[squid-users] Ssl-Bump and revoked server certificates
Walter.H at mathemainzel.info
Wed Oct 7 15:32:51 UTC 2015
On 07.10.2015 16:48, Amos Jeffries wrote:
>> sslcrtvalidator_program cache=8192 ttl=240 /usr/lib64/squid/cert_valid.pl
>> sslcrtvalidator_children 12 startup=5 idle=1 concurrency=1
>> can I have a working sample of valid_cert.pl that results
>> in an "access denied" or any other error page of squid?
> An ERR result from the helper should result in the invalid certificate
> handling happening in Squid. Whether that results in a particular error
> page (or not) depends on several things I'm not completely certain about.
Not really, nothing different happens;
>> (it may bring this on any page that is ssl_bumped,
>> so I know the interface, because this here:
>> is wrong;
> Ah. I see the concurrency channel is not documented, but is being sent.
> What Squid version are you using?
I'm using squid 3.4.10, the build from Eliezer
>> instead of
>> I used a bash-script with this content
>> myprog 2>>/tmp/pre.log |/usr/lib64/squid/cert_valid.pl
>> and the C source of myprog:
>> #include <unistd.h>
>> int main( int argc, char* argv[ ] )
>> {
>>     static char szBuf[ 260 ];
>>     int nLen;
>>     /* copy everything Squid sends on stdin to stdout (the real helper in the pipe)
>>        and to stderr (redirected to /tmp/pre.log by the wrapper script) */
>>     while( ( nLen = read( 0, (void*) szBuf, 256 ) ) > 0 )
>>     {
>>         write( 1, (void*) szBuf, nLen );
>>         write( 2, (void*) szBuf, nLen );
>>     }
>>     return 0;
>> }
> This helper is broken. The protocol here or even other helpers, has
> never been to dump the input back to Squid.
be careful, this is part of the helper script above, to catch the
content, what's sent to the helper ...
> Input and output "lines" have different syntax and contents.
of course ...
>> so I got the ident content as stdout and stderr and there I caught e.g.
>> <CATCH CONTENT>
>> 0 cert_validate 3373 host=revoked.grc.com
>> cert_0=-----BEGIN CERTIFICATE-----
>> -----END CERTIFICATE-----
>> </CATCH CONTENT>
>> with this I could programme a correct certificate validator using OpenSSL,
>> but I MUST have a little bit more precise knowledge about the correct
>> can someone please explain how the 3373 of the CATCH CONTENT above is
> Documented in the wiki:
> "Total size of the following request bytes taken by the key=pair
> That is the byte size of the "host=...END CERTIFICATE-----" key-pair
> part of the message.
Ok, I'll try if something was kicked away ...
>> returns always "0 OK 0 \1"
>> what does \1 mean here?
> \1 is the binary code (0x01) for end of line/message this helper
> requires. We cannot use \n like other helpers since several \n are part
> of the cert PEM format.
is this also true for requests this helper receives?
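An added example in Python, not code from this thread, from Squid or from cert_valid.pl, showing the framing of the sslcrtvalidator helper messages as described above: the concurrency channel id, the "cert_validate" command, the byte size of the key=pair part (the 3373 in the captured request) and the 0x01 terminator. It assumes that requests use the same 0x01 terminator as the "0 OK 0 \1" response, that an ERR answer has the same layout as OK, and it only knows the host= and cert_N= keys seen in the capture; the PEM block is a constructed stand-in, not a real certificate.

```python
import re

# Terminator for one helper message. "\n" cannot be used because a PEM block
# contains many newlines (assumed to apply to requests as well as responses).
MSG_END = b"\x01"

# Only the keys seen in the captured request. Keys are matched at line start and
# by name, because a base64 line ending in "=" padding would otherwise look like one.
KEY_RE = re.compile(rb"(?m)^(host|cert_\d+)=")

# Constructed stand-in for a certificate (NOT a real PEM); the "==" line is there on purpose.
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n"
            "MIIBconstructedNotARealCert0\n"
            "c29tZWJhc2U2NHBhZGRpbmc==\n"
            "-----END CERTIFICATE-----")


def split_messages(stream: bytes):
    """Split a byte stream into complete messages (terminator stripped) plus the
    unfinished tail that still has to wait for more input."""
    msgs = stream.split(MSG_END)
    tail = msgs.pop()
    return msgs, tail


def parse_request(msg: bytes) -> dict:
    """Parse "<channel> cert_validate <size> <key=pair bytes>".
    <size> is the byte length of the key=pair part, i.e. from "host=" to the end
    of the last certificate. Raises ValueError on a malformed or truncated message."""
    channel, command, size, body = msg.split(b" ", 3)
    if command != b"cert_validate":
        raise ValueError("unexpected command %r" % command)
    declared = int(size)
    if declared != len(body):
        raise ValueError("size mismatch: declared %d, received %d" % (declared, len(body)))
    parts = KEY_RE.split(body)          # ['', key, value, key, value, ...]
    pairs = {k.decode(): v.rstrip(b"\n").decode() for k, v in zip(parts[1::2], parts[2::2])}
    return {"channel": channel.decode(), "size": declared, **pairs}


def is_well_formed(msg: bytes) -> bool:
    """True when parse_request accepts the message, False otherwise."""
    try:
        parse_request(msg)
        return True
    except ValueError:
        return False


def build_request(channel: str, host: str, certs) -> bytes:
    """Build a request in the captured layout, computing the size field correctly."""
    body = ("host=%s\n" % host).encode()
    body += b"\n".join(("cert_%d=%s" % (i, pem)).encode() for i, pem in enumerate(certs))
    return ("%s cert_validate %d " % (channel, len(body))).encode() + body + MSG_END


def build_response(channel: str, ok: bool) -> bytes:
    """"<channel> OK 0 \\x01" as quoted in the thread; ERR layout is assumed to match."""
    return ("%s %s 0 " % (channel, "OK" if ok else "ERR")).encode() + MSG_END


if __name__ == "__main__":
    stream = build_request("0", "revoked.grc.com", [FAKE_PEM]) + b"1 cert_validate 9 host=ex"
    complete, pending = split_messages(stream)
    for m in complete:
        req = parse_request(m)
        print("channel %s host %s size %d" % (req["channel"], req["host"], req["size"]))
        print(build_response(req["channel"], ok=True))
    print("waiting for the rest of:", pending)
```

The size check is the part worth keeping in a real helper: if the declared size and the received key=pair part disagree, the helper has either lost bytes or mis-framed the message, and answering OK on such input would validate a certificate it never saw.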