Many thanks Amos,
I followed your advice, unfortunately I'm not there yet. This is what I did,
please see where I went wrong now.
I reconfigured squid to use ssl-bump, configured both http and https sites
in Firefox FoxyProxy to port 3128.
In squid.conf I removed the https section and added:

http_port 3128 ssl-bump key=/root/security/mykey.key.pem cert=/root/security/mycert.crt.pem
ssl_bump allow all

It started ok, but failed again and I tried to access https site:

2011/03/01 11:03:51| Accepting bumpy HTTP connections at [::]:3128, FD 15.
2011/03/01 11:03:51| HTCP Disabled.
2011/03/01 11:03:51| Squid modules loaded: 0
2011/03/01 11:03:51| Adaptation support is off.
2011/03/01 11:03:51| Ready to serve requests.
2011/03/01 11:03:52| storeLateRelease: released 0 objects
2011/03/01 11:04:44| SSL unknown certificate error 20 in /C=IL/ST=NA/L=Haifa/O=IBM/OU=HRL/CN=Magen
2011/03/01 11:04:44| fwdNegotiateSSL: Error negotiating SSL connection on FD 13: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)

After reading other posts with a similar error I added:

http_port 3128 ssl-bump key=/root/security/mykey.key.pem cert=/root/security/mycert.crt.pem clientca=/root/security/myCertCA.crt.pem

Again it started ok, but failed on a different error trying to proxy an
https site:
2011/03/01 11:10:31| Accepting bumpy HTTP connections at [::]:3128, FD 15.
2011/03/01 11:10:31| HTCP Disabled.
2011/03/01 11:10:31| Squid modules loaded: 0
2011/03/01 11:10:31| Adaptation support is off.
2011/03/01 11:10:31| Ready to serve requests.
2011/03/01 11:10:32| storeLateRelease: released 0 objects
2011/03/01 11:11:08| clientNegotiateSSL: Error negotiating SSL connection on FD 12: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate (1/-1)

Again, please help, what did I do wrong now?
Many thanks, Ariel.
Received on Tue Mar 01 2011 - 11:55:40 MST