[squid-users] Configuring the sslbump

sven falempin sven.falempin at gmail.com
Thu Dec 11 19:03:51 UTC 2014


On Fri, Dec 5, 2014 at 5:19 PM, sven falempin <sven.falempin at gmail.com> wrote:
> Hello Squid,
>
> I am trying the sslBump and just following the doc; I also tried some
> random tutorials on the web that mostly look like copy pasta of the wiki.
> All I got is a FATAL...
>
> 2014/12/05 17:07:24.472| src/ssl/support.cc(1584)
> readSslX509CertificatesChain: Certificate is self-signed, will not
>  be chained
> 2014/12/05 17:07:24.500| src/ssl/support.cc(1446) contextMethod: Using
> SSLv2/SSLv3.
> 2014/12/05 17:07:24.500| src/ssl/support.cc(857) configureSslContext:
> Setting RSA key generation callback.
> 2014/12/05 17:07:24.500| src/ssl/support.cc(860) configureSslContext:
> Setting CA certificate locations.
> 2014/12/05 17:07:24.505| src/ssl/support.cc(903) configureSslContext: Not
> requiring any client certificates
> 2014/12/05 17:07:24.505| Initializing https_port 0.0.0.0:3129 SSL context
> 2014/12/05 17:07:24.505| src/tools.cc(564) leave_suid: leave_suid: PID 10872
> called
> 2014/12/05 17:07:24.505| src/tools.cc(586) leave_suid: leave_suid: PID 10872
> giving up root, becoming '_squid'
> FATAL: No valid signing SSL certificate configured for HTTPS_port
> 0.0.0.0:3129
> Squid Cache (Version 3.HEAD-20140626-r13480): Terminated abnormally.
>
> my certificates are all right
> 2014/12/05 17:07:24.505| Initializing https_port 0.0.0.0:3129 SSL context
> but suddenly they are... I don't recheck or something?
>
> the only non-logged code I see is this one:
>
>     if (!pkey || !cert || !X509_check_private_key(cert.get(), pkey.get())) {
>         pkey.reset(NULL);
>         cert.reset(NULL);
>     }
>
> But I swear I follow the doc and create the certificate normally.
>
> Is there a particular CN to use?
> Shall I emit a self-signed root and then another certificate for the proxy
> ??? Is this error not related at all to the certificate on the sslbump
> lines?
>
> Conf:
> # Squid normally listens to port 3128
> http_port 3128
> https_port 3129 intercept ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=2MB cert=/etc/squid/squid-proxy.crt key=/etc/squid/squid-proxy.key
>
> # dont forget ssl_crtd -c -s /var/db/squid/ssl when setup
> always_direct allow all
> ssl_bump client-first  all
> sslproxy_cert_error allow all
> # Or may be deny all according to your company policy
> # sslproxy_cert_error deny all
> sslproxy_flags DONT_VERIFY_PEER
> sslcrtd_program /usr/local/bin/ssl_crtd -s /var/db/squid/ssl -M 2MB
> sslcrtd_children 5
>
>
> Info:
>  # ls /var/db/squid/ssl
> certs     index.txt size
>
>
> --
> ---------------------------------------------------------------------------------------------------------------------
> () ascii ribbon campaign - against html e-mail
> /\


So it looks like the Squid guys didn't clone the certificate entry in
their clone method (you guys are sure you wanna stick to C++??).

And this test is done:

    if (Ip::EnableIpv6&IPV6_SPECIAL_SPLITSTACK && s->s.isAnyAddr()) {
        // clone the port options from *s to *(s->next)
        s->next = cbdataReference(s->clone());
        s->next->s.setIPv4();
    }

So with the right config the program failed.


Workaround: bind it to an IP.

Well done guys


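The failure path the post describes, as an added C++ model that is not Squid's own code: PortCfg, cloneBuggy, cloneFixed, startupOk and scenario are hypothetical stand-ins for Squid's port-config clone and its startup signing-cert check. A wildcard address triggers the split-stack clone, a clone that drops cert/key then fails the check, and binding the port to one IP skips the clone entirely (the workaround above).

```cpp
#include <string>
#include <memory>

// Hypothetical stand-in for Squid's per-port configuration (not Squid's code).
struct PortCfg {
    std::string addr;               // "0.0.0.0" stands for "any address"
    int port = 0;
    bool sslBump = false;
    std::string certFile;           // cert= option
    std::string keyFile;            // key= option
    std::unique_ptr<PortCfg> next;  // split-stack twin listener, if any

    // Clone that forgets the certificate options: the defect the post suspects.
    std::unique_ptr<PortCfg> cloneBuggy() const {
        auto c = std::make_unique<PortCfg>();
        c->addr = addr; c->port = port; c->sslBump = sslBump;
        return c;
    }
    // Clone that copies every option, so the IPv4 twin is usable.
    std::unique_ptr<PortCfg> cloneFixed() const {
        auto c = cloneBuggy();
        c->certFile = certFile; c->keyFile = keyFile;
        return c;
    }
};

// Mirrors the startup check: an ssl-bump port without cert and key is fatal.
bool hasSigningCert(const PortCfg& p) {
    return !p.sslBump || (!p.certFile.empty() && !p.keyFile.empty());
}

// Emulates the split-stack step: a wildcard address spawns an IPv4 twin via clone(),
// then every resulting listener must pass the signing-cert check.
bool startupOk(PortCfg& p, bool splitStack, bool useFixedClone) {
    if (splitStack && p.addr == "0.0.0.0")
        p.next = useFixedClone ? p.cloneFixed() : p.cloneBuggy();
    for (const PortCfg* cur = &p; cur; cur = cur->next.get())
        if (!hasSigningCert(*cur)) return false;
    return true;
}

// Builds the poster's https_port (constructed values) and runs the startup check.
bool scenario(const std::string& addr, bool splitStack, bool useFixedClone) {
    PortCfg p;
    p.addr = addr; p.port = 3129; p.sslBump = true;
    p.certFile = "/etc/squid/squid-proxy.crt";
    p.keyFile = "/etc/squid/squid-proxy.key";
    return startupOk(p, splitStack, useFixedClone);
}
```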

