On 2016-01-04, C.L. Martinez <[email protected]> wrote:
> I have configured squid in an OpenBSD host acting as a transparent
> proxy. Actually all works OK for all traffic except for SSL/TLS, ex:
> port 443.
> [..]
>
> In my squid.conf:
>
> # Squid normally listens to port 3128
> http_port 127.0.0.1:3128
> http_port 127.0.0.1:3129 intercept
> http_port 127.0.0.1:3130 intercept ssl-bump \
>     cert=/etc/squid/ssl_cert/uxdom.org.cert \
>     key=/etc/squid/ssl_cert/uxdom.org.private \
>     generate-host-certificates=on version=1 \
>     options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
I've figured it out now. Change http_port to https_port for the SSL interception. You'll also want to generate DH parameters and specify them on the ssl-bump line.

  openssl dhparam -out /etc/ssl/dh2048.pem 2048

  https_port 127.0.0.1:3130 intercept ssl-bump cert=[...] dhparams=/etc/ssl/dh2048.pem

