Re: [squid-users] Squid SSL transparent proxy - SSL_connect:error in SSLv2/v3 read server hello A

From: Bill Houle <bill.houle_at_gmail.com>
Date: Thu, 17 Oct 2013 20:52:56 -0700

Based on more general experience - sorry, no specific Squid expertise
to help - that line stood out to me. The cert entry should reference a
.cer/crt file (in PEM format). The use of a CSR is wrong.

--bill

> On Oct 17, 2013, at 9:25 AM, Larry Zhao <thehiddendepth_at_gmail.com> wrote:
>
> Hi Bill, thanks a lot for helping.
>
> If what you mean is here: http_port 443 transparent
> cert=/home/larry/ssl/server.csr key=/home/larry/ssl/server.key
>
> Yes, I am sure that's a CSR file at that location.
> --
>
> Cheers ~
>
> Larry
>
>
>> On Fri, Oct 18, 2013 at 12:00 AM, Bill Houle <bill.houle_at_gmail.com> wrote:
>> Did you really point the Cert to the CSR (CertReq file), or is that a typo?
>>
>> --bill
>>
>>
>>
>>
>>> On Oct 17, 2013, at 8:45 AM, Larry Zhao <thehiddendepth_at_gmail.com> wrote:
>>>
>>> Hi, Guys,
>>>
>>>
>>> I am trying to set up an SSL proxy for one of my internal servers to
>>> visit `https://www.googleapis.com` using Squid, to make my Rails
>>> application on that server reach `googleapis.com` via the proxy.
>>>
>>>
>>> I am new to this, so my approach is to set up an SSL transparent proxy
>>> with Squid. I built `Squid 3.3` on Ubuntu 12.04, generated a pair of
>>> ssl key and crt, and configured Squid like this:
>>>
>>>
>>> http_port 443 transparent cert=/home/larry/ssl/server.csr
>>> key=/home/larry/ssl/server.key
>>>
>>>
>>> And left almost all other configurations default. The authorization
>>> of the dir that holds key/crt is `drwxrwxr-x 2 proxy proxy 4096
>>> Oct 17 15:45 ssl`
>>>
>>>
>>> Back on my dev laptop, I put `<proxy-server-ip> www.googleapis.com` in
>>> my `/etc/hosts` to make the call go to my proxy server.
>>>
>>>
>>> But when I tried it in my Rails application, I got:
>>>
>>>
>>> SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A:
>>> unknown protocol
>>>
>>>
>>> And I also tried with openssl in the CLI:
>>>
>>>
>>> openssl s_client -state -nbio -connect www.googleapis.com:443 2>&1
>>> | grep "^SSL"
>>>
>>> SSL_connect:before/connect initialization
>>> SSL_connect:SSLv2/v3 write client hello A
>>> SSL_connect:error in SSLv2/v3 read server hello A
>>> SSL_connect:error in SSLv2/v3 read server hello A
>>>
>>>
>>> Where did I go wrong?
>>>
>>> --
>>>
>>> Cheers ~
>>>
>>> Larry
Received on Fri Oct 18 2013 - 03:53:11 MDT
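
The point raised in this thread, that cert= must name a PEM certificate and not a CSR, can be checked before Squid is started. The following is an added example, not part of the original messages and not Squid code: it reads the cert= and key= options of one http_port line and classifies each file by its PEM armor label. The function names, the server.crt path and the sample file contents are constructed for illustration.

```python
import re
import shlex

# PEM armor label, e.g. "CERTIFICATE" or "CERTIFICATE REQUEST".
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.MULTILINE)
KINDS = {
    "CERTIFICATE": "certificate", "X509 CERTIFICATE": "certificate",
    "TRUSTED CERTIFICATE": "certificate",
    "CERTIFICATE REQUEST": "csr", "NEW CERTIFICATE REQUEST": "csr",
    "PRIVATE KEY": "private-key", "RSA PRIVATE KEY": "private-key",
    "EC PRIVATE KEY": "private-key", "ENCRYPTED PRIVATE KEY": "private-key",
}


def pem_kind(text):
    """Classify a file by its first PEM label only; the body is not parsed."""
    m = PEM_BEGIN.search(text)
    if not m:
        return "not-pem"
    return KINDS.get(m.group(1), "other:" + m.group(1))


def check_http_port(line, read_text):
    """Return problems in the cert=/key= options; read_text(path) -> str is injected."""
    opts = dict(tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok)
    problems = []
    for opt, wanted in (("cert", "certificate"), ("key", "private-key")):
        if opt in opts:
            kind = pem_kind(read_text(opts[opt]))
            if kind != wanted:
                problems.append(f"{opt}={opts[opt]} is {kind}, expected {wanted}")
    return problems


# Constructed sample files: only the armor lines matter, the bodies are dummies.
SAMPLE_FILES = {
    "/home/larry/ssl/server.csr":
        "-----BEGIN CERTIFICATE REQUEST-----\nZHVtbXk=\n-----END CERTIFICATE REQUEST-----\n",
    "/home/larry/ssl/server.crt":  # hypothetical path, not from the thread
        "-----BEGIN CERTIFICATE-----\nZHVtbXk=\n-----END CERTIFICATE-----\n",
    "/home/larry/ssl/server.key":
        "-----BEGIN RSA PRIVATE KEY-----\nZHVtbXk=\n-----END RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    line = ("http_port 443 transparent cert=/home/larry/ssl/server.csr "
            "key=/home/larry/ssl/server.key")
    for problem in check_http_port(line, SAMPLE_FILES.__getitem__):
        print(problem)
```

On a real host, pass a function that opens and reads the file in place of the sample dictionary lookup.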
