On 5/10/2014 1:29 p.m., Robert Watson wrote:
> using squid 3.4.8, compiled from source with ./configure flags
> --enable-icap-client --enable-ssl --enable-ssl-crtd
>
> configured iptables for transparent proxy (redirect 80 to 3128) and
> everything works fine
>
> configured iptables for transparent proxy (redirect 443 to 3127) but
> can't get transparent proxy for https to work
>
> my squid.conf
> ...
> # Squid https port
> https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/XXX.pem
>
> acl broken_sites dstdomain .example.com
> ssl_bump none localhost
> ssl_bump none broken_sites
> ssl_bump server-first all
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
> sslcrtd_children 32 startup=5 idle=1
>
> when visiting google (or any other https site) chrome complains
> NET::ERR_CERT_AUTHORITY_INVALID
>
> I tried using internet explorer as admin and imported the self-signed
> certificate but that hasn't helped
>
> can anyone please help with how to debug this
>
> thanks,
> Robert

To debug you will need a packet capture with full packet bodies (tcpdump -s 0) of the TCP connection between browser and Squid, and the connection between Squid and server. Wireshark should be able to decrypt the TLS/SSL handshakes to see what differences or corruption is happening.

FYI: When testing be sure to clear/empty the ssl_crtd database if any changes are made to CA keys.

PS. Google with Chrome appear these days to be the champions of unbreakable TLS, their software is continually being updated to use/invent new TLS features that close loopholes in TLS design which allow ssl-bump to take place. What worked last month has no guarantee of working today, same again next month.
Amos
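Added example, not code from this thread or the Squid project: a small shell script that takes the full-body capture the reply asks for on the proxy host and then checks which CA issued the certificate a client actually receives for an intercepted site, validated against the bump CA the browser was given. The CA path and port 3127 come from the post; the interface name, test site and output paths are assumptions to adjust.

```sh
#!/bin/sh
# Added example, not part of the squid-users thread. Assumed values (adjust):
# CA file and https_port from the post, LAN interface eth0, test site google.
set -e

CA_PEM=${CA_PEM:-/etc/squid/ssl_cert/XXX.pem}
SITE=${SITE:-www.google.com}
IFACE=${IFACE:-eth0}

# Full-body capture (-s 0) of both legs on the proxy host: client packets
# arrive with dst port 443 before iptables REDIRECTs them to 3127, and
# Squid's own upstream connections leave on port 443, so one filter on the
# proxy box sees browser<->Squid and Squid<->server for Wireshark.
capture_both_legs() {
    tcpdump -i "$IFACE" -s 0 -w "/tmp/bump-$(date +%s).pcap" \
        "tcp port 443 or tcp port 3127"
}

# Fetch the certificate a client gets for $SITE when its traffic is
# intercepted, verifying the chain against the bump CA file.
fetch_client_view() {
    printf 'Q\n' | openssl s_client -connect "$SITE:443" -servername "$SITE" \
        -CAfile "$CA_PEM" 2>/dev/null
}

# Reduce s_client output (file argument or stdin) to "issuer=...; verify=...".
#  - issuer is the site's real CA        -> this traffic is not being bumped
#  - issuer is the bump CA, verify 0 (ok) -> Squid's minted certs chain to
#    $CA_PEM; confirm the browser imported that same CA
#  - issuer is the bump CA, verify != 0   -> minted certs do not chain to
#    $CA_PEM (e.g. stale ssl_db after a CA change, as the reply warns)
classify() {
    awk '
        /^issuer=/            { sub(/^issuer=/, ""); issuer = $0 }
        /Verify return code:/ { sub(/.*Verify return code: */, ""); code = $0 }
        END { printf "issuer=%s; verify=%s\n", issuer, code }
    ' "$@"
}

# Only run the live check when explicitly asked; capture_both_legs is
# started separately (it blocks) when collecting the pcap for Wireshark.
if [ "${RUN_DIAG:-0}" = 1 ]; then
    fetch_client_view | classify
fi
```

Run `RUN_DIAG=1 sh bump-check.sh` from a client behind the redirect rule, and start `capture_both_legs` on the proxy host before reproducing the Chrome error.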