https not working

Question

https not working

squidoman opened this issue 8 years ago · 7 comments

Hi there; I can't cache https, I've been able to cache http only (pictures of bing gallery or complete pages of squid-cache.org for example), but when I try to cache https I get "The proxy server insn't responding" answer. When I try to fix the connection problem I get "The remote device or resource won't accept the connection". If I remove the ssl-bump mode and their options, everything works ok. The issue #53 has the same problem that mine, but it doesn't get clear to me how to solve it. My .pem files are the ones Diladele built, do I have to make my owns? There is the option "tls-dh" which points to a dhparams.pem file from where I copied the lines; I don't have that file, I have cert.pem and this is the one I point. Is that ok? My config file is as follow:

http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/cygdrive/e/Squid/etc/ssl/cert.pem capath=/cygdrive/e/Squid/etc/ssl cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=/cygdrive/e/Squid/etc/ssl/cert.pem options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslcrtd_program /cygdrive/e/Squid/lib/squid/ssl_crtd -s /cygdrive/e/Squid/var/cache/squid_ssldb -M 4MB -b 2048
always_direct allow all
ssl_bump allow all
#sslcrtd_children 10
sslcrtd_children 20 startup=10 idle=1
sslproxy_capath cygdrive/e/Squid/etc/ssl
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

I desperately need Squid. I own a cybercafe in a small town in Argentina. My Internet connection is pathetic: DL=1.58 Mbps, UL=0.48 Mbps to share among 12 PCs. Never used Linux, but tried to build Squid with MinGW (I was correcting the lines inside the .h files to end up the make, but the process was endless) after these, I tried Diladele. I tell you these just for you to know that if I have to make my .pem, .crt or CA files, I'll do it, I can or I will figure it out, is just that right now I'm completely blank.
Thanks in advance.

Answer 1 · 2017-03-29T14:06:32.000Z

Hey guys, is anybody there?
I know is a stupid question, but like I said, I'm completely blank. Please help me.
My Squid version is 3.5.24 and what I can't make it work is https.
Thanks.

Answer 2 · 2017-03-29T14:12:43.000Z

Hello Squidoman, we only build squid installer, we do not touch squid code. For all issues with squid configuration please contact squid mailing list.

Answer 3 · 2017-03-30T14:22:44.000Z

Thanks for responding ra-at-diladele-com (I assume you are Raphael). I'm sorry if I haven't been polite or clear. I've installed your software; I've been able to cache http; BUT when I try to cache https, it fails. I just need a guidance to that step, I'm not touching the code, I'm using your software.
I'll be glad if you show me how to set the https.
Thanks, and thanks for the free software, which is a treasure for people like me who don't understand Linux.

Answer 4 · 2017-04-03T20:21:50.000Z

Come on guys, I'm only asking for a step by step process for using the .pem files Diladele's give in its installation. Everyone runs it with no problem, tell me where is my error. Like I said, I need desperately Squid because of my Internet connection. I'm not intending to do any harm, stole passwords, sniff in anybody's account, just to give a better service in my small bussiness.
Thanks.

Answer 5 · 2017-04-03T21:38:42.000Z

HI squidoman,
Sorry, it is not that somebody tries to hide something from you, we simply do not use Windows build for https caching (as already been told we just build the installer).

Probably you do not initialize you pem files properly. We generated them using Cygwin, so if i were you I would try installing Cygwin and generating them in there, then replacing the ones given with installation and following this guide
http://wiki.squid-cache.org/Features/DynamicSslCert

Also all questions regarding squid can be posted to http://www.squid-cache.org/Support/mailing-lists.html , the community is very responsive there.
Sorry that could not help you further.

Another alternative would be to run squid in docker on Windows, this removes all Cygwin limitations (in particular helper's IO)

Answer 6 · 2017-04-03T22:16:57.000Z

Thanks ea-at-diladele-com (sorry if I've been rude),
The part of the initialization is a good starting point for me, like I said before I'm a completely newbie on this. I'll try my best now initializing the .pem files.
Thanks again for the free software man.

Answer 7 · 2019-02-07T15:31:20.000Z

https bumping working fine here!

Just gen a new cert.pem, using cygwin64:
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout cert.pem -out cert.pem