Forgot some extra information:

squid build info:
---
Squid Cache: Version 3.5.5
Service Name: squid
configure options: '--prefix=/usr' '--sbindir=/usr/bin' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--localstatedir=/var' '--with-logdir=/var/log/squid' '--with-pidfile=/run/squid.pid' '--enable-auth' '--enable-auth-basic' '--enable-auth-ntlm' '--enable-auth-digest' '--enable-auth-negotiate' '--enable-removal-policies=lru,heap' '--enable-storeio=aufs,ufs,diskd' '--enable-delay-pools' '--with-openssl=/usr' '--enable-snmp' '--enable-linux-netfilter' '--enable-ident-lookups' '--enable-useragent-log' '--enable-cache-digests' '--enable-referer-log' '--enable-htcp' '--enable-carp' '--enable-epoll' '--with-large-files' '--enable-arp-acl' '--with-default-user=proxy' '--enable-async-io' '--enable-truncate' '--enable-icap-client' '--enable-ssl-crtd' '--disable-arch-native' '--disable-strict-error-checking' '--enable-wccpv2' 'CFLAGS=-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4' 'LDFLAGS=-Wl,-O1,--sort-common,--as-needed,-z,relro' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4'
---

Also, if I disable "ssl_bump" at the http_port line, squid works without any problem, just as a forwarder. But that makes no sense anyway.

Thanks

2015-07-06 17:22 GMT+08:00 adam900710 <adam900710@xxxxxxxxx>:
> Hi all,
>
> I tried to build an ssl bumping proxy with an up-level proxy, but the client
> failed to connect like the following.
>
> The error:
> ---
> $ curl https://www.google.co.jp -vvvv -k
> * Rebuilt URL to: https://www.google.co.jp/
> * Trying ::1...
> * Connected to localhost (::1) port 3128 (#0)
> * Establish HTTP proxy tunnel to www.google.co.jp:443
> > CONNECT www.google.co.jp:443 HTTP/1.1
> > Host: www.google.co.jp:443
> > User-Agent: curl/7.43.0
> > Proxy-Connection: Keep-Alive
> >
> < HTTP/1.1 200 Connection established
> <
> * Proxy replied OK to CONNECT request
> * ALPN, offering http/1.1
> * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
> * successfully set certificate verify locations:
> * CAfile: /etc/ssl/certs/ca-certificates.crt
> CApath: none
> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> * Unknown SSL protocol error in connection to www.google.co.jp:443
> * Closing connection 0
> curl: (35) Unknown SSL protocol error in connection to www.google.co.jp:443
> ---
>
> My squid.conf:
> ---
> # default acls/configs are ignored
> cache_peer 127.0.0.1 parent 8118 0 default no-digest proxy-only
> never_direct allow all
> ssl_bump peek all
> ssl_bump bump all
> http_port 3128 ssl-bump \
>   cert=/etc/squid/ssl/ca.crt \
>   key=/etc/squid/ssl/ca.key \
>   generate-host-certificates=on \
>   dynamic_cert_mem_cache_size=4MB
> ---
>
> From the cache_peer port, someone may notice that I'm using privoxy.
> That's right, as I need to redirect the ssl traffic to a SOCKS5 proxy,
> or I can't ever access some sites.
>
> Here are some of my experiments:
> 1) Remove "never_direct"
> Then ssl_bump works as expected, but all traffic doesn't go through
> the SOCKS5 proxy. So a lot of sites I can't access.
>
> 2) Use local 8118 proxy
> That works fine without any problem, but ssl_bump is needed...
> So that just proves privoxy is working.
>
> Any clue?
>
> Thanks

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users