Squid with HTTPS in transparent mode not working



  • Hi All,

    I'm trying to configure Squid+SquidGuard for HTTP and HTTPS in transparent mode, but HTTPS doesn't work.
    I've tested with Splice All and Splice Whitelist as SSL/MITM Mode.

I have this fatal error in the log:

    /pkg_edit.php: The command '/usr/local/sbin/squid -f /usr/local/etc/squid/squid.conf' returned exit code '1', the output was '2017/09/20 22:44:40| FATAL: tproxy/intercept on https_port requires ssl-bump which is missing. FATAL: Bungled /usr/local/etc/squid/squid.conf line 6: https_port 127.0.0.1:3129 intercept Squid Cache (Version 3.5.26): Terminated abnormally. CPU Usage: 0.005 seconds = 0.000 user + 0.005 sys Maximum Resident Size: 45888 KB Page faults with physical i/o: 0'

    Please help!
    Giacomo (Italy)


  • Banned

    Fix your CA setting.



  • Hi,

What do you mean?
    I've set a CA.

    Thanks!


  • Banned

    You have set an unusable CA. This must be a local CA to which you either created directly on pfSense or which you have imported including the private key.



  • Hi,

I've created a new certificate and I now have a different error:

    /pkg_edit.php: The command '/usr/local/sbin/squid -k reconfigure -f /usr/local/etc/squid/squid.conf' returned exit code '1', the output was 'FATAL: No valid signing SSL certificate configured for HTTP_port 192.168.0.100:3128 Squid Cache (Version 3.5.26): Terminated abnormally. CPU Usage: 0.014 seconds = 0.014 user + 0.000 sys Maximum Resident Size: 52672 KB Page faults with physical i/o: 0'

    What's wrong?

    Thanks!


  • Banned

    You need to create a Certification AUTHORITY, not a certificate. Then select that newly created CA in the GUI. Dunno, this takes like a minute. Sigh.

    Note: Create it on pfSense. Stop importing something god knows what from somewhere god knows where. You are importing unusable invalid stuff.
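The two fatal errors quoted in this thread (an intercepting https_port without ssl-bump, and an ssl-bump port with no signing certificate configured) are both visible in the generated squid.conf before Squid is ever restarted. The script below is an added example, not code from the thread or from the pfSense Squid package: it runs a small pre-flight check over a squid.conf and flags exactly those two port-line problems. The two sample configurations are constructed inline, and every file path in them (the CA cert and key, ssl_crtd, the certificate database) is a placeholder rather than pfSense's real layout.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): pre-flight check over a
# squid.conf for the two fatal errors quoted in the thread:
#   1. https_port with intercept/tproxy but no ssl-bump
#      ("tproxy/intercept on https_port requires ssl-bump which is missing")
#   2. a port with ssl-bump but no cert= option
#      ("No valid signing SSL certificate configured for HTTP_port ...")
# All file paths below are placeholders, not pfSense's real layout.

# check_ports FILE: print each offending *_port line; exit status 1 if any found.
check_ports() {
    awk '
        /^[[:space:]]*https?_port[[:space:]]/ {
            if ($1 == "https_port" && /(intercept|tproxy)/ && !/ssl-bump/) {
                printf "line %d: intercepting https_port without ssl-bump: %s\n", NR, $0
                bad = 1
            }
            if (/ssl-bump/ && !/cert=/) {
                printf "line %d: ssl-bump port without cert= option: %s\n", NR, $0
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

BROKEN=$(mktemp) ; GOOD=$(mktemp)
trap 'rm -f "$BROKEN" "$GOOD"' EXIT

# Constructed sample mirroring the first error in the thread: the https_port
# intercept line carries no ssl-bump options at all.
cat >"$BROKEN" <<'EOF'
http_port 192.168.0.100:3128
http_port 127.0.0.1:3128 intercept
https_port 127.0.0.1:3129 intercept
EOF

# Constructed sample of a consistent layout: every port carries ssl-bump plus
# the local CA's cert and key (placeholder paths), and the bump rules splice
# every connection, which is what "Splice All" means.
cat >"$GOOD" <<'EOF'
http_port 192.168.0.100:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/path/to/local-ca.pem key=/path/to/local-ca.key
http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/path/to/local-ca.pem key=/path/to/local-ca.key
https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/path/to/local-ca.pem key=/path/to/local-ca.key
sslcrtd_program /path/to/ssl_crtd -s /path/to/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all
EOF

echo "== broken config =="
check_ports "$BROKEN" || echo "refusing to start Squid with this config"
echo "== fixed config =="
check_ports "$GOOD" && echo "port lines look consistent"
```

The check only mirrors the two messages from the thread; Squid's own parser is the authority, and `squid -k parse -f /usr/local/etc/squid/squid.conf` reports the same FATAL lines without restarting the running proxy. Note that a cert= option passing the check still fails at start-up if the file is a plain server certificate rather than a CA with its private key, which is the second problem the thread ran into.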



  • Hi,

I've solved it by creating a new "Internal" CA; now I have no errors in the system log!
    But I'm not able to surf HTTPS, since I have this error in my Firefox:

    An error occurred during a connection to www.google.it.
    SSL received a record that exceeded the maximum permissible length.
    Error code: SSL_ERROR_RX_RECORD_TOO_LONG

    Giacomo.



• You have to import the CA into Firefox manually. It's under options/advanced/certificates/view certificates/import.