[squid-users] ***SPAM*** Re: Random SSL bump DB corruption

Vdoctor vdoctor at neuf.fr
Thu Apr 9 13:09:40 UTC 2015


Yuri,

So what's next?

Do you mean we must "do-not-ssl-bump" wrong certificates?

And if a certificate not yet identified is requested by a user, it'll crash the Squid?

Any idea how to fix that issue?

Thanks in advance.

Bye Fred

 

From: Yuri Voinov [mailto:yvoinov at gmail.com]
Sent: Thursday 9 April 2015 15:04
To: Vdoctor; squid-users at lists.squid-cache.org
Subject: Re: ***SPAM*** Re: [squid-users] Random SSL bump DB corruption


-----BEGIN PGP SIGNED MESSAGE----- 
Hash: SHA256 
 
From my experience, it may occur as a result of forming a fake certificate of zero length (in the case where Squid cannot complete its formation for any reason).

In turn, the formation of such a certificate occurs, in particular, due to some error in the Squid code or in the characteristics of the server certificate. In particular, one of these servers is iTunes.

09.04.15 19:00, Vdoctor wrote:
> Yury,
>
> I checked the source code (3.4/3.5) ssl_crtd, the default size is 2048.
>     -b fs_block_size     File system block size in bytes. Need for processing
>                          natural size of certificate on disk. Default value is
>                          2048 bytes."
>
> /**
>  \ingroup ssl_crtd
>  * This is the external ssl_crtd process.
>  */
> int main(int argc, char *argv[])
> {
>     try {
>         size_t max_db_size = 0;
>         size_t fs_block_size = 2048;
>
>
> But the crazy thing is the index.txt (last line) is wrong, not complete. It seems the tool writes/saves wrong data; that's why it becomes corrupted and crashes the Squid.
>
> We have tried with a single ssl_crtd in the squid.conf, then one per worker, the same corruption.
>
> Bye Fred
>
> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of Yuri Voinov
> Sent: Thursday 9 April 2015 14:52
> To: squid-users at lists.squid-cache.org
> Subject: ***SPAM*** Re: [squid-users] Random SSL bump DB corruption
>
>
> Don't think this is critical. What is native fs block size?
>
> 09.04.15 13:29, Stakres wrote:
> > Hi Yuri,
>
> > We have checked the sslproxy_capath, all certifs updated.
> > OpenSSL is: OpenSSL 1.0.1e 11 Feb 2013 (Debian 7.8)
>
> > Additional point, the auto-signed certif is a 1024, could it be the problem?
> > Maybe we need to use the ssl_crtd with the option "-b 1024"
> > what do you think?
>
> > example of corrupted db:
> > *V    250402155004Z       7307E4A4E7FC6483C2B1D533821A7D2356DF1B88   unknown   /CN=r2---sn-q4f7sn7z.googlevideo.com+Sign=signTrusted+SignHash=SHA256
> > V    250402155004Z       2D1FC87E26AC4D8AB1E6F3B45E2C69EB36C7F8D3   unknown   /CN=seal.verisign.com+Sign=signTrusted+SignHash=SHA256
> > 6
> > *
>
> > the squid crashes when the index.txt becomes wrong... weird...
>
> > Bye Fred
>
>
>
> > --
> > View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Random-SSL-bump-DB-corruption-tp4670289p4670656.html
> > Sent from the Squid - Users mailing list archive at Nabble.com.
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users

-----BEGIN PGP SIGNATURE----- 
Version: GnuPG v2 
 
iQEcBAEBCAAGBQJVJni5AAoJENNXIZxhPexGTAkIAIx0ar6l6z84snTTem8XXZtD 
oO/MnUvMb5FB+2IRp74dq7cO5KzlcZUeOvbbmsMsXR2CAraPqiLyTb3m3/eKqLS1 
QdDRZZIuvV2GKyNizEzwwCV1W7QRjApbELc36rZC8fXVv5WArisDg3kk/Ycu3OeF 
p0TBHhMNBvFKd+8Ve8xUqKQn3J6fYAYB8FHBzpssmfGaaGK7PeDmZ3LofeYHlqDP 
eY7WKCzBQ7wOkezWJopBqkZH72OorLYHxOSanrNlbZ+5n2iO5wbuocm03F/QMJBc 
uTN71irqNwHiqGd95ThQjSlhOXHvUSHEKssALUgmfHWEtIUy1PhLQvCksLm2510= 
=ai9y 
-----END PGP SIGNATURE----- 
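Added example (not code from this thread, nor from the Squid project): a Python check that flags the two failure modes the thread describes, a truncated or malformed last line in ssl_crtd's index.txt and the zero-length generated certificates Yuri attributes the corruption to. It assumes the OpenSSL TXT_DB layout of six tab-separated fields (status, expiry, revocation date, serial, file, subject) that Fred's corrupted sample follows, and a db directory such as /var/lib/ssl_db with generated certificates under certs/ as <serial>.pem; both are assumptions, and the embedded index content is constructed from the quoted example.

```python
"""Sanity check for a Squid ssl_crtd certificate database (added example).

Assumptions, not confirmed by the thread: index.txt uses the OpenSSL TXT_DB
layout of six tab-separated fields
    status  expiry  revocation  serial  file  subject
and generated certificates live as <serial>.pem under certs/.
"""
import os
import re
from typing import List

STATUS = {"V", "R", "E"}                 # valid, revoked, expired
EXPIRY_RE = re.compile(r"^\d{12}Z$")      # YYMMDDHHMMSSZ, e.g. 250402155004Z
SERIAL_RE = re.compile(r"^[0-9A-Fa-f]+$")

# Constructed sample modelled on the corrupted index.txt quoted in the thread:
# two well-formed entries followed by a truncated last line ("6").
SAMPLE_INDEX = (
    "V\t250402155004Z\t\t7307E4A4E7FC6483C2B1D533821A7D2356DF1B88\tunknown\t"
    "/CN=r2---sn-q4f7sn7z.googlevideo.com+Sign=signTrusted+SignHash=SHA256\n"
    "V\t250402155004Z\t\t2D1FC87E26AC4D8AB1E6F3B45E2C69EB36C7F8D3\tunknown\t"
    "/CN=seal.verisign.com+Sign=signTrusted+SignHash=SHA256\n"
    "6"
)


def check_index_line(lineno: int, line: str) -> List[str]:
    """Return the list of problems found in one index.txt line."""
    problems = []
    fields = line.split("\t")
    if len(fields) != 6:
        problems.append(f"line {lineno}: expected 6 tab-separated fields, got {len(fields)}")
        return problems
    status, expiry, _rev, serial, _file, subject = fields
    if status not in STATUS:
        problems.append(f"line {lineno}: bad status {status!r}")
    if not EXPIRY_RE.match(expiry):
        problems.append(f"line {lineno}: bad expiry {expiry!r}")
    if not SERIAL_RE.match(serial):
        problems.append(f"line {lineno}: bad serial {serial!r}")
    if not subject.startswith("/"):
        problems.append(f"line {lineno}: bad subject {subject!r}")
    return problems


def check_index(text: str) -> List[str]:
    """Validate a whole index.txt.

    ssl_crtd appends one complete line per issued certificate, so a file that
    does not end in a newline is the simplest sign of an interrupted write.
    """
    problems = []
    if text and not text.endswith("\n"):
        problems.append("index.txt does not end with a newline (truncated last write?)")
    for lineno, line in enumerate(text.splitlines(), start=1):
        problems.extend(check_index_line(lineno, line))
    return problems


def find_empty_certs(certs_dir: str) -> List[str]:
    """Return paths of zero-length .pem files: the half-written fake
    certificates Yuri describes, which should be removed before the db is
    used again."""
    empty = []
    if not os.path.isdir(certs_dir):
        return empty
    for name in sorted(os.listdir(certs_dir)):
        path = os.path.join(certs_dir, name)
        if name.endswith(".pem") and os.path.isfile(path) and os.path.getsize(path) == 0:
            empty.append(path)
    return empty


def check_db(db_dir: str) -> List[str]:
    """Run both checks against an on-disk ssl_crtd db directory (layout assumed)."""
    problems = []
    index_path = os.path.join(db_dir, "index.txt")
    if os.path.isfile(index_path):
        with open(index_path, encoding="utf-8", errors="replace") as fh:
            problems.extend(check_index(fh.read()))
    else:
        problems.append(f"missing {index_path}")
    for path in find_empty_certs(os.path.join(db_dir, "certs")):
        problems.append(f"zero-length certificate: {path}")
    return problems


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        found = check_db(sys.argv[1])        # e.g. /var/lib/ssl_db (assumed path)
    else:
        found = check_index(SAMPLE_INDEX)    # offline demo on the constructed sample
    for p in found:
        print(p)
    sys.exit(1 if found else 0)
```

Run it with the db directory as its only argument (with Squid and its ssl_crtd helpers stopped, so the files are not being written while you read them); with no argument it checks the constructed sample and reports the missing trailing newline plus the one-field third line, which is exactly the shape of the corruption quoted above.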
