By the help of God.
Hi,
I'm using squid with tproxy including https interception configuration.
The squid version is:
$ /usr/local/squid/sbin/squid -v
Squid Cache: Version 7.0.0-VCS
Service Name: squid
This binary uses OpenSSL 3.0.2 15 Mar 2022. configure options: '--with-openssl' '--enable-ssl' '--enable-ssl-crtd' '--enable-icap-client' '--enable-linux-netfilter'
And the tproxy configuration works perfectly using HTTP without SSL,
but using SSL I'm getting the browser SSL error "ERR_SSL_PROTOCOL_ERROR".
And using curl I get the following output:
$ curl -iv https://www.google.com --cert ~/myCA.der
* Trying 172.217.22.68:443...
* Connected to www.google.com (172.217.22.68) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* could not load PEM client certificate, OpenSSL error error:0480006C:PEM routines::no start line, (no key found, wrong pass phrase, or wrong file format?)
* Closing connection 0
curl: (58) could not load PEM client certificate, OpenSSL error error:0480006C:PEM routines::no start line, (no key found, wrong pass phrase, or wrong file format?)
Squid's configuration:
http_port 0.0.0.0:3130 tproxy ssl-bump \
cert=/usr/local/squid/etc/ssl_cert/myCA.der \
key=/usr/local/squid/etc/ssl_cert/myCA.pem \
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
iptables rule:
$ sudo iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DIVERT tcp -- anywhere anywhere socket
TPROXY tcp -- anywhere anywhere tcp dpt:http TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
TPROXY tcp -- anywhere anywhere tcp dpt:https TPROXY redirect 0.0.0.0:3130 mark 0x1/0x1
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain DIVERT (1 references)
target prot opt source destination
MARK all -- anywhere anywhere MARK set 0x1
ACCEPT all -- anywhere anywhere
Did I miss something?
Thanks,
Ben
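Pre-flight checks for the certificate files handed to Squid's ssl-bump cert=/key= options, as an added example (not from Ben's post or the Squid project): both Squid and curl expect PEM, and OpenSSL's "PEM routines::no start line" error means it found no PEM armour in the file it was given. The function names are my own, and the sample files in the demo are constructed stand-ins, not real certificates.

```shell
#!/bin/sh
# Classify a file as PEM, DER or UNKNOWN by inspecting its bytes.
# PEM: text armour beginning with "-----BEGIN"; DER: first byte is 0x30
# (ASN.1 SEQUENCE). Squid's cert=/key= and curl's --cert/--cacert expect PEM,
# so a .der file in either place yields the "no start line" error.
cert_format() {
    file="$1"
    [ -r "$file" ] || { echo "UNKNOWN"; return 1; }
    if grep -q -- '-----BEGIN' "$file" 2>/dev/null; then
        echo "PEM"
    elif [ "$(od -An -tx1 -N1 "$file" | tr -d ' ')" = "30" ]; then
        echo "DER"
    else
        echo "UNKNOWN"
    fi
}

# Convert a DER certificate to PEM so Squid can load it (needs openssl).
der_to_pem() {
    openssl x509 -inform DER -in "$1" -out "$2"
}

# Verify that a PEM certificate and a PEM private key belong together by
# comparing the public keys they carry (needs openssl). Returns non-zero
# when either file cannot be parsed or the keys differ.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Demo on constructed sample files (not real certificates):
#   sh check_certs.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n' > "$tmp/ca.pem"
    printf '\060\202\001\002' > "$tmp/ca.der"   # constructed DER-style header
    echo "ca.pem is $(cert_format "$tmp/ca.pem")"
    echo "ca.der is $(cert_format "$tmp/ca.der")"
    rm -rf "$tmp"
fi
```

Run cert_format against the files named in cert= and key= before starting Squid; anything that does not report PEM should be converted with der_to_pem (or re-exported as PEM) and then checked with cert_matches_key.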
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users