Squid with HTTPS in transparent mode not working
I'm trying to configure Squid+SquidGuard for HTTP and HTTPS in transparent mode, but HTTPS doesn't work.
I've tested with Splice All and Splice Whitelist as SSL/MITM Mode.
I've this fatal error in the log:
/pkg_edit.php: The command '/usr/local/sbin/squid -f /usr/local/etc/squid/squid.conf' returned exit code '1', the output was '2017/09/20 22:44:40| FATAL: tproxy/intercept on https_port requires ssl-bump which is missing. FATAL: Bungled /usr/local/etc/squid/squid.conf line 6: https_port 127.0.0.1:3129 intercept Squid Cache (Version 3.5.26): Terminated abnormally. CPU Usage: 0.005 seconds = 0.000 user + 0.005 sys Maximum Resident Size: 45888 KB Page faults with physical i/o: 0'
Fix your CA setting.
what do you mean?
I've set a CA.
You have set an unusable CA. This must be a local CA to which you either created directly on pfSense or which you have imported including the private key.
I've created a new certificate and I have now a different error:
/pkg_edit.php: The command '/usr/local/sbin/squid -k reconfigure -f /usr/local/etc/squid/squid.conf' returned exit code '1', the output was 'FATAL: No valid signing SSL certificate configured for HTTP_port 192.168.0.100:3128 Squid Cache (Version 3.5.26): Terminated abnormally. CPU Usage: 0.014 seconds = 0.014 user + 0.000 sys Maximum Resident Size: 52672 KB Page faults with physical i/o: 0'
You need to create a Certification AUTHORITY, not a certificate. Then select that newly created CA in the GUI. Dunno, this takes like a minute. Sigh.
Note: Create it on pfSense. Stop importing something god knows what from somewhere god knows where. You are importing unusable invalid stuff.
I've solved, creating a new "Internal" CA; now I've no errors in system log!
But I'm not able to surf HTTPS since I've this error on my Firefox:
An error occurred during a connection to www.google.it.
SSL received a record that exceeded the maximum permissible length.
Error code: SSL_ERROR_RX_RECORD_TOO_LONG
J_Unit last edited by
You have to import the CA into firefox manually. Its under options/advanced/certificates/view certificates/import.