Squid to listen to HTTPS

Squid to listen to HTTPS

avi_h
Hi,

I'm trying to get squid to listen to HTTPS in order to encrypt the traffic between the proxy and the user.
I'm running squid 3.5.19 and squid is compiled with the --with-openssl option which is required for https_port directive.
In order to accomplish that I used the following configuration:

https_port 3129 cert=/etc/squid/certificate.pem key=/etc/squid/privatekey.pem

However, when I try to connect from the browser using port 3129 I get a connection refused.
When running squid in debug mode I got the following in cache.log:

2017/05/14 21:10:19.854 kid1| 83,2| client_side.cc(3743) Squid_SSL_accept: Error negotiating SSL connection on FD 7: error:00000005:lib(0):func(0):DH lib

Please help me understand the reason.
Thanks.

Re: Squid to listen to HTTPS

Alex Rousskov
On 05/14/2017 03:49 PM, avi_h wrote:

> I'm trying to get squid to listen to HTTPS in order to encrypt the traffic
> between the proxy and the user.

> https_port 3129 cert=/etc/squid/certificate.pem key=/etc/squid/privatekey.pem


> However, when I try to connect from the browser using port 3129 I get a
> connection refused.
> When running squid in debug mode I got the following in cache.log:
>
> 2017/05/14 21:10:19.854 kid1| 83,2| client_side.cc(3743) Squid_SSL_accept:
> Error negotiating SSL connection on FD 7: error:00000005:lib(0):func(0):DH
> lib


FYI: The "connection refused" browser error does not seem to match
"Error negotiating SSL connection" Squid error, but perhaps it is just
your browser being a little misleading.


> Please help me understand the reason.

You have configured Squid to be an HTTPS proxy.

Did you configure your browser to use an HTTP proxy instead of an HTTPS
proxy? Some browsers support HTTPS proxies, but it is tricky to enable
that support so I have to ask. HTTP proxies expect plain HTTP requests.
HTTPS proxies expect encrypted HTTP requests.

If you are still having trouble, it may be useful to attach
browser-Squid packet capture when reproducing the problem with
http://www.example.com/ or a similar "trivial" site.

Alex.

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Squid to listen to HTTPS

avi_h
Hi Alex,

I figured out the issue was with the browser after consulting with a colleague.
I couldn't find any browser add-on that works in order to test this so I had a tester built just for that.
With the tester I was able to use the HTTPS proxy with no issues.
Thanks for your reply.

Regards,
Avi

Re: Squid to listen to HTTPS

Alex Rousskov
On 05/15/2017 01:56 PM, avi_h wrote:

> I couldn't find any browser add-on that works in order to test this so I had
> a tester built just for that.

FYI: Modern Curl releases support HTTPS proxies. Some popular browsers
support them too (without any add-ons!), but you need PAC files or other
tricks to configure that browser feature properly.

Alex.

Re: Squid to listen to HTTPS

avi_h
Hi Alex,

Thanks for the info.
I updated Curl to a newer version that supports HTTPS and managed to access the SSL proxy.
Much appreciated.

Regards,
Avi
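
A PAC file of the kind Alex Rousskov mentions for pointing a browser at an `https_port` listener, as an added example that is not part of the original thread. The proxy hostname `proxy.example.com` and the local-bypass rule are assumptions; port 3129 is the one from the configuration line in the first post.

```javascript
// Added example (not from the thread): PAC file for a Squid https_port listener.
var PROXY_HOST = "proxy.example.com"; // hypothetical name; it must match the proxy certificate
var PROXY_PORT = 3129;                // https_port value from the squid.conf line in the thread

// "HTTPS host:port" makes the browser open a TLS connection to the proxy and
// send its requests inside that connection. "PROXY host:port" would send
// plain HTTP to the same port, which an https_port listener cannot read as a
// TLS handshake.
var VIA_TLS_PROXY = "HTTPS " + PROXY_HOST + ":" + PROXY_PORT;

// Assumed bypass policy: loopback and single-label (intranet) names go direct.
function isLocalHost(host) {
  host = host.toLowerCase();
  if (host === "localhost") return true;
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true;
  // Single-label name: no dot, and no colon (colons appear in IPv6 literals).
  return host.indexOf(".") === -1 && host.indexOf(":") === -1;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  if (isLocalHost(host)) return "DIRECT";
  // No "; DIRECT" fallback here: if the proxy is unreachable the request
  // fails instead of silently leaving the encrypted proxy path.
  return VIA_TLS_PROXY;
}
```

Serve the file to the browser as its automatic proxy configuration URL; the browser validates the proxy certificate against the hostname given in the `HTTPS` entry.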