> That is saying the "ssl-bump" flag requires "intercept" on that port
> directive.
>
> SSL-Bump is intercepting the TLS layer. It makes no sense for a client
> to explicitly open TCP connections to Squid when trying to perform TLS
> with a different server elsewhere.

But my proxy's purpose is to do the 'SSL-BUMP', with my config:

ssl_bump peek step1
ssl_bump stare step2
ssl_bump bump all
acl SSL_ports port 443
acl CONNECT method CONNECT
http_port 3128
http_port 3129 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB options=SINGLE_DH_USE:SINGLE_ECDH_USE tls-dh=prime256v1:/usr/local/squid/etc/dhparams.pem

The ssl-bump through this proxy seems to work. Am I doing this incorrectly?

>> Or is there a way to listen on the https_port with an explicit proxy?
>
> There is. Remove the ssl-bump stuff from that https_port line. Configure
> it with a regular server cert and key. What you have then is an
> "explicit TLS proxy" - a proxy clients need to use TLS to communicate with.

If I change the above configuration to (still wanting to do the ssl-bump operation):

http_port 3128
https_port 3129 cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB options=SINGLE_DH_USE:SINGLE_ECDH_USE tls-dh=prime256v1:/usr/local/squid/etc/dhparams.pem

then wget cannot get through this proxy:

$ export https_proxy=192.168.1.35:3129
$ wget https://www.cnn.com
--2019-12-23 14:34:22--  https://www.cnn.com/
Connecting to 192.168.1.35:3129... connected.
Failed reading proxy response: Connection reset by peer
Retrying.

Did I configure it wrong? Thanks.

- George
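As an added illustration (not code from the thread or from the Squid project), the following checker parses the port directives of a squid.conf snippet and classifies each one according to the rule quoted above: an https_port carrying the ssl-bump flag needs intercept (or tproxy), and an https_port without ssl-bump is an explicit TLS proxy that clients must talk TLS to. The sample configurations are the two from this message plus one constructed https_port line.

```python
import re
from dataclasses import dataclass, field


@dataclass
class PortDirective:
    directive: str                              # "http_port" or "https_port"
    listen: str                                 # e.g. "3129" or "192.168.1.35:3129"
    flags: set = field(default_factory=set)     # bare flags: ssl-bump, intercept, tproxy, ...
    options: dict = field(default_factory=dict) # key=value options: cert=..., tls-dh=...


def parse_port_directives(conf: str) -> list:
    """Extract http_port / https_port lines (comments stripped) into PortDirective objects."""
    ports = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("http_port", "https_port"):
            continue
        d = PortDirective(parts[0], parts[1])
        for tok in parts[2:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                d.options[key] = value
            else:
                d.flags.add(tok)
        ports.append(d)
    return ports


def describe(d: PortDirective) -> str:
    """Classify a port directive; the https_port rules follow the reply quoted in the message."""
    intercepting = bool(d.flags & {"intercept", "tproxy"})
    if d.directive == "https_port":
        if "ssl-bump" in d.flags:
            if intercepting:
                return "intercepted TLS port with SSL-Bump"
            return "ERROR: ssl-bump on https_port requires intercept or tproxy"
        return "explicit TLS proxy (clients must speak TLS to Squid itself)"
    if "ssl-bump" in d.flags:
        return ("intercepted" if intercepting else "explicit CONNECT") + " HTTP port with SSL-Bump"
    return "explicit HTTP proxy port (no bumping)"


def check_conf(conf: str) -> list:
    """Return [(directive, listen, classification), ...] for every port line in conf."""
    return [(d.directive, d.listen, describe(d)) for d in parse_port_directives(conf)]


# Constructed sample: George's first config (http_port with ssl-bump), second config
# (https_port without ssl-bump), and one hypothetical https_port that breaks the rule.
SAMPLE_CONF = """
http_port 3128
http_port 3129 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on
https_port 3130 cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on  # second config
https_port 3131 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem  # hypothetical: missing intercept
"""
```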