Re: Is there a way on client to show proxy's certificate?

how is port 3129 defined in squid.conf?

On 21.12.19 13:34, GeorgeShen wrote:
ssl_bump peek step1
ssl_bump stare step2
ssl_bump bump all
http_port 3128
http_port 3129 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB options=SINGLE_DH_USE:SINGLE_ECDH_USE tls-dh=prime256v1:/usr/local/squid/etc/dhparams.pem

this is an http port, speaking http.  This is not an https port, so you can't
speak https to it.  The difference between 3128 and 3129 is that when you issue a
CONNECT request to 3129, squid tries to communicate using SSL as if it were
the destination server (or whatever you configure in the ssl_bump options).

if you want to talk to squid on port 443, you must configure https_port.

BTW, the https/TLS bump through this server works. When using openssl
s_client, I get this result
(it says "no peer certificate available"):

this looks to me more like a failure to set up the SSL protocol.
I really wonder whether anything SSL related works at all.

you should check with:

openssl s_client -proxy 192.168.1.35:3129 -connect <host:port> -showcerts

on both squid ports to see the difference.


$ openssl s_client -connect 192.168.1.35:3129 -showcerts
CONNECTED(00000003)
4659451500:error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/ssl/ssl_pkt.c:386:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
   Protocol  : TLSv1.2
   Cipher    : 0000
   Session-ID:
   Session-ID-ctx:
   Master-Key:
   Start Time: 1576955529
   Timeout   : 7200 (sec)
   Verify return code: 0 (ok)
---



and if I run this openssl s_client on the proxy itself (should use the same
version of openssl):

$ openssl s_client -connect 127.0.0.1:3129 -showcerts
CONNECTED(00000003)
140248349009560:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:827:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 311 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
   Protocol  : TLSv1.2
   Cipher    : 0000
   Session-ID:
   Session-ID-ctx:
   Master-Key:
   Key-Arg   : None
   PSK identity: None
   PSK identity hint: None
   SRP username: None
   Start Time: 1576956256
   Timeout   : 300 (sec)
   Verify return code: 0 (ok)
---






--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

--
Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
(R)etry, (A)bort, (C)ancer
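As an added example (not code from the thread, from Matus or from Squid itself), here is a small Python client that does what `openssl s_client -proxy <proxy> -connect <host:port>` does against a Squid http_port carrying ssl-bump: it sends an HTTP CONNECT first and only then starts TLS inside the tunnel, returning the certificate the far end presents (on an ssl-bump port, the one Squid generated and signed with the bumping CA). It also includes a classifier for the "wrong version number" symptom: when a ClientHello is sent straight to an http port, the reply is HTTP text, and its first bytes are not a TLS record header. The proxy address 192.168.1.35:3129 and the CA path are taken from the thread; the target host, the `Optional` CA handling and the sample 400 reply are assumptions made for illustration.

```python
# Added example, not code from the thread or from Squid: a minimal client that
# does what `openssl s_client -proxy <proxy> -connect <host:port>` does against
# a Squid http_port carrying ssl-bump, plus a classifier for the
# "wrong version number" symptom seen when a ClientHello is sent to such a
# port without a preceding CONNECT. The proxy 192.168.1.35:3129 and the CA
# path are the ones from the thread; target host and sample reply are assumed.
import socket
import ssl
from typing import Optional, Tuple

TLS_HANDSHAKE_RECORD = 0x16  # content type of the record carrying ServerHello

# Constructed sample: what a plain http_port sends back when it receives bytes
# that are not an HTTP request (the exact text varies by Squid version).
SAMPLE_HTTP_PORT_REPLY = b"HTTP/1.1 400 Bad Request\r\nServer: squid\r\n\r\n"


def build_connect_request(host: str, port: int) -> bytes:
    """HTTP/1.1 CONNECT request asking the proxy for a tunnel to host:port.
    The TLS ClientHello is only sent after the proxy has answered 200."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode("ascii")


def parse_connect_response(data: bytes) -> Tuple[int, int]:
    """Parse the proxy's reply to CONNECT; returns (status_code, header_length)."""
    end = data.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("incomplete CONNECT response")
    status_line = data[:end].split(b"\r\n", 1)[0]
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), end + 4


def classify_first_bytes(first5: bytes) -> str:
    """Explain the first 5 bytes a TLS client reads after sending ClientHello.
    A TLS record header is type(1) major(1) minor(1) length(2). A plain
    http_port answers with HTTP text instead; parsed as a record header,
    b"HTTP/" has version bytes 0x54 0x54 ("TT"), which the TLS library rejects
    as 'wrong version number' (OpenSSL 1.0.x's s23 code says 'unknown protocol')."""
    if len(first5) < 5:
        return "short read"
    ctype, major, minor = first5[0], first5[1], first5[2]
    if ctype == TLS_HANDSHAKE_RECORD and major == 3:
        return f"tls handshake record, version 3.{minor}"
    if first5.startswith(b"HTTP/"):
        return (f"http text (record type 0x{ctype:02x}, "
                f"version 0x{major:02x}{minor:02x}): wrong version number")
    return "unknown protocol"


def bumped_peer_cert(proxy: Tuple[str, int], target: Tuple[str, int],
                     cafile: Optional[str] = None, timeout: float = 10.0) -> dict:
    """CONNECT through `proxy`, then run TLS inside the tunnel and return the
    certificate the far end presents. On an ssl-bump port that is the
    certificate Squid generated for the target, signed by the bumping CA
    (myCA.pem in the thread): pass that CA as `cafile` to verify it. With
    cafile=None verification is disabled and the PEM is returned for
    inspection only; never reuse that mode for real traffic."""
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    host, port = target
    with socket.create_connection(proxy, timeout=timeout) as raw:
        raw.sendall(build_connect_request(host, port))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = raw.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed the connection during CONNECT")
            buf += chunk
        status, hdr_len = parse_connect_response(buf)
        if status != 200:
            raise ConnectionError(f"CONNECT refused: {buf[:hdr_len]!r}")
        # The handshake now happens inside the tunnel; with ssl-bump the peer is Squid.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return {"pem": ssl.DER_cert_to_PEM_cert(der),
                    "tls_version": tls.version(),
                    "cipher": tls.cipher()[0],
                    "verified": cafile is not None}


if __name__ == "__main__":
    # What s_client saw in the thread when it skipped CONNECT: HTTP text, not TLS.
    print(classify_first_bytes(SAMPLE_HTTP_PORT_REPLY[:5]))
    # Assumed target; run from a host that can reach the proxy.
    info = bumped_peer_cert(("192.168.1.35", 3129), ("example.com", 443),
                            cafile="/usr/local/squid/etc/ssl_cert/myCA.pem")
    print(info["tls_version"], info["cipher"],
          "verified" if info["verified"] else "unverified")
    print(info["pem"])  # pipe into: openssl x509 -noout -subject -issuer
```

Run it once against each port: on 3128 the CONNECT is tunnelled and the returned certificate is the origin's, which will not verify against myCA.pem; on 3129 it is the Squid-generated certificate, which verifies only against the bumping CA. That difference is exactly what the `-proxy` form of s_client shows and what the direct `-connect 192.168.1.35:3129` form cannot.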
