Hello list,

The last sentence of the generate-host-certificates[=<on|off>] option paragraph states:

    This option is enabled by default when ssl-bump is used.
    See the ssl-bump option above for more information.

But a client can't negotiate a secure connection and times out when the option is not specified explicitly. For example, with the following config I get a negotiation timeout:

# diff etc/squid.conf.default etc/squid.conf
59c59
< http_port 3128
---
> http_port 3128 ssl-bump cert=/usr/local/squid35/etc/ssl_cert/myCA.pem
73a74,76
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all

-----

$ https_proxy="127.0.0.1:3128" curl -v -k https://ya.ru/ > /dev/null
* Trying 127.0.0.1...
* TCP_NODELAY set
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to 127.0.0.1 (127.0.0.1) port 3128 (#0)
* Establish HTTP proxy tunnel to ya.ru:443
> CONNECT ya.ru:443 HTTP/1.1
> Host: ya.ru:443
> User-Agent: curl/7.50.3
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: none
  0     0    0     0    0     0      0      0 --:--:--  0:00:59 --:--:--     0* NSS error -5938 (PR_END_OF_FILE_ERROR)
* Encountered end of file
* Curl_http_done: called premature == 1
  0     0    0     0    0     0      0      0 --:--:--  0:01:00 --:--:--     0
* Closing connection 0
curl: (35) Encountered end of file

No problems if the option is specified explicitly:

# diff etc/squid.conf.default etc/squid.conf
59c59,61
< http_port 3128
---
> http_port 3128 ssl-bump \
> cert=/usr/local/squid35/etc/ssl_cert/myCA.pem \
> generate-host-certificates
73a76,78
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all

Is it a bug, a documentation error, or did I simply miss something?

Thanks.

Garri
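An added example, not part of the original message and not Squid's own code: a small Python check that reports, for each ssl-bump port in a squid.conf, whether generate-host-certificates is set explicitly or left to the documented default that the message found not to take effect. The sample configuration, the extra port numbers and the function names are constructed for illustration.

```python
import re

# Constructed sample: the two http_port variants from the message, plus edge cases.
SAMPLE_CONF = """\
http_port 3128 ssl-bump cert=/usr/local/squid35/etc/ssl_cert/myCA.pem
http_port 3129 ssl-bump \\
    cert=/usr/local/squid35/etc/ssl_cert/myCA.pem \\
    generate-host-certificates
http_port 3130
# http_port 3131 ssl-bump cert=/constructed/commented-out.pem
http_port 3132 ssl-bump cert=/constructed/ca.pem generate-host-certificates=off
"""

OPTION = re.compile(r"generate-host-certificates(?:=(on|off))?")

def logical_lines(text):
    """Yield (first_line_number, text) with backslash continuations joined."""
    buf, start = [], None
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        start = start or number
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        yield start, " ".join(buf + [line])
        buf, start = [], None
    if buf:  # file ended on a dangling continuation
        yield start, " ".join(buf)

def audit_ssl_bump_ports(text):
    """Return (line, port, state) for every ssl-bump port; state is on/off/implicit."""
    findings = []
    for number, line in logical_lines(text):
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] not in ("http_port", "https_port"):
            continue  # comments, other directives, ports without options
        if "ssl-bump" not in tokens[2:]:
            continue
        state = "implicit"  # option absent: the port relies on the documented default
        for token in tokens[2:]:
            match = OPTION.fullmatch(token)
            if match:
                state = match.group(1) or "on"
        findings.append((number, tokens[1], state))
    return findings

if __name__ == "__main__":
    for number, port, state in audit_ssl_bump_ports(SAMPLE_CONF):
        print(f"line {number}: port {port}: generate-host-certificates is {state}")
```

Ports reported as implicit correspond to the first configuration in the message; adding generate-host-certificates to the http_port line, as in the second configuration, makes the setting explicit.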