I am in the process of upgrading our Squid proxy server from 3.1 (on RHEL6) to 3.3 (on RHEL7). It is configured as an explicit (not transparent) proxy that listens on port 3128. Clients are explicitly configured to use the proxy.
On the 3.3 system with the same squid.conf as the 3.1 system (I have made changes to fix warnings), the system is able to proxy internal (*.ncsu.edu) http traffic and https traffic. Anything https outside the ncsu.edu domain fails.
The system (which does not use caching) was configured to log https transactions as such:
1565183014.309 230 127.0.0.1 TCP_MISS/200 62539 CONNECT entrepreneurship.ncsu.edu:443 - DIRECT/152.1.227.116 -
which requires SSL Bumping (I believe), though there is no reference in the current configs to the use of SSL bumping.
I used curl to test the new proxy. When I attempt to proxy an external https connection, this is the result:
$ curl --proxy http://127.0.0.1:3128 https://www.google.com
curl: (56) Received HTTP code 503 from proxy after CONNECT
Proxying internal (ncsu.edu) connections this way is working correctly for http and https.
When I change my squid.conf from:
http_port 3128
to
http_port 3128 ssl-bump \
cert=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
I now get the following error:
squid[5796]: FATAL: No valid signing SSL certificate configured for HTTP_port [::]:3128
The certs on the new server are newer, but otherwise appear to be correct.
Are there changes in the SSL bump config between 3.1 and 3.3 that would cause this kind of failure? Where should I be looking for the problem?
No previous experience with squid until this project. I've been doing much RTM (including the O'Reilly Squid book), searching online and debugging these past few days. Suggestions appreciated.
Thanks,
Tom
--
Thomas Karches
NCSU OIT CSI - Systems Specialist
M.E Student - STEM Education
Hillsborough 319 / 919.515.5508
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
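A pre-flight check for the file named in `cert=`, added here as an example and not taken from the post or from the Squid project. With `generate-host-certificates=on` Squid has to sign the per-host certificates it mints, so the `cert=` file must contain a CA certificate together with that CA's private key; a distribution trust bundle such as tls-ca-bundle.pem holds only public certificates. The script below tests those conditions (a certificate is present, exactly one rather than a bundle, a private key is present, the certificate is a CA, and the key matches the certificate) and also builds a constructed throwaway CA and a constructed certificate-only "bundle" so the check can be exercised offline. It assumes only that the `openssl` command-line tool is installed; the file path on the usage line is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post or from Squid): sanity-check the PEM
# file given to "http_port ... ssl-bump cert=..." before starting the proxy.
# Assumes the openssl CLI is installed.

# check_bump_cert FILE -> exit status 0 if FILE looks usable as a bump signing CA;
# prints the first failed condition and returns 1 otherwise.
check_bump_cert() {
    local pem="$1" ncerts cert_pub key_pub
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$pem"; then
        echo "FAIL: $pem contains no certificate"; return 1
    fi
    ncerts=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pem")
    if [ "$ncerts" -gt 1 ]; then
        echo "WARN: $pem holds $ncerts certificates; that looks like a trust bundle, not one signing CA"
    fi
    if ! grep -q -- 'PRIVATE KEY-----' "$pem"; then
        echo "FAIL: $pem carries no private key, so nothing can be signed with it"; return 1
    fi
    # Only a CA certificate (basicConstraints CA:TRUE) may sign host certificates.
    if ! openssl x509 -in "$pem" -noout -text | grep -q 'CA:TRUE'; then
        echo "FAIL: the certificate in $pem is not a CA (no basicConstraints CA:TRUE)"; return 1
    fi
    # The private key must belong to that certificate: compare their public keys.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$pem" -pubout)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: the private key in $pem does not match the certificate"; return 1
    fi
    echo "OK: $pem is a CA certificate with its matching private key"
    return 0
}

# make_demo_signing_ca -> prints the path of a constructed, throwaway 30-day RSA CA
# stored the way Squid expects: private key and certificate in one PEM file.
make_demo_signing_ca() {
    local dir
    dir=$(mktemp -d)
    cat > "$dir/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Constructed example bump CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -config "$dir/req.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    cat "$dir/ca.key" "$dir/ca.crt" > "$dir/bump-ca.pem"
    echo "$dir/bump-ca.pem"
}

# make_demo_trust_bundle SIGNING_PEM -> prints the path of a constructed file that
# mimics a distribution trust bundle: public certificates only, no private key.
make_demo_trust_bundle() {
    local out
    out=$(dirname "$1")/trust-bundle.pem
    openssl x509 -in "$1" -out "$out"
    openssl x509 -in "$1" >> "$out"
    echo "$out"
}

# Usage (placeholder path): ./check_bump_cert.sh /path/to/bump-ca.pem
if [ $# -eq 1 ]; then
    check_bump_cert "$1"
fi
```

Run it against the file configured in `cert=`; the trust-bundle case fails at the private-key test, which is the condition a file extracted from the system CA store can never meet.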