[squid-users] Squid 3.4.10 and sslcrtd

Veiko Kukk vkukk at xvidservices.com
Mon May 18 11:23:16 UTC 2015


Hi

I'd like to know if I understand the Squid documentation properly.
I have the following http_port and sslbump configuration:

http_port 127.0.0.1:3128 ssl-bump generate-host-certificates=off cert=/var/spool/squid/ssl_cert/squid_ca.pem
ssl_bump server-first all

From the documentation:
generate-host-certificates[=<on|off>]
Dynamically create SSL server certificates for the destination hosts of 
bumped CONNECT requests. When enabled, the cert and key options are used 
to sign generated certificates. Otherwise generated certificate will be 
selfsigned.

I guess that means that if generate-host-certificates=off, there is no need 
for sslcrtd_program. Do I understand this correctly?

Unfortunately, Squid exits with a fatal error when trying to start without 
the sslcrtd_program configuration option.

2015/05/18 11:10:40 kid1| Accepting SSL bumped HTTP Socket connections at local=127.0.0.1:3128 remote=[::] FD 27 flags=9
2015/05/18 11:10:40 kid1| Done reading /var/spool/squid swaplog (0 entries)
2015/05/18 11:10:40 kid1| Store rebuilding is 0.00% complete
2015/05/18 11:10:40 kid1| Finished rebuilding storage from disk.
2015/05/18 11:10:40 kid1|         0 Entries scanned
2015/05/18 11:10:40 kid1|         0 Invalid entries.
2015/05/18 11:10:40 kid1|         0 With invalid flags.
2015/05/18 11:10:40 kid1|         0 Objects loaded.
2015/05/18 11:10:40 kid1|         0 Objects expired.
2015/05/18 11:10:40 kid1|         0 Objects cancelled.
2015/05/18 11:10:40 kid1|         0 Duplicate URLs purged.
2015/05/18 11:10:40 kid1|         0 Swapfile clashes avoided.
2015/05/18 11:10:40 kid1|   Took 0.01 seconds (  0.00 objects/sec).
2015/05/18 11:10:40 kid1| Beginning Validation Procedure
2015/05/18 11:10:40 kid1|   Completed Validation Procedure
2015/05/18 11:10:40 kid1|   Validated 0 Entries
2015/05/18 11:10:40 kid1|   store_swap_size = 0.00 KB
2015/05/18 11:10:40 kid1| WARNING: ssl_crtd #Hlpr0 exited
2015/05/18 11:10:40 kid1| Too few ssl_crtd processes are running (need 1/32)
2015/05/18 11:10:40 kid1| Closing HTTP port 127.0.0.1:3128
2015/05/18 11:10:40 kid1| storeDirWriteCleanLogs: Starting...
2015/05/18 11:10:40 kid1|   Finished.  Wrote 0 entries.
2015/05/18 11:10:40 kid1|   Took 0.00 seconds (  0.00 entries/sec).
FATAL: The ssl_crtd helpers are crashing too rapidly, need help!

Why does it still need sslcrtd_program? Note that the error message 
"WARNING: ssl_crtd #Hlpr0 exited" is misleading, because currently all 
sslcrtd-related configuration options are commented out and none of the 
ssl_crtd processes are started.

Best regards,
Veiko

