Re: [squid-users] Cannot access SSL pages on Squid 3.4

Thu, 06 Mar 2014 13:47:11 -0800 

On 2014-03-07 02:47, Filipe_A. wrote:

I´m new at Squid and I´m having some difficulties on configure squid to
access SSL pages. I goggled about it a create a certificate and signed it, but I cannot access any page, I only get message warning and when I click on 
proceed anyway I get an squid block message.
I´m using a virtual lab that has two VMs. One with squid and two network interfaces, one with NAT and another IP of a virtual LAN, in this VM I use shorewall and it is configured to redirect Internet from th0 to eth1, and the packages arrived on port 80 are redirect to 3128 and port 443 to 3130. 
The other VM has Win XP installed only to test the squid configuration.

Above is my squid.conf file.
http_port 3128 transparent
"squid -k parse" will tell you the option is called "intercept" now. Transparency is something different. 



https_port 3130 ssl­bump cert=/usr/etc/squid.pem key=/usr/etc/squid.pem
generate­host­

certificates=on options=NO_SSLv2 dynamic_cert_mem_cache_size=4MB


Missing the intercept option here.

Also, "squid -k parse" will tell you the option is called "ssl-bump".
acl localnet src 192.168.56.0/24 # RFC1918 possible internal 
network

## avoid proxy­chaining

always_direct allow all

## Always complete the server­side handshake before client­side

ssl_bump server­first all
Also, "squid -k parse" will tell you the option does not exist. It looks like you are wanting the option "server-first". 



## Allow server side certificate erros such untrusted certificates

sslproxy_cert_error allow all

## Or maybe deny all server side certificates errors

#sslproxy_cert_error deny all

## Accept certificates that fail verification

sslproxy_flags DONT_VERIFY_PEER



Try to avoid this violation of TLS.
The server-first feature makes it mostly unnecessary now.

<snip>


At the configuration of the squid I set this parameters
./configure --prefix=/usr --enable-shared --enable-icmp --enable-delay-polls 
--enable-sll --enable-ssl --enable-ssl-crtd --enable-linux-netfilter
--enable-auth --enable-basic-auth-helpers=NCSA,LDAP,SMB

Thanks in advace for the help,
F.A.




Amos

Reply via email to