192.168.201.250:3128
>iptables -t nat -A PREROUTING -p tcp -s 192.168.201.0/24 --dport 443 -j DNAT --to 192.168.201.250:3129
>
>There is no error in the log file; I have checked that certificates are generated for the sites I visit in /var/lib/ssl_db. For example www.grc.com gets a generated certificate even though I am not able to access it.
>Only Firefox was friendly enough to provide the error above; Internet Explorer does not display anything at all, regardless of whether the certificate is installed on the client or not. (Guess they went 100% sure this time with certificates to disallow by default.)
>
>Thank you for reading this, and please help if you can.
>
>Greetings
>Robert
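The certificate layout in the quoted steps has three tiers: a self-signed ca.crt, a home.crt issued by it (the "openssl ca" step), and per-site leaves that ssl_crtd signs with home.key because the https_port line points cert= and key= at home.crt/home.key. Only ca.crt is installed on the client in step 18, so the question is whether a leaf signed by home.key can be validated by a client that has never seen home.crt. The script below is an added example, not code from the thread or from the Squid project: it rebuilds that layout offline with openssl in a scratch directory and runs the verification a browser would have to perform, once with the leaf alone and once with the intermediate supplied. Subjects, key sizes and the www.google.com leaf are assumed for illustration; whether this is the cause of the Firefox error in the post cannot be determined from the thread, and the fwdNegotiateSSL error is on the other hop (Squid verifying the origin server), which this check does not cover.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the chain the post describes,
#   root ca.crt -> intermediate home.crt -> per-site leaf signed with home.key,
# then check what a client that has installed only ca.crt can verify.
# Subjects, key sizes and the www.google.com leaf are assumed for illustration.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Extensions for the two CA certificates (root and the "home" intermediate).
cat > ca_ext.cnf <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Extensions for the mimicked server certificate.
cat > leaf_ext.cnf <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.google.com
EOF

# Root CA, as in step 10 of the post (self-signed, CA extensions).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=home.lan root CA" \
    -keyout ca.key -out ca.csr 2>/dev/null
openssl x509 -req -in ca.csr -signkey ca.key -days 3650 \
    -extfile ca_ext.cnf -out ca.crt 2>/dev/null

# Intermediate "home" certificate, issued by the root (the "openssl ca" step).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=proxy.home.lan" \
    -keyout home.key -out home.csr 2>/dev/null
openssl x509 -req -in home.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 3650 -extfile ca_ext.cnf -out home.crt 2>/dev/null

# Per-site leaf, signed with home.key the way ssl_crtd signs generated certs
# when https_port carries cert=home.crt key=home.key.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.google.com" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA home.crt -CAkey home.key -CAcreateserial \
    -days 365 -extfile leaf_ext.cnf -out leaf.crt 2>/dev/null

# Check 1: home.crt itself chains to ca.crt (the step 10 layout is sane).
verify_intermediate() {
    openssl verify -CAfile ca.crt home.crt >/dev/null 2>&1
}

# Check 2: the leaf presented on its own to a client that trusts only ca.crt.
verify_leaf_alone() {
    openssl verify -CAfile ca.crt leaf.crt >/dev/null 2>&1
}

# Check 3: the same leaf when the intermediate is supplied alongside it.
verify_leaf_with_intermediate() {
    openssl verify -CAfile ca.crt -untrusted home.crt leaf.crt >/dev/null 2>&1
}

# Who signed the leaf (issuer must equal the subject of home.crt).
leaf_issuer() {
    openssl x509 -in leaf.crt -noout -issuer
}

if verify_intermediate; then echo "home.crt verifies against ca.crt"; fi
if verify_leaf_alone; then
    echo "leaf verifies with ca.crt alone"
else
    echo "leaf does NOT verify with ca.crt alone (issuer home.crt unknown to client)"
fi
if verify_leaf_with_intermediate; then echo "leaf verifies once home.crt is supplied"; fi
leaf_issuer
```

Run against the real proxy, `openssl s_client -connect 192.168.201.250:3129 -servername www.google.com -showcerts </dev/null` shows exactly which certificates Squid hands to the client; if only the leaf appears, the client needs home.crt available as a trusted or untrusted intermediate, not just ca.crt.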