By the help of God

Update the squid.conf:

http_port 0.0.0.0:3128
http_port 0.0.0.0:3129 tproxy
http_port 0.0.0.0:3130 tproxy ssl-bump \
  cert=/usr/local/squid/etc/ssl_cert/myCA.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
# For squid 4.x
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

Still the same issue.

On Thu, 15 Jun 2023 at 14:31, Ben Goz <ben.go...@gmail.com> wrote:

> By the help of God.
>
> Hi,
> I'm using squid with tproxy including https interception configuration.
>
> The squid version is:
> $ /usr/local/squid/sbin/squid -v
> Squid Cache: Version 7.0.0-VCS
> Service Name: squid
>
> This binary uses OpenSSL 3.0.2 15 Mar 2022. configure options:
> '--with-openssl' '--enable-ssl' '--enable-ssl-crtd' '--enable-icap-client'
> '--enable-linux-netfilter'
>
> And the tproxy configuration works perfectly using http without ssl,
> but using ssl I'm getting in the browser the ssl error "ERR_SSL_PROTOCOL_ERROR"
> and using curl I get the following output:
>
> $ curl -iv https://www.google.com --cert ~/myCA.der
> *   Trying 172.217.22.68:443...
> * Connected to www.google.com (172.217.22.68) port 443 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * could not load PEM client certificate, OpenSSL error error:0480006C:PEM routines::no start line, (no key found, wrong pass phrase, or wrong file format?)
> * Closing connection 0
> curl: (58) could not load PEM client certificate, OpenSSL error error:0480006C:PEM routines::no start line, (no key found, wrong pass phrase, or wrong file format?)
>
> Squid's configuration:
> http_port 0.0.0.0:3130 tproxy ssl-bump \
>   cert=/usr/local/squid/etc/ssl_cert/myCA.der \
>   key=/usr/local/squid/etc/ssl_cert/myCA.pem \
>   generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>
> iptables rule:
> $ sudo iptables -t mangle -L
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> DIVERT     tcp  --  anywhere             anywhere             socket
> TPROXY     tcp  --  anywhere             anywhere             tcp dpt:http TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
> TPROXY     tcp  --  anywhere             anywhere             tcp dpt:https TPROXY redirect 0.0.0.0:3130 mark 0x1/0x1
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> Chain DIVERT (1 references)
> target     prot opt source               destination
> MARK       all  --  anywhere             anywhere             MARK set 0x1
> ACCEPT     all  --  anywhere             anywhere
>
> Did I miss something?
>
> Thanks,
> Ben
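The OpenSSL message in the quoted curl output, "PEM routines::no start line", is what the PEM loader reports when it is handed a file without a `-----BEGIN ...-----` header, typically a DER-encoded file. Squid's `cert=`/`key=` options and curl's `--cert` (client certificate) and `--cacert` (trusted CA) options all read PEM. The following check is an added example written for this page, not code from the thread or from the Squid project: it classifies a file's bytes as PEM or DER by looking at the PEM armor and the ASN.1 SEQUENCE header, and converts between the two encodings. The sample bytes are a constructed minimal ASN.1 SEQUENCE standing in for a real certificate; no key material is involved.

```python
# Added example (not from the squid-users thread): classify a certificate
# file as PEM or DER and convert between the two encodings. The OpenSSL
# error "PEM routines::no start line" is what you get when a PEM reader is
# handed a DER file. SAMPLE_DER below is constructed (SEQUENCE { INTEGER 5 }),
# not a real certificate.
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def _der_length_matches(data: bytes) -> bool:
    """True if the ASN.1 length after the tag byte covers exactly the rest."""
    first = data[1]
    if first < 0x80:            # short form: one length byte
        length, hdr = first, 2
    else:                       # long form: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length = int.from_bytes(data[2:2 + n], "big")
        hdr = 2 + n
    return hdr + length == len(data)


def detect_format(data: bytes) -> str:
    """Return 'pem', 'der' or 'unknown' for the raw bytes of a file."""
    if PEM_RE.search(data):
        return "pem"
    # DER-encoded X.509 objects (certificates, keys) start with the ASN.1
    # SEQUENCE tag 0x30; checking the declared length avoids misreporting
    # arbitrary binary that happens to start with 0x30.
    if len(data) >= 2 and data[0] == 0x30 and _der_length_matches(data):
        return "der"
    return "unknown"


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Wrap DER bytes in the PEM armor that OpenSSL-based tools expect."""
    if detect_format(der) != "der":
        raise ValueError("input is not a DER-encoded ASN.1 SEQUENCE")
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n".encode("ascii")


def pem_to_der(pem: bytes) -> bytes:
    """Extract the first PEM block and decode it back to DER."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no PEM block found (this is OpenSSL's 'no start line')")
    return base64.b64decode(b"".join(m.group(2).split()))


# Constructed sample: DER for SEQUENCE { INTEGER 5 }, a stand-in for a
# certificate so the example runs without any key material.
SAMPLE_DER = bytes.fromhex("3003020105")

if __name__ == "__main__":
    print(detect_format(SAMPLE_DER))            # der
    pem = der_to_pem(SAMPLE_DER)
    print(pem.decode(), end="")
    print(detect_format(pem))                   # pem
    assert pem_to_der(pem) == SAMPLE_DER
```

Running `detect_format` over the bytes of `myCA.der` and `myCA.pem` before pointing Squid or curl at them tells you which file is in which encoding; for real files, `openssl x509 -inform DER -in myCA.der -out myCA.pem` does the same conversion the `der_to_pem` function shows.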
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users