[squid-users] Existing root certificate not working with SSL Bump (squid 3.3.10)

HaxNobody nobody at hushmail.com
Wed Dec 10 21:23:46 UTC 2014


squid -v:

Squid Cache: Version 3.3.10
configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr'
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
'--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var'
'--libexecdir=${prefix}/lib/bloxx-squid3' '--srcdir=.'
'--disable-maintainer-mode' '--disable-dependency-tracking'
'--disable-silent-rules' '--datadir=/usr/share/squid3'
'--sysconfdir=/etc/squid3' '--mandir=/usr/share/man'
'--with-cppunit-basedir=/usr' '--with-logdir=/var/log/squid3'
'--with-swapdir=/var/spool/squid3' '--with-pidfile=/var/run/squid3.pid'
'--enable-dependency-tracking' '--enable-wccp' '--enable-wccp2'
'--disable-icmp' '--disable-htcp' '--disable-ident-lookups' '--disable-poll'
'--enable-ssl' '--enable-epoll' '--enable-delay-pools'
'--enable-default-languages=English' '--enable-err-languages=English'
'--enable-storeio=diskd,ufs,aufs' '--enable-async-io' '--enable-auth'
'--enable-basic-auth-helpers=LDAP,NCSA'
'--enable-digest-auth-helpers=password' '--enable-icap-client'
'--enable-underscores' '--with-maxfd=65536' '--with-default-user=proxy'
'--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2
-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -g
-O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security
-Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions
-Wl,-z,relro' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2
-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -g
-O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security
-Werror=format-security -Wall'

apparmor_status:

apparmor module is loaded.
7 profiles are loaded.
7 profiles are in enforce mode.
   /sbin/dhclient
   /usr/bin/freshclam
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/clamd
   /usr/sbin/ntpd
   /usr/sbin/tcpdump
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/bin/freshclam (1206)
   /usr/sbin/ntpd (1942)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

ip addr:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:15:5d:28:60:31 brd ff:ff:ff:ff:ff:ff
    inet 192.168.137.138/24 brd 192.168.137.255 scope global eth0
3: gre0: <NOARP> mtu 1476 qdisc noop state DOWN
    link/gre 0.0.0.0 brd 0.0.0.0

Unfortunately, these CA certificates aren't ones that I have created, and I
don't know what OpenSSL config flags might have been used to create them. We
have had them in use with other proxy software without getting any errors or
browser warnings once the root is installed. It's only with this server that
we get errors and warnings, even with the same cert installed in the
browser/on the machine.

I don't really want to share any other specific info (certs, IP addresses)
publicly, but let me know if you need them for testing and I will email them
to you.


