[squid-dev] squid-5.0.5-20210223-r4af19cc24 difference in behaviors between openbsd and linux

Robert Smith spamfree at wansecurity.com
Fri Oct 15 03:04:42 UTC 2021


I apologize for the ultra-long delay on this. I did just test this tonight and it worked properly under OpenBSD.

What would be the process for submitting a bug report?

-Robert


> On Mar 29, 2021, at 4:33 AM, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> 
> On 29/03/21 6:16 am, Eliezer Croitoru wrote:
>> Hey Robert,
>> I am not sure I understood what is the meaning of the description:
>> openbsd: Requiring client certificates.
>> linux: Not requiring any client certificates
> 
> @Eliezer:
>  They are startup messages Squid prints in cache.log when a TLS server context is initialized.
> 
> 
> 
>> -----Original Message-----
>> From: Robert Smith
>> Sent: Sunday, March 28, 2021 7:27 PM
>> Dear Squid-Dev list:
>> I could use some help on this one:
>> I have a build environment that is identical on linux, openbsd, and macosx.
>> In this scenario, I am developing under:
>> Ubuntu 18.04 - All patches and updates applied as of 3/24
>> OpenBSD 6.8 - All patches and updates applied as of 3/24
>> I will note that I am really only using the libc from each system, whereas every other component's dependencies (which are not many! Good job squid team!) are a part of my build system.
>> When building squid with the exact same tool chain and library stack, with the same configure options, I am seeing a difference in behavior on the two platforms:
>> The difference is that after parsing the configuration file, the two systems differ in whether or not they will require client certificates:
>> openbsd: Requiring client certificates.
>> linux: Not requiring any client certificates
>> 
> 
> What the message means depends on whether the http(s)_port, a cache_peer, or the outgoing https:// context is being initialized, and on the options that directive was supposed to be using (including the default security).
> 
> Looking at your logs I see:
> 
> 
> On OpenBSD Squid detects the presence of an IPv6 split-stack for networking, which means Squid has to clone the internal representation of all your squid.conf *_port settings and set up separate contexts and state for IPv4 versions of them.
> There seems to be a bug in that cloning process which is turning on the TLS client certificates feature. Please report this to our bugzilla so it does not get forgotten until fixed.
> 
> 
> On Linux Squid is detecting IPv6 disabled in the kernel networking setup, so it is disabling its own IPv6 support. That said, Linux has hybrid-stack networking, so the cloning would not happen anyway. If IPv6 were enabled here it would be somewhat more obvious that the IPv4 ports on OpenBSD are the odd ones.
> 
> 
> For a workaround you may be able to set sslflags=DELAYED_AUTH on the http*_port lines and leave your ACLs as they are without anything requiring a client certificate.
> 
> 
> 
>> # openbsd
>> root at openbsd:~# /root/squid.init conftest
> 
>> 2021/03/28 10:47:31| Processing: http_port 3128 ssl-bump cert=/opt/osec/etc/ssl_cert/squid-ca-cert+key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
>> 2021/03/28 10:47:31| Processing: https_port 3129 intercept ssl-bump cert=/opt/osec/etc/ssl_cert/squid-ca-cert+key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
> 
>> 2021/03/28 10:47:31| Processing: tls_outgoing_options cafile=/opt/osec/etc/pki/tls/certs/ca-bundle.crt
> 
> 
>> 2021/03/28 10:47:31| Initializing https:// proxy context
>> 2021/03/28 10:47:31| Requiring client certificates.
> 
> 
>> 2021/03/28 10:47:31| Initializing http_port [::]:3128 TLS contexts
>> 2021/03/28 10:47:31| Using certificate in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
>> 2021/03/28 10:47:31| Using certificate chain in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
>> 2021/03/28 10:47:31| Adding issuer CA: /C=US/ST=Kansas/L=Overland Park/O=Company, Inc./OU=Area 77/CN=local.corp.dom/emailAddress=ssladmin at Company.com
>> 2021/03/28 10:47:31| Using key in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
>> 2021/03/28 10:47:31| Not requiring any client certificates
> 
> 
>> 2021/03/28 10:47:31| Initializing http_port 0.0.0.0:3128 TLS contexts
>> 2021/03/28 10:47:31| Using certificate in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
>> 2021/03/28 10:47:31| Using certificate chain in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
>> 2021/03/28 10:47:31| Adding issuer CA: /C=US/ST=Kansas/L=Overland Park/O=Company, Inc./OU=Area 77/CN=local.corp.dom/emailAddress=ssladmin at Company.com
>> 2021/03/28 10:47:31| Using key in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
>> 2021/03/28 10:47:31| Requiring client certificates.
> 
> 
>> 2021/03/28 10:47:31| Initializing https_port [::]:3129 TLS contexts
>> 2021/03/28 10:47:31| Using certificate in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
>> 2021/03/28 10:47:31| Using certificate chain in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
>> 2021/03/28 10:47:31| Adding issuer CA: /C=US/ST=Kansas/L=Overland Park/O=Company, Inc./OU=Area 77/CN=local.corp.dom/emailAddress=ssladmin at Company.com
>> 2021/03/28 10:47:31| Using key in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
>> 2021/03/28 10:47:31| Not requiring any client certificates
> 
> 
>> 2021/03/28 10:47:31| Initializing https_port 0.0.0.0:3129 TLS contexts
>> 2021/03/28 10:47:31| Using certificate in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
>> 2021/03/28 10:47:31| Using certificate chain in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
>> 2021/03/28 10:47:31| Adding issuer CA: /C=US/ST=Kansas/L=Overland Park/O=Company, Inc./OU=Area 77/CN=local.corp.dom/emailAddress=ssladmin at Company.com
>> 2021/03/28 10:47:31| Using key in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
>> 2021/03/28 10:47:31| Requiring client certificates.
>> # linux
>> root at linux:~# /root/squid.init conftest
> 
>> 2021/03/28 10:48:21| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.
>> 2021/03/28 10:48:21| aclIpParseIpData: IPv6 has not been enabled.
>> 2021/03/28 10:48:21| aclIpParseIpData: IPv6 has not been enabled.
>> 2021/03/28 10:48:21| Initializing https:// proxy context
>> 2021/03/28 10:48:21| Requiring client certificates.
> 
>> 2021/03/28 10:48:21| Initializing http_port 0.0.0.0:3128 TLS contexts
>> 2021/03/28 10:48:21| Using certificate in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
>> 2021/03/28 10:48:21| Using certificate chain in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
>> 2021/03/28 10:48:21| Adding issuer CA: /C=US/ST=Kansas/L=Overland Park/O=Company, Inc./OU=Area 77/CN=local.corp.dom/emailAddress=ssladmin at Company.com
>> 2021/03/28 10:48:21| Using key in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
>> 2021/03/28 10:48:21| Not requiring any client certificates
> 
>> 2021/03/28 10:48:21| Initializing https_port 0.0.0.0:3129 TLS contexts
>> 2021/03/28 10:48:21| Using certificate in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
>> 2021/03/28 10:48:21| Using certificate chain in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
>> 2021/03/28 10:48:21| Adding issuer CA: /C=US/ST=Kansas/L=Overland Park/O=Company, Inc./OU=Area 77/CN=local.corp.dom/emailAddress=ssladmin at Company.com
>> 2021/03/28 10:48:21| Using key in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
>> 2021/03/28 10:48:21| Not requiring any client certificates
> 
> 
> 
> Amos
> 
> _______________________________________________
> squid-dev mailing list
> squid-dev at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-dev
> 
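As an added example (not code from this thread or from the Squid project), the following Python parser reads the cache.log conftest messages quoted above, pairs each *_port's IPv6 and IPv4 TLS contexts, and flags the pairs whose client-certificate setting disagrees, which is the symptom Amos attributes to the split-stack cloning. The sample log is constructed from the quoted OpenBSD lines with the repetitive certificate messages dropped.

```python
import re

# Constructed sample, modelled on the OpenBSD cache.log excerpt quoted in the thread
# (same Squid message formats; the "Using certificate ..." lines are omitted).
SAMPLE_LOG = """\
2021/03/28 10:47:31| Initializing https:// proxy context
2021/03/28 10:47:31| Requiring client certificates.
2021/03/28 10:47:31| Initializing http_port [::]:3128 TLS contexts
2021/03/28 10:47:31| Using key in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
2021/03/28 10:47:31| Not requiring any client certificates
2021/03/28 10:47:31| Initializing http_port 0.0.0.0:3128 TLS contexts
2021/03/28 10:47:31| Requiring client certificates.
2021/03/28 10:47:31| Initializing https_port [::]:3129 TLS contexts
2021/03/28 10:47:31| Not requiring any client certificates
2021/03/28 10:47:31| Initializing https_port 0.0.0.0:3129 TLS contexts
2021/03/28 10:47:31| Requiring client certificates.
"""

INIT_OUTGOING = re.compile(r"\| Initializing https:// proxy context$")
INIT_PORT = re.compile(r"\| Initializing (https?_port) (\S+) TLS contexts$")
REQUIRE = "| Requiring client certificates."
NO_REQUIRE = "| Not requiring any client certificates"


def parse_contexts(log_text):
    """Return [(context, requires_client_cert), ...] in initialisation order."""
    contexts, current = [], None
    for line in log_text.splitlines():
        port = INIT_PORT.search(line)
        if INIT_OUTGOING.search(line):
            current = "https://"          # the outgoing (tls_outgoing_options) context
        elif port:
            current = f"{port.group(1)} {port.group(2)}"
        elif current is not None and line.endswith(REQUIRE):
            contexts.append((current, True)); current = None
        elif current is not None and line.endswith(NO_REQUIRE):
            contexts.append((current, False)); current = None
    return contexts


def split_stack_mismatches(contexts):
    """Pair the [::]:port and 0.0.0.0:port clones of each *_port line.

    Both clones come from one squid.conf directive, so they must agree; any
    pair that does not is returned as {(directive, port): {family: flag}}.
    """
    by_port = {}
    for ctx, requires in contexts:
        if ctx == "https://":
            continue                      # not a listening port, has no clone
        directive, addr = ctx.split(" ", 1)
        host, port = addr.rsplit(":", 1)
        family = "ipv6" if host.startswith("[") else "ipv4"
        by_port.setdefault((directive, port), {})[family] = requires
    return {k: v for k, v in by_port.items()
            if len(v) == 2 and v["ipv4"] != v["ipv6"]}
```

Running it over the constructed log reports both listening ports, since their IPv4 clones require client certificates while the IPv6 originals do not; a hybrid-stack host with only 0.0.0.0 contexts yields no pairs and so no report.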
