[squid-users] Re: Hotmail issue in squid 3.4.4

From: vin_krish <vin.krish25_at_gmail.com>
Date: Thu, 22 May 2014 03:56:05 -0700 (PDT)

Hi Amos,

I have NAT'ed TCP ports 80 and 443 to 3128 and 3129 as below:

iptables -t nat -A PREROUTING -i eth1 -s 10.0.0.0/24 -p tcp -m tcp -m multiport --dports 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -i eth1 -s 10.0.0.0/24 -p tcp -m tcp -m multiport --dports 443 -j REDIRECT --to-ports 3129

and configured squid port as:

# HTTP browser explicit proxy config
http_port 8080

# HTTP port 80 NAT'ed
http_port 3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=cert.crt key=cert.key options=...

# HTTPS port 443 NAT'ed
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=cert.crt key=cert.key options=...

as I'm running Squid in transparent mode and use the ssl-bump server-first
option. I have imported my certificate into the Firefox browser. I want to
allow all SSL/TLS versions, so I have set "options=" in the port
configuration as described in the docs:
options=  Various SSL implementation options. The most important being:
    NO_SSLv2       Disallow the use of SSLv2
    NO_SSLv3       Disallow the use of SSLv3
    NO_TLSv1       Disallow the use of TLSv1.0
    NO_TLSv1_1     Disallow the use of TLSv1.1
    NO_TLSv1_2     Disallow the use of TLSv1.2
    SINGLE_DH_USE  Always create a new key when using temporary/ephemeral DH key exchanges
    ALL            Enable various bug workarounds suggested as "harmless" by OpenSSL.
                   Be warned that this reduces SSL/TLS strength to some attacks.
See OpenSSL SSL_CTX_set_options documentation for a complete list of options.
I tried with "options=ALL" and without "options=", but the "protocol
error" still exists when I go to 'http://www.hotmail.com'.

Am I missing something?

Thanks for replying,

krish

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Hotmail-issue-in-squid-3-4-4-tp4666020p4666068.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Received on Thu May 22 2014 - 10:56:54 MDT

This archive was generated by hypermail 2.2.0 : Thu May 22 2014 - 12:00:06 MDT
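Added example, not code from krish's post or from the Squid project: a POSIX shell script that prints the NAT and filter rules for the interception described in the thread and lints a squid.conf fragment for three quiet failure modes of an ssl-bump intercept port: a port directive split across indented lines without a trailing backslash (squid.conf only joins a line to the previous one after a backslash), an ssl-bump port with no cert= and key= for generate-host-certificates, and ssl-bump ports with no ssl_bump rule at all, in which case Squid tunnels the connection without bumping. The interface eth1, the 10.0.0.0/24 subnet and ports 3128/3129 come from the post; the certificate paths under /etc/squid and the two sample configurations embedded in the script are constructed for illustration.

```shell
#!/bin/sh
# Added example for the squid-users thread above; not code from the original
# post or from the Squid project. Assumptions (mine, not from the thread):
# certificate paths under /etc/squid and the two sample configs at the end.

# Print the NAT redirects for transparent interception together with filter
# rules that keep the intercept ports reachable from the LAN side only.
# Commands are printed, not executed, so the set can be reviewed offline;
# pipe the output into sh on the gateway to apply it.
intercept_rules() {
    lan_if=$1; lan_net=$2; http_p=$3; https_p=$4
    # PREROUTING only sees packets arriving on $lan_if, so Squid's own
    # outbound fetches (which leave through OUTPUT) are never redirected.
    echo "iptables -t nat -A PREROUTING -i $lan_if -s $lan_net -p tcp --dport 80 -j REDIRECT --to-ports $http_p"
    echo "iptables -t nat -A PREROUTING -i $lan_if -s $lan_net -p tcp --dport 443 -j REDIRECT --to-ports $https_p"
    # An intercept port accepts any TCP connection made to it, not only the
    # redirected ones, so refuse it on every interface except the LAN side.
    echo "iptables -A INPUT -i $lan_if -s $lan_net -p tcp -m multiport --dports $http_p,$https_p -j ACCEPT"
    echo "iptables -A INPUT -p tcp -m multiport --dports $http_p,$https_p -j DROP"
}

# Lint a squid.conf fragment read from stdin. Prints one finding per line;
# returns 0 when clean, 1 otherwise.
lint_squid_conf() {
    awk '
    BEGIN { bad = 0; pending = 0; bump_ports = 0; bump_rules = 0 }
    {
        # squid.conf continues a line only after a trailing backslash; an
        # indented line without one is a directive that has been split in two
        if (!pending && $0 ~ /^[ \t]+[^ \t#]/) {
            print "split directive, join it onto the previous line: " $0; bad = 1
        }
        logical = (pending ? logical " " $0 : $0)
        if (logical ~ /\\$/) { sub(/\\$/, "", logical); pending = 1; next }
        pending = 0
        if (logical ~ /^https?_port .*ssl-bump/) {
            bump_ports++
            # generate-host-certificates needs a signing cert and key on the port
            if (logical !~ /cert=/ || logical !~ /key=/) {
                print "ssl-bump port without cert= and key=: " logical; bad = 1
            }
        }
        if (logical ~ /^ssl_bump[ \t]/) bump_rules++
    }
    END {
        # with no ssl_bump rule Squid tunnels the connection without bumping
        if (bump_ports && !bump_rules) {
            print "ssl-bump port(s) configured but no ssl_bump rule"; bad = 1
        }
        exit bad
    }'
}

# Constructed sample configurations (not from the post) for self-checking.
# GOOD_CONF keeps each port on one logical line (one of them continued with
# a backslash) and has an ssl_bump rule; BAD_CONF splits the port options
# across indented lines and has no ssl_bump rule.
GOOD_CONF='http_port 8080
http_port 3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ca.crt key=/etc/squid/ca.key
https_port 3129 intercept ssl-bump generate-host-certificates=on \
  dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ca.crt key=/etc/squid/ca.key
ssl_bump server-first all'

BAD_CONF='http_port 3128 intercept ssl-bump
  generate-host-certificates=on
  cert=/etc/squid/ca.crt key=/etc/squid/ca.key'

# Usage:
#   intercept_rules eth1 10.0.0.0/24 3128 3129 | sh
#   printf '%s\n' "$GOOD_CONF" | lint_squid_conf && echo clean
#   printf '%s\n' "$BAD_CONF"  | lint_squid_conf || echo "fix the config"
```

The INPUT rules are the part most setups leave out: REDIRECT makes the intercept ports listen for the LAN, but nothing stops a host on another interface from connecting to 3128 or 3129 directly unless the filter table refuses it.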