
Re: Certificate error using squid with tproxy configuration

By the help of God

Update the squid.conf:
http_port 0.0.0.0:3128
http_port 0.0.0.0:3129 tproxy
http_port 0.0.0.0:3130 tproxy ssl-bump \
  cert=/usr/local/squid/etc/ssl_cert/myCA.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# For squid 4.x
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB

acl step1 at_step SslBump1

ssl_bump peek step1
ssl_bump bump all

Still the same issue.

On Thu, 15 June 2023 at 14:31, Ben Goz <ben.goz87@xxxxxxxxx> wrote:
By the help of God.

Hi,
I'm using squid with tproxy including https interception configuration.

The squid version is:
$ /usr/local/squid/sbin/squid -v
Squid Cache: Version 7.0.0-VCS
Service Name: squid

This binary uses OpenSSL 3.0.2 15 Mar 2022. configure options:  '--with-openssl' '--enable-ssl' '--enable-ssl-crtd' '--enable-icap-client' '--enable-linux-netfilter'


And the tproxy configuration works perfectly using http without ssl,
But using ssl I'm getting in browser ssl error "ERR_SSL_PROTOCOL_ERROR"
And using curl I get the following output:

$ curl -iv https://www.google.com --cert ~/myCA.der
*   Trying 172.217.22.68:443...
* Connected to www.google.com (172.217.22.68) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* could not load PEM client certificate, OpenSSL error error:0480006C:PEM routines::no start line, (no key found, wrong pass phrase, or wrong file format?)
* Closing connection 0
curl: (58) could not load PEM client certificate, OpenSSL error error:0480006C:PEM routines::no start line, (no key found, wrong pass phrase, or wrong file format?)

Squid's configuration:
http_port 0.0.0.0:3130 tproxy ssl-bump \
  cert=/usr/local/squid/etc/ssl_cert/myCA.der \
  key=/usr/local/squid/etc/ssl_cert/myCA.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

iptables rule:
$ sudo iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        
DIVERT     tcp  --  anywhere             anywhere             socket
TPROXY     tcp  --  anywhere             anywhere             tcp dpt:http TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
TPROXY     tcp  --  anywhere             anywhere             tcp dpt:https TPROXY redirect 0.0.0.0:3130 mark 0x1/0x1

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination        

Chain DIVERT (1 references)
target     prot opt source               destination        
MARK       all  --  anywhere             anywhere             MARK set 0x1
ACCEPT     all  --  anywhere             anywhere

Did I miss something?

Thanks,
Ben
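
The curl failure quoted above ("PEM routines::no start line") is the message OpenSSL gives when it is handed something that is not PEM, and Squid's http_port cert= likewise expects a PEM file; curl's --cert option also loads a client certificate, whereas trusting an interception CA is done with --cacert. The script below is an added example for this archive page, not code from Ben's message or from the Squid project. It tells a PEM file from a DER file, converts DER to PEM when openssl is installed, and checks that a private key belongs to the CA certificate; the file names are placeholders.

```shell
#!/bin/sh
# Added example (not part of the original message or of Squid):
# sanity checks for the CA files used with "http_port ... ssl-bump cert= key=".

# cert_format FILE -> prints PEM, DER or UNKNOWN (no openssl needed)
cert_format() {
  if grep -q -- '-----BEGIN' "$1" 2>/dev/null; then
    echo PEM
  # a DER-encoded X.509 certificate begins with the ASN.1 SEQUENCE tag 0x30
  elif [ "$(od -A n -N 1 -t x1 "$1" 2>/dev/null | tr -d ' ')" = "30" ]; then
    echo DER
  else
    echo UNKNOWN
  fi
}

# to_pem IN OUT -> writes a PEM copy of IN to OUT (DER input requires openssl)
to_pem() {
  case "$(cert_format "$1")" in
    PEM) cp "$1" "$2" ;;
    DER) openssl x509 -inform der -in "$1" -out "$2" ;;
    *)   echo "unrecognised certificate format: $1" >&2; return 1 ;;
  esac
}

# key_matches_cert CERT.pem KEY.pem -> returns 0 when the key's public half
# equals the public key inside the certificate (requires openssl)
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  k=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$c" = "$k" ]
}

# Usage: sh check_ca.sh myCA.der myCA.key   (placeholder file names)
# Reports the input format, writes a PEM copy next to it and checks the key.
if [ "$#" -eq 2 ]; then
  out="${1%.*}.converted.pem"
  echo "$1: $(cert_format "$1")"
  to_pem "$1" "$out" && echo "wrote $out"
  if key_matches_cert "$out" "$2"; then
    echo "key matches certificate"
  else
    echo "key does NOT match certificate" >&2
  fi
fi
```

Once a PEM copy exists, the interception itself can be verified from a client with `curl -v https://example.com --cacert myCA.pem` (placeholder host and path): with the CA trusted, the handshake succeeds and the certificate chain curl prints is issued by the Squid CA rather than by the site's real CA.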


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users