So I was able to make this work:
1) scp Root Cert to pfsense (I sent it to /opt/ca.pem)
2) Edit squid.inc file, and add -ZZ option to the command (note: option requires version 3) The -ZZ option specifies to use startTLS
File: /usr/local/pkg/squid.inc (search file for appropriate line)
From ->
<pre><code>
$conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n";
</code></pre>
To ->
<pre><code>
$conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_ldap_auth -ZZ -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n";
</code></pre>
3) Edit squid.conf with same option:
File: /usr/pbi/squid-amd64/local/etc/squid/squid.conf (search file for appropriate line)
From ->
<pre><code>
auth_param basic program /usr/pbi/squid-amd64/local/libexec/squid/basic_ldap_auth -v 3 -b ou=People,dc=example,dc=com -D cn=nssproxy,ou=Services,dc=example,dc=com -w passHere -f "(&(objectClass=person)(uid=%s))" -u uid -P ldap.example.com:389
</code></pre>
To ->
<pre><code>
auth_param basic program /usr/pbi/squid-amd64/local/libexec/squid/basic_ldap_auth -ZZ -v 3 -b ou=People,dc=example,dc=com -D cn=nssproxy,ou=Services,dc=example,dc=com -w passHere -f "(&(objectClass=person)(uid=%s))" -u uid -P ldap.example.com:389
</code></pre>
<pre><code>
TLS_CACERT /opt/ca.pem
TLS_REQCERT allow
</code></pre>
With all this being said - my concern is that these changes will be overwritten at some point due to an update, reboot, restart, etc. What is the preferred method for adding changes/options that are not directly supported via the GUI?
If at all possible I would prefer to do this via the GUI (still hoping I missed the option) - I would like to stay away from hacks/customizations as much as possible.
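
An added example, not part of the original post or of the pfSense squid package: a small Python check over the two files edited above. It reports whether the helper line really uses StartTLS with LDAP v3, whether the bind password is passed inline, and whether the ldap.conf settings verify the server certificate. The sample inputs are constructed from the lines in the post, the function names are hypothetical, and `-Z`/`-ZZ` is treated as the StartTLS flag as the post describes.

```python
import shlex

# Constructed samples modelled on the squid.conf and ldap.conf lines in the post.
SQUID_CONF = (
    "auth_param basic program /usr/pbi/squid-amd64/local/libexec/squid/basic_ldap_auth "
    "-ZZ -v 3 -b ou=People,dc=example,dc=com -D cn=nssproxy,ou=Services,dc=example,dc=com "
    '-w passHere -f "(&(objectClass=person)(uid=%s))" -u uid -P ldap.example.com:389\n'
)
LDAP_CONF = "TLS_CACERT /opt/ca.pem\nTLS_REQCERT allow\n"

def helper_args(squid_conf):
    """Return the argv of the basic_ldap_auth helper line, or None if absent."""
    for line in squid_conf.splitlines():
        if line.strip().startswith("auth_param") and "basic_ldap_auth" in line:
            return shlex.split(line)[3:]  # drop "auth_param basic program"
    return None

def ldap_options(ldap_conf):
    """Parse ldap.conf 'KEY value' lines into a dict with upper-cased keys."""
    pairs = (l.split(None, 1) for l in ldap_conf.splitlines() if not l.lstrip().startswith("#"))
    return {p[0].upper(): p[1].strip() for p in pairs if len(p) == 2}

def audit(squid_conf, ldap_conf):
    """Hypothetical helper: list weaknesses in the LDAP auth transport settings."""
    argv = helper_args(squid_conf)
    if argv is None:
        return ["no basic_ldap_auth helper line found"]
    findings = []
    starttls = any(a in ("-Z", "-ZZ") for a in argv)  # the post uses -ZZ
    ldaps = any(a.startswith("ldaps://") for a in argv)
    if not (starttls or ldaps):
        findings.append("no TLS: bind and user passwords reach the LDAP server in cleartext")
    version = argv[argv.index("-v") + 1] if "-v" in argv[:-1] else None
    if starttls and version != "3":
        findings.append("StartTLS requires LDAP version 3 (-v 3)")
    if "-w" in argv:
        findings.append("bind password inline (-w); -W <file> keeps it off the command line")
    if starttls or ldaps:
        opts = ldap_options(ldap_conf)
        # ldap.conf defaults to 'demand'; 'hard' is an equivalent keyword.
        if opts.get("TLS_REQCERT", "demand").lower() not in ("demand", "hard"):
            findings.append("TLS_REQCERT is not 'demand': server certificate is not strictly verified")
        if not {"TLS_CACERT", "TLS_CACERTDIR"} & opts.keys():
            findings.append("no TLS_CACERT/TLS_CACERTDIR: server certificate cannot be verified")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SQUID_CONF, LDAP_CONF)) or "no findings")
```

Run against the constructed samples it reports the inline `-w` password and the `TLS_REQCERT allow` setting; with `TLS_REQCERT demand` and a `-W` secret file it reports nothing.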