By the help of God. Hi, I'm using squid with tproxy including https interception configuration.
The squid version is:

    $ /usr/local/squid/sbin/squid -v
    Squid Cache: Version 7.0.0-VCS
    Service Name: squid

    This binary uses OpenSSL 3.0.2 15 Mar 2022.

    configure options: '--with-openssl' '--enable-ssl' '--enable-ssl-crtd' '--enable-icap-client' '--enable-linux-netfilter'

And the tproxy configuration works perfectly using http without ssl, but using ssl I'm getting in browser ssl error "ERR_SSL_PROTOCOL_ERROR".

And using curl I get the following output:

    $ curl -iv https://www.google.com --cert ~/myCA.der
    * Trying 172.217.22.68:443...
    * Connected to www.google.com (172.217.22.68) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * could not load PEM client certificate, OpenSSL error error:0480006C:PEM routines::no start line, (no key found, wrong pass phrase, or wrong file format?)
    * Closing connection 0
    curl: (58) could not load PEM client certificate, OpenSSL error error:0480006C:PEM routines::no start line, (no key found, wrong pass phrase, or wrong file format?)

Squid's configuration:

    http_port 0.0.0.0:3130 tproxy ssl-bump \
        cert=/usr/local/squid/etc/ssl_cert/myCA.der \
        key=/usr/local/squid/etc/ssl_cert/myCA.pem \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

iptables rule:

    $ sudo iptables -t mangle -L
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    DIVERT     tcp  --  anywhere             anywhere             socket
    TPROXY     tcp  --  anywhere             anywhere             tcp dpt:http TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
    TPROXY     tcp  --  anywhere             anywhere             tcp dpt:https TPROXY redirect 0.0.0.0:3130 mark 0x1/0x1

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination

    Chain DIVERT (1 references)
    target     prot opt source               destination
    MARK       all  --  anywhere             anywhere             MARK set 0x1
    ACCEPT     all  --  anywhere             anywhere

Did I miss something?

Thanks,
Ben
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
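
The curl error quoted in the message above ("PEM routines::no start line") is what OpenSSL reports when a file handed to a PEM loader contains no `-----BEGIN` line, which is how a DER-encoded file looks to it. The following Python check is an added example, not part of the original post; the function names and the sample bytes are constructed for illustration. It tells the two encodings apart and converts a DER certificate to PEM.

```python
import ssl

def der_sequence_ok(data: bytes) -> bool:
    """True if data is exactly one definite-length ASN.1 SEQUENCE (outer shape of DER)."""
    if len(data) < 2 or data[0] != 0x30:      # 0x30 = SEQUENCE tag
        return False
    first = data[1]
    if first < 0x80:                          # short form: length fits in one byte
        header, length = 2, first
    elif first == 0x80:                       # indefinite length is not valid DER
        return False
    else:                                     # long form: next n bytes hold the length
        n = first & 0x7F
        if len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)       # no trailing or missing bytes

def classify(data: bytes) -> str:
    """Return 'pem', 'der' or 'unknown' for the raw bytes of a certificate or key file."""
    if b"-----BEGIN " in data:                # the "start line" a PEM loader looks for
        return "pem"
    if der_sequence_ok(data):
        return "der"
    return "unknown"

def cert_as_pem(data: bytes) -> str:
    """Return a certificate in PEM form; valid for certificate files only, not keys."""
    kind = classify(data)
    if kind == "pem":
        return data.decode("ascii")
    if kind == "der":
        return ssl.DER_cert_to_PEM_cert(data)  # base64 plus BEGIN/END CERTIFICATE lines
    raise ValueError("neither PEM nor a DER SEQUENCE")

# Constructed sample: minimal DER SEQUENCE { INTEGER 5 }, standing in for a .der file's bytes.
SAMPLE_DER = bytes.fromhex("3003020105")

if __name__ == "__main__":
    print(classify(SAMPLE_DER))
    print(cert_as_pem(SAMPLE_DER))
```

curl's `--cert` option names a client certificate; a CA certificate to trust is given with `--cacert`.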