Re: [squid-users] Https_port with "official" certificate

2016-08-25 Thread Amos Jeffries
On 26/08/2016 1:24 a.m., Samuraiii wrote: > On 25.8.2016 13:24, Diogenes Jesus wrote: >> Hi there. >> >> The config should work - I noticed only that you're using >> "--with-gnutls", but that shouldn't be an issue. Try it out and let us >> know how that worked for you. >> >> Dio >> >> Sent from

Re: [squid-users] Https_port with "official" certificate

2016-08-25 Thread Samuraiii
On 25.8.2016 13:24, Diogenes Jesus wrote: > Hi there. > > The config should work - I noticed only that you're using > "--with-gnutls", but that shouldn't be an issue. Try it out and let us > know how that worked for you. > > Dio > > Sent from my iPhone > Hello again, still same error... Complete

Re: [squid-users] Https_port with "official" certificate

2016-08-25 Thread Diogenes Jesus
Hi there. The config should work - I noticed only that you're using "--with-gnutls", but that shouldn't be an issue. Try it out and let us know how that worked for you. Dio Sent from my iPhone > On Aug 25, 2016, at 11:17 AM, Samuraiii wrote: > >> On 24.8.2016

Re: [squid-users] Https_port with "official" certificate

2016-08-25 Thread Samuraiii
On 24.8.2016 16:39, Diogenes S. Jesus wrote: > Oh, and a tiny little detail :) > > # squid -v > > Squid Cache: Version 4.0.13 > > Service Name: squid > > configure options: '--with-openssl' '--prefix=/usr' > '--localstatedir=/var' '--libexecdir=/lib/squid' > '--datadir=/share/squid'

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Alex Rousskov
On 08/24/2016 06:36 AM, Yuri Voinov wrote: > 24.08.2016 18:32, Antony Stone wrote: >> He wants to configure his browser to connect to the proxy over an SSL >> connection, and then inside this secure connection send standard HTTP and >> HTTPS requests > Yeah, I get it. It seems to me, is

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Diogenes S. Jesus
Oh, and a tiny little detail :) # squid -v Squid Cache: Version 4.0.13 Service Name: squid configure options: '--with-openssl' '--prefix=/usr' '--localstatedir=/var' '--libexecdir=/lib/squid' '--datadir=/share/squid' '--sysconfdir=/etc/squid' '--with-default-user=proxy'

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Diogenes S. Jesus
This configuration here covers the use case described by the OP: https://gist.githubusercontent.com/splashx/758ff0c59ea291f32edafc516fdaad73/raw/8050fa054821657812961050332b38a56e7e3e68/ If everything works well, you'll notice you won't support HTTP proxy at all, but users can reach both HTTP

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Amos Jeffries
Just to rewind this conversation to the actual problem ... On 24/08/2016 11:42 p.m., Samuraiii wrote: > On 24.8.2016 13:18, Antony Stone wrote: >> Unfortunately it's not Squid that's the challenge - it's the browser. >> >> If you're using Firefox and/or Chrome, you should be okay. >> >> See

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Yuri Voinov
24.08.2016 19:24, Antony Stone wrote: > On Wednesday 24 August 2016 at 14:35:03, Yuri Voinov wrote: > Then I do not understand what he wants op. >> >> http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection >> >>>

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Antony Stone
On Wednesday 24 August 2016 at 14:35:03, Yuri Voinov wrote: > >> Then I do not understand what he wants op. > > http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection > > > Secure connection to squid proxy without need for anything else (on > > client side) than

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Samurai
Ok This is answer (not) I was looking for. Thank you S On 24 August 2016 14:48:40 CEST, Yuri Voinov wrote: > >24.08.2016 18:44, Samuraiii wrote: >> >>> >>> > No SSL-bumping or whatever just forwarding. >>>

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Yuri Voinov
24.08.2016 18:44, Samuraiii wrote: > >> >> > No SSL-bumping or whatever just forwarding. >> Firstly, the concept is not safe. Users will have a secure connection to the proxy - as well as the next? HTTP? User misled green padlock, believes

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Samuraiii
> > > No SSL-bumping or whatever just forwarding. > Firstly, the concept is not safe. Users will have a secure connection > to the proxy - as well as the next? HTTP? User misled green padlock, > believes all secure connection - as external traffic is not encrypted > after the fact. Second.

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Yuri Voinov
Against this backdrop, even a bump SSL security seems a masterpiece. 24.08.2016 18:32, Antony Stone wrote: > On Wednesday 24 August 2016 at 14:26:48, Yuri Voinov wrote: > >> 24.08.2016 18:23, Antony Stone wrote: >>> On Wednesday 24 August 2016

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Yuri Voinov
24.08.2016 18:31, Samuraiii wrote: > >> look to the browser >> >> > like HTTPS ones. >> Then I do not understand what he wants op. >> >> >> > > http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection > > Secure

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Antony Stone
On Wednesday 24 August 2016 at 14:26:48, Yuri Voinov wrote: > 24.08.2016 18:23, Antony Stone wrote: > > On Wednesday 24 August 2016 at 14:18:46, Yuri Voinov wrote: > >> No one CA do not issue signing CA for subject, which is not CA itself. > >> > >> So, op wants impossible thing. > > > > Why

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Samuraiii
> look to the browser > > > like HTTPS ones. > Then I do not understand what he wants op. > > > http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection Secure connection to squid proxy without need for anything else (on client side) than configuring proxy in

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Yuri Voinov
24.08.2016 18:23, Antony Stone wrote: > On Wednesday 24 August 2016 at 14:18:46, Yuri Voinov wrote: > >> No one CA do not issue signing CA for subject, which is not CA itself. >> >> So, op wants impossible thing. > > Why would one need a signING

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Samuraiii
On 24.8.2016 14:24, Antony Stone wrote: > On Wednesday 24 August 2016 at 14:22:18, Samuraiii wrote: > >> On 24.8.2016 14:18, Yuri Voinov wrote: >>> No one CA do not issue signing CA for subject, which is not CA itself. >>> >>> So, op wants impossible thing. >> I have tried to drop clientca option,

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Antony Stone
On Wednesday 24 August 2016 at 14:22:18, Samuraiii wrote: > On 24.8.2016 14:18, Yuri Voinov wrote: > > No one CA do not issue signing CA for subject, which is not CA itself. > > > > So, op wants impossible thing. > > I have tried to drop clientca option, to add generate-host-certificates=off >

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Yuri Voinov
Predictable. 24.08.2016 18:22, Samuraiii wrote: > On 24.8.2016 14:18, Yuri Voinov wrote: > > >> No one CA do not issue signing CA for subject, which is not CA itself. >> >> So, op wants impossible thing. >> > I have tried to drop clientca

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Antony Stone
On Wednesday 24 August 2016 at 14:18:46, Yuri Voinov wrote: > No one CA do not issue signing CA for subject, which is not CA itself. > > So, op wants impossible thing. Why would one need a signING certificate just to create an SSL connection between the browser and Squid? Surely one merely

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Samuraiii
On 24.8.2016 14:18, Yuri Voinov wrote: > > No one CA do not issue signing CA for subject, which is not CA itself. > > So, op wants impossible thing. > I have tried to drop clientca option, to add generate-host-certificates=off but outcome is still same error... even with just this as config:

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Yuri Voinov
No one CA do not issue signing CA for subject, which is not CA itself. So, op wants impossible thing. 24.08.2016 18:15, Antony Stone wrote: > On Wednesday 24 August 2016 at 14:02:43, Samuraiii wrote: > >> Squid fails to start for me with: >>

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Diogenes S. Jesus
Just one thing I noticed: "clientca" is not the CA which issued your "cert" (sklad.duckdns.org) - it's the CA to be used when doing client-side authentication, which I'm not sure if you're doing. Dio On Wed, Aug 24, 2016 at 2:02 PM, Samuraiii wrote: > > > Please

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Antony Stone
On Wednesday 24 August 2016 at 14:02:43, Samuraiii wrote: > Squid fails to start for me with: > FATAL: No valid signing SSL certificate configured for HTTPS_port [::]:8443 > > I have found that this is related to missing self signed certificate, > and since I do not want to use self signed

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Samuraiii
> Please give more details for "fails". > > Is the following your entire squid.conf (except for comments)? > > Have you tried getting SSL access to Squid working before introducing > authentication? > > What are you trying, to test this, and what are the results? > > > Regards, > > > Antony.

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Antony Stone
On Wednesday 24 August 2016 at 13:42:16, Samuraiii wrote: > On 24.8.2016 13:18, Antony Stone wrote: > > > > See "Encrypted browser-Squid connection" at the bottom of > > http://wiki.squid-cache.org/Features/HTTPS > > I have seen that, it is the cause of my subscription to this list. > I haven't

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Samuraiii
On 24.8.2016 13:18, Antony Stone wrote: > Unfortunately it's not Squid that's the challenge - it's the browser. > > If you're using Firefox and/or Chrome, you should be okay. > > See "Encrypted browser-Squid connection" at the bottom of > http://wiki.squid-cache.org/Features/HTTPS > > > Antony. >

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Antony Stone
On Wednesday 24 August 2016 at 13:09:52, Samuraiii wrote: > Hello, > I am trying to setup squid as SSL protected proxy for few users without > any intention to use ssl-bumping or any other MITM technique. > I just want to have SSL secured connection between browser and proxy. > Proxy will not be