how is port 3129 defined in squid.conf?
On 21.12.19 13:34, GeorgeShen wrote:
> ssl_bump peek step1
> ssl_bump stare step2
> ssl_bump bump all
> http_port 3128
> http_port 3129 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB options=SINGLE_DH_USE:SINGLE_ECDH_USE tls-dh=prime256v1:/usr/local/squid/etc/dhparams.pem
This is an http port, speaking http. This is not an https port, so you can't speak https to it. The difference between 3128 and 3129 is: when you issue a CONNECT request to 3129, squid tries to communicate using SSL as if it was the destination server (or whatever you configure in the ssl_bump options). If you want to talk to squid on port 443, you must configure https_port.
> BTW, the https/TLS bump through this server works. When using openssl s_client, I get this result (it says "no peer certificate available"):
This looks to me more like a failure of setting up the SSL protocol. I really wonder whether anything SSL related works at all. You should check with:

openssl s_client -proxy 192.168.1.35:3129 -connect <host:port> -showcerts

on both squid ports to see the difference.
> $ openssl s_client -connect 192.168.1.35:3129 -showcerts
> CONNECTED(00000003)
> 4659451500:error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/ssl/ssl_pkt.c:386:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 5 bytes and written 0 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Start Time: 1576955529
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
> ---
>
> and if I run this openssl s_client on the proxy itself (should use the same version of openssl):
>
> $ openssl s_client -connect 127.0.0.1:3129 -showcerts
> CONNECTED(00000003)
> 140248349009560:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:827:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 311 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1576956256
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
--
Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
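The check suggested above, as an added example that is not from the thread or from Squid itself: a Python script that does what `openssl s_client -proxy ... -connect` does against the ssl-bump http_port (send CONNECT, then start TLS inside the tunnel), plus a small helper that tells from the first bytes a peer sends back whether it spoke TLS or plain HTTP, which is the reason a bare `-connect 192.168.1.35:3129` fails with "wrong version number". The proxy address and CA path are taken from the quoted squid.conf; the target host passed to `bumped_issuer` is an assumption.

```python
import socket
import ssl

# Proxy and CA path come from the quoted squid.conf; the target host is an assumption.
PROXY = ("192.168.1.35", 3129)                      # http_port ... ssl-bump
CA_FILE = "/usr/local/squid/etc/ssl_cert/myCA.pem"  # cert= from squid.conf


def build_connect_request(host, port):
    """The CONNECT request that `openssl s_client -proxy` sends before starting TLS."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()


def parse_connect_status(reply):
    """HTTP status code of the proxy's reply to CONNECT, or None if it is not HTTP."""
    parts = reply.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1])


def classify_first_bytes(data):
    """Say whether the peer's first bytes are a TLS record or plain HTTP.
    A bare `s_client -connect` to an http_port sends a ClientHello to a port that
    speaks HTTP; Squid answers with an HTTP error page, openssl reads it as a TLS
    record header and reports "wrong version number" / "unknown protocol"."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"    # handshake record, protocol version 3.x
    if data.startswith(b"HTTP/"):
        return "http"   # an HTTP listener, not a TLS listener
    return "unknown"


def bumped_issuer(target_host, target_port=443):
    """Like `openssl s_client -proxy 192.168.1.35:3129 -connect host:443`: CONNECT, then TLS.
    Returns the issuer of the certificate Squid presents; with `ssl_bump bump all`
    that is the bumping CA from squid.conf rather than the destination's public CA."""
    with socket.create_connection(PROXY, timeout=10) as raw:
        raw.sendall(build_connect_request(target_host, target_port))
        reply = b""
        while b"\r\n\r\n" not in reply:        # read the complete CONNECT reply
            chunk = raw.recv(4096)
            if not chunk:
                raise RuntimeError("proxy closed the connection during CONNECT")
            reply += chunk
        if parse_connect_status(reply) != 200:
            raise RuntimeError("CONNECT refused: %r" % reply.split(b"\r\n", 1)[0])
        ctx = ssl.create_default_context(cafile=CA_FILE)  # trust only the bumping CA
        with ctx.wrap_socket(raw, server_hostname=target_host) as tls:
            return tls.getpeercert()["issuer"]
```

Running `bumped_issuer` against port 3128 instead of 3129 should fail the TLS handshake, because a plain http_port forwards the tunnel to the real server and the issuer is then not myCA.pem.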