By the help of God
Update the squid.conf:
http_port 0.0.0.0:3128
http_port 0.0.0.0:3129 tproxy
http_port 0.0.0.0:3130 tproxy ssl-bump \
cert=/usr/local/squid/etc/ssl_cert/myCA.pem \
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
# For squid 4.x
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
Still the same issue.
On Thu, 15 Jun 2023 at 14:31, Ben Goz <ben.goz87@xxxxxxxxx> wrote:
By the help of God.
Hi,
I'm using squid with tproxy, including an https interception configuration.
The squid version is:
$ /usr/local/squid/sbin/squid -v
Squid Cache: Version 7.0.0-VCS
Service Name: squid
This binary uses OpenSSL 3.0.2 15 Mar 2022.
configure options: '--with-openssl' '--enable-ssl' '--enable-ssl-crtd' '--enable-icap-client' '--enable-linux-netfilter'
And the tproxy configuration works perfectly using http without ssl,
but using ssl I get the browser ssl error "ERR_SSL_PROTOCOL_ERROR".
Using curl I get the following output:
$ curl -iv https://www.google.com --cert ~/myCA.der
* Trying 172.217.22.68:443...
* Connected to www.google.com (172.217.22.68) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* could not load PEM client certificate, OpenSSL error error:0480006C:PEM routines::no start line, (no key found, wrong pass phrase, or wrong file format?)
* Closing connection 0
curl: (58) could not load PEM client certificate, OpenSSL error error:0480006C:PEM routines::no start line, (no key found, wrong pass phrase, or wrong file format?)
Squid's configuration:
http_port 0.0.0.0:3130 tproxy ssl-bump \
cert=/usr/local/squid/etc/ssl_cert/myCA.der \
key=/usr/local/squid/etc/ssl_cert/myCA.pem \
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
iptables rule:
$ sudo iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DIVERT tcp -- anywhere anywhere socket
TPROXY tcp -- anywhere anywhere tcp dpt:http TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
TPROXY tcp -- anywhere anywhere tcp dpt:https TPROXY redirect 0.0.0.0:3130 mark 0x1/0x1
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain DIVERT (1 references)
target prot opt source destination
MARK all -- anywhere anywhere MARK set 0x1
ACCEPT all -- anywhere anywhere
Did I miss something?
Thanks,
Ben
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
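The OpenSSL error quoted in the thread, "PEM routines::no start line", is raised when a PEM loader (curl's --cert with its default PEM type, and Squid's cert= option, both read PEM) finds no "-----BEGIN ...-----" line in the file; a DER file such as myCA.der is raw ASN.1 and has none. The following added example (not from the thread or from the Squid project) is a stdlib-only Python check that classifies a certificate or key file as PEM or DER and converts between the two encodings, so a mismatched file can be spotted before it reaches the proxy config; the SAMPLE_DER bytes are a constructed ASN.1 SEQUENCE, not a real certificate.

```python
import base64
import re

# A PEM block is base64 text between BEGIN/END lines sharing one label.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)

def _der_length_ok(data: bytes) -> bool:
    """Check that the outer SEQUENCE length field matches the file size."""
    first = data[1]
    if first < 0x80:            # short form: length in one byte
        length, offset = first, 2
    else:                       # long form: 0x80 | number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length = int.from_bytes(data[2:2 + n], "big")
        offset = 2 + n
    return offset + length == len(data)

def detect_encoding(data: bytes) -> str:
    """Classify certificate/key bytes as 'PEM', 'DER' or 'unknown'."""
    if PEM_RE.search(data):
        return "PEM"
    # DER X.509 certificates and PKCS#1/PKCS#8 keys are ASN.1 SEQUENCEs:
    # first byte is the SEQUENCE tag 0x30, followed by a length field.
    if len(data) >= 2 and data[0] == 0x30 and _der_length_ok(data):
        return "DER"
    return "unknown"

def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Wrap DER bytes as PEM: base64 body in 64-column lines between BEGIN/END."""
    body = base64.b64encode(der)
    lines = [body[i:i + 64] + b"\n" for i in range(0, len(body), 64)]
    return (f"-----BEGIN {label}-----\n".encode()
            + b"".join(lines)
            + f"-----END {label}-----\n".encode())

def pem_to_der(pem: bytes) -> tuple:
    """Return (label, DER bytes) for the first PEM block found."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no start line: not a PEM file")
    return m.group(1).decode(), base64.b64decode(m.group(2))

# Constructed sample: SEQUENCE { INTEGER 5 }, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])

if __name__ == "__main__":
    print(detect_encoding(SAMPLE_DER), detect_encoding(der_to_pem(SAMPLE_DER)))
```

Run it against the real files with `detect_encoding(open(path, "rb").read())`; a result of "DER" for a file handed to a PEM-only option is exactly the condition behind the "no start line" message.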