Problems with Squid Proxy SSLi after reinstall - config from backup

[hv-tech]

Hi Forum,

So I recently had to rebuild my Opnsense box, and redeployed the backed up config. Everything is find except the Squid proxy.. So proxy works unless I use SSLi. I did everything that anyone might think of, reinstall squid packages (from the GUI) redeploy the SSL Cert for SSLi, tried a different interface. Nothing works, anyone have any ideas?


Posted are the 'cache logs'.
2023-03-07T10:52:11       squid   kid1| ERROR: failure while accepting a TLS connection on conn163 local=172.16.10.1:3128 remote=172.16.10.6:1180 FD 17 flags=1: 0x81cd39680*1   
2023-03-07T10:52:11       squid   kid1| ERROR: failure while accepting a TLS connection on conn162 local=172.16.10.1:3128 remote=172.16.10.6:1179 FD 13 flags=1: 0x81cd39680*1   
2023-03-07T10:52:10       squid   kid1| ERROR: failure while accepting a TLS connection on conn156 local=172.16.10.1:3128 remote=172.16.10.6:1178 FD 13 flags=1: 0x81cd39680*1   
2023-03-07T10:52:10       squid   kid1| ERROR: failure while accepting a TLS connection on conn150 local=172.16.10.1:3128 remote=172.16.10.6:1177 FD 13 flags=1: 0x81cd39680*1   
2023-03-07T10:52:10       squid   kid1| ERROR: failure while accepting a TLS connection on conn144 local=172.16.10.1:3128 remote=172.16.10.6:1176 FD 13 flags=1: 0x81cd39680*1   
2023-03-07T10:52:09       squid   kid1| ERROR: failure while accepting a TLS connection on conn138 local=172.16.10.1:3128 remote=172.16.10.6:1175 FD 13 flags=1: 0x81cd39680*1   
2023-03-07T10:52:08       squid   kid1| ERROR: failure while accepting a TLS connection on conn132 local=172.16.10.1:3128 remote=172.16.10.6:1174 FD 13 flags=1: 0x81cd39680*1   
2023-03-07T10:52:08       squid   kid1| ERROR: failure while accepting a TLS connection on conn126 local=172.16.10.1:3128 remote=172.16.10.6:1173 FD 17 flags=1: 0x81cd39680*1   
2023-03-07T10:52:08       squid   kid1| ERROR: failure while accepting a TLS connection on conn79 local=172.16.10.1:3128 remote=172.16.10.6:1164 FD 19 flags=1: 0x81cd39680*1   
2023-03-07T10:52:08       squid   kid1| ERROR: failure while accepting a TLS connection on conn120 local=172.16.10.1:3128 remote=172.16.10.6:1172 FD 13 flags=1: 0x81cd39680*1   
            listening port: 172.16.10.1:3128   
2023-03-07T10:52:08       squid   kid1| ERROR: failure while accepting a TLS connection on conn90 local=172.16.10.1:3128 remote=172.16.10.6:1171 FD 36 flags=1: 0x81cd3a940*1   
2023-03-07T10:52:08       squid   kid1| ERROR: failure while accepting a TLS connection on conn81 local=172.16.10.1:3128 remote=172.16.10.6:1166 FD 22 flags=1: 0x81cd3a940*1   
2023-03-07T10:52:08       squid   kid1| ERROR: failure while accepting a TLS connection on conn78 local=172.16.10.1:3128 remote=172.16.10.6:1163 FD 17 flags=1: 0x81cd3a940*1   
2023-03-07T10:52:08       squid   kid1| ERROR: failure while accepting a TLS connection on conn75 local=172.16.10.1:3128 remote=172.16.10.6:1160 FD 13 flags=1: 0x81cd3a4c0*1

[Fright]

Hi
3128 for tls? shouldn't it be 3129?

[hv-tech]

Your right it is, but it doesn't seem to want to hit that port.

[hv-tech]

Screenshot attached:

[Fright]

since it's lan address in error message (not loopback) I would say that the issue is in the clients proxy settings

[hv-tech]

I have another machine that I can test with, I'll give it a try.

[hv-tech]

Same problem on a different PC. Nothing has been changed on the end points. Just the reinstall of Opnsense.

[Fright]

so is it proxy set on clients or it worked in transparent mode?
How are the proxy settings set on the client?

[hv-tech]

Simple Windows manual proxy configuration.

[Fright]

аh, sorry, haven't looked under the squid hood for a long time. the message format may have been changed on squid 5.* migration..
try to make sure the client trusts the root certificate used by squid (helped on test vm)

[hv-tech]

Okay silly me, I reapplied the cert to the trust area and it works now. Must have added the wrong cert originally. Thanks for the help Fright, another head helped for this.

[Fright]

glad it works, thanks for the feedback! )