[squid-users] Re: icap and https

From: arielf <arielf_at_il.ibm.com>
Date: Tue, 1 Mar 2011 03:55:36 -0800 (PST)

Many thanks Amos,

I followed your advice, unfortunately I'm not there yet. This is what I did,
please see where I went wrong now.

I reconfigured squid to use ssl-bump, configured both http and https sites
in firefox foxyproxy to port 3128.
In squid.conf I removed the https section and added:
http_port 3128 ssl-bump key=/root/security/mykey.key.pem cert=/root/security/mycert.crt.pem
ssl_bump allow all

It started OK, but failed again when I tried to access an https site:
2011/03/01 11:03:51| Accepting bumpy HTTP connections at [::]:3128, FD 15.
2011/03/01 11:03:51| HTCP Disabled.
2011/03/01 11:03:51| Squid modules loaded: 0
2011/03/01 11:03:51| Adaptation support is off.
2011/03/01 11:03:51| Ready to serve requests.
2011/03/01 11:03:52| storeLateRelease: released 0 objects
-----BEGIN SSL SESSION PARAMETERS-----
MHECAQECAgMBBAIANQQgOETLtr/8z9TaMvWhjyT6g3ZmAB87r+AjuOx7AmD8NvQE
MPMyqntXd1ZJwAebb4K+5KKX0f8vnMlQjjFo7kWuK1xJHQZnnu5YBONvcuyIbDj7
yKEGAgRNbRkcogQCAgEspAIEAA==
-----END SSL SESSION PARAMETERS-----
2011/03/01 11:04:44| SSL unknown certificate error 20 in
/C=IL/ST=NA/L=Haifa/O=IBM/OU=HRL/CN=Magen
2011/03/01 11:04:44| fwdNegotiateSSL: Error negotiating SSL connection on FD
13: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed (1/-1/0)

After reading other posts with a similar error I added:
http_port 3128 ssl-bump key=/root/security/mykey.key.pem cert=/root/security/mycert.crt.pem clientca=/root/security/myCertCA.crt.pem

Again it started ok, but failed on a different error trying to proxy an
https site:

2011/03/01 11:10:31| Accepting bumpy HTTP connections at [::]:3128, FD 15.
2011/03/01 11:10:31| HTCP Disabled.
2011/03/01 11:10:31| Squid modules loaded: 0
2011/03/01 11:10:31| Adaptation support is off.
2011/03/01 11:10:31| Ready to serve requests.
2011/03/01 11:10:32| storeLateRelease: released 0 objects
2011/03/01 11:11:08| clientNegotiateSSL: Error negotiating SSL connection on
FD 12: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not
return a certificate (1/-1)

Again, please help: what did I do wrong now?
Many thanks, Ariel.

Received on Tue Mar 01 2011 - 11:55:40 MST

This archive was generated by hypermail 2.2.0 : Sun Mar 13 2011 - 12:00:02 MDT
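An added example, not code from this thread or from the Squid project: a small Python parser that classifies cache.log lines like the ones quoted above by which side of the bumped connection failed (fwdNegotiateSSL is Squid acting as TLS client toward the origin server, clientNegotiateSSL is Squid acting as TLS server toward the browser) and unpacks the OpenSSL 1.x error codes into library/function/reason numbers. The sample log text is constructed from the lines in the post, re-joined where the mail client wrapped them; the X509 verify-code table is limited to a few codes and is an assumption that the reader will extend.

```python
import re

# Constructed sample: cache.log lines from the post, joined back into single lines.
SAMPLE_LOG = """\
2011/03/01 11:03:51| Ready to serve requests.
2011/03/01 11:04:44| SSL unknown certificate error 20 in /C=IL/ST=NA/L=Haifa/O=IBM/OU=HRL/CN=Magen
2011/03/01 11:04:44| fwdNegotiateSSL: Error negotiating SSL connection on FD 13: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2011/03/01 11:11:08| clientNegotiateSSL: Error negotiating SSL connection on FD 12: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate (1/-1)
"""

ERR_LIB_SSL = 20  # OpenSSL 1.x packs an error as lib<<24 | func<<12 | reason

# OpenSSL X509 verify result codes as printed in "SSL unknown certificate error N".
X509_VERIFY_CODES = {
    9: "X509_V_ERR_CERT_NOT_YET_VALID",
    10: "X509_V_ERR_CERT_HAS_EXPIRED",
    18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
}

# Which leg of the bumped connection each Squid function name belongs to.
SIDE = {"fwdNegotiateSSL": "squid->origin (Squid is the TLS client)",
        "clientNegotiateSSL": "browser->squid (Squid is the TLS server)"}

VERIFY_RE = re.compile(r"^\S+ \S+\| SSL unknown certificate error (?P<n>\d+) in (?P<subject>\S+)")
NEGOTIATE_RE = re.compile(
    r"^\S+ \S+\| (?P<fn>\w+NegotiateSSL): Error negotiating SSL connection on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]{8}):[^:]+:[^:]+:(?P<text>[^(]+)")

def unpack_openssl_error(code):
    """Split a packed OpenSSL 1.x error code into (lib, func, reason) numbers."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def parse_ssl_events(text):
    """Return one dict per TLS failure line; other log lines are ignored."""
    events = []
    for line in text.splitlines():
        m = VERIFY_RE.match(line)
        if m:
            n = int(m.group("n"))
            events.append({"kind": "verify", "code": n, "subject": m.group("subject"),
                           "name": X509_VERIFY_CODES.get(n, "unknown")})
            continue
        m = NEGOTIATE_RE.match(line)
        if m:
            lib, func, reason = unpack_openssl_error(int(m.group("code"), 16))
            events.append({"kind": "negotiate", "side": SIDE.get(m.group("fn"), "unknown"),
                           "fd": int(m.group("fd")), "lib": lib, "func": func, "reason": reason,
                           "is_ssl_lib": lib == ERR_LIB_SSL, "text": m.group("text").strip()})
    return events

if __name__ == "__main__":
    for ev in parse_ssl_events(SAMPLE_LOG):
        print(ev)
```

Run against a real cache.log, the two sides tell you whether to look at the origin server's chain (fwdNegotiateSSL) or at what Squid is asking of the browser (clientNegotiateSSL).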