On 23/12/19 7:26 pm, GeorgeShen wrote:
>> this is http port, speaking http. This is not a https port, so you can't
>> speak https to it. The difference between 3128 and 3129 is, when you issue
>> CONNECT request to 3129, squid tries to communicate using SSL as if it was
>> the destination server (or, whatever you configure in ssl_bump options).
>
>> if you want to talk to squid on port 443, you must configure https_port.
>
> because I'm doing the explicit proxy for https on this proxy server. if I
> configure
> "https_port 3129 ssl-bump ...",

That is port 3129, not port 443.

> then I get this error when doing the https
> proxy:
>
> 2019/12/22 22:07:15| FATAL: ssl-bump on https_port requires tproxy/intercept
> which is missing.
>
> so this to me means, I can only configure https_port if I'm using the
> intercept method, which I'm not.

That is saying the "ssl-bump" flag requires "intercept" on that port
directive.

SSL-Bump is intercepting the TLS layer. It makes no sense for a client
to explicitly open TCP connections to Squid when trying to perform TLS
with a different server elsewhere.

> Or is there a way to listen to the https_port with explicit proxy?

There is. Remove the ssl-bump stuff from that https_port line. Configure
it with a regular server cert and key.

What you have then is an "explicit TLS proxy" - a proxy clients need to
use TLS to communicate with.

>
>>> BTW, the https/TLS bump through this server works. when using the openssl
>>> s_client, get this result,
>>> (it says "no peer certificate available"):
>
>> this looks to me more like failure of setting up SSL protocol.
>> I really wonder something SSL related works at all.
>> you should check with:
>>
>> openssl s_client -proxy 192.168.1.35:3129 -connect <host:port> -showcerts
>>
>> on both squid ports to see the difference.
>
> The above command works for me, but I only get the certs from the real host,
> not the proxy server itself.

You seem(ed) to be in some confusion about what "the certs" actually
are. See my earlier response about that output.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
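
Added example (not part of the original thread and not Squid project code): a small Python check that classifies each http_port/https_port line along the lines of the reply above and flags the combination that triggers the FATAL error quoted in the thread. The sample config, its file paths, the mode labels and the tls-cert=/tls-key= option spelling (Squid 4+ naming) are assumptions.

```python
# Added example: lint Squid port directives for the ssl-bump/https_port rule.
# Constructed sample config; paths and tls-cert=/tls-key= spelling are assumptions.
SAMPLE_CONF = """\
# constructed sample, not from the thread
http_port 3128
http_port 3129 ssl-bump tls-cert=/etc/squid/bump-ca.pem
https_port 3130 ssl-bump tls-cert=/etc/squid/bump-ca.pem
https_port 3131 intercept ssl-bump tls-cert=/etc/squid/bump-ca.pem
https_port 3132 tls-cert=/etc/squid/proxy.pem tls-key=/etc/squid/proxy.key
"""

def classify(directive, flags):
    """Map one port directive and its option names to the mode it sets up."""
    bump = "ssl-bump" in flags
    intercepted = bool(flags & {"intercept", "tproxy"})
    if directive == "https_port":
        if bump and not intercepted:
            # Squid refuses to start: "ssl-bump on https_port requires tproxy/intercept"
            return "fatal-bump-needs-intercept"
        if intercepted:
            return "intercepted-tls-bump" if bump else "intercepted-tls"
        return "explicit-tls-proxy"      # clients speak TLS to the proxy itself
    if intercepted:
        return "intercepted-http"
    # Plain HTTP listener; with ssl-bump, CONNECT tunnels are handled per ssl_bump rules.
    return "explicit-http-connect-bump" if bump else "explicit-http"

def lint_ports(conf_text):
    """Return (line number, port, mode) for every http_port/https_port line."""
    results = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 2 or tokens[0] not in ("http_port", "https_port"):
            continue
        port = int(tokens[1].rsplit(":", 1)[-1])       # accepts "3129" or "host:3129"
        flags = {t.split("=", 1)[0] for t in tokens[2:]}
        results.append((lineno, port, classify(tokens[0], flags)))
    return results

def fatal_lines(conf_text):
    """Line numbers Squid would reject with the FATAL quoted in the thread."""
    return [n for n, _, mode in lint_ports(conf_text) if mode.startswith("fatal")]

if __name__ == "__main__":
    for lineno, port, mode in lint_ports(SAMPLE_CONF):
        print(f"line {lineno}: port {port}: {mode}")
```

Running it against a candidate squid.conf before a restart shows which listener is the explicit TLS proxy and which line would stop Squid from starting.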