[squid-users] HTTPS woes

Yuri Voinov yvoinov at gmail.com
Tue Apr 18 14:59:28 UTC 2017


I have an automated cron job to refresh the Mozilla CA bundle on a monthly basis.

Intermediate CAs, however, require non-scheduled maintenance. I
maintain them on demand.


18.04.2017 20:17, Olly Lennox wrote:
> Thanks Yuri! The Mozilla Bundle has worked!! Most of the major sites
> seem to be working which is all we need. How often do these
> certificates refresh? Would they need updating every month or so?
>  
> oliver at lennox-it.uk
> lennox-it.uk <http://lennox-it.uk/>
> tel: 07900 648 252
>
>
> ------------------------------------------------------------------------
> *From:* Yuri Voinov <yvoinov at gmail.com>
> *To:* Olly Lennox <oliver at lennox-it.uk>;
> "squid-users at lists.squid-cache.org" <squid-users at lists.squid-cache.org>
> *Sent:* Tuesday, 18 April 2017, 14:43
> *Subject:* Re: [squid-users] HTTPS woes
>
> You talked about two different things.
> 1. Root CAs are usually built into clients. For standalone use, the root CA
> bundle (from Mozilla) is usually distributed with openssl distributions. If you
> need it (or your openssl distribution does not contain the root CAs), you
> can find the separately distributed Mozilla CAs by a short googling:
> https://www.google.com/search?q=Mozilla+CA+bundle
> 2. Intermediate CAs are subordinate to root CAs. They do not exist
> in a governed repository (because supporting it is work, manual work,
> and should be done by somebody); moreover, they are spread across CA
> authorities. There is no automated tool to support this
> _intermediate_ list. The problem also: intermediate CAs usually have a
> much shorter validity period than roots, and should be supported all the
> time.
> Finally - if you want to use Squid with SSL Bump, you should
> understand PKI infrastructure and yes - you should support root CAs &
> intermediate CAs on the proxy by yourself all the time. There is no free or
> paid service which does it for you.
>
> 18.04.2017 19:35, Olly Lennox wrote:
>> So anyone who wants to use Squid over HTTPS in the way has to build
>> this repository themselves by manually downloading all the CA bundles?
>>  
>>
>>
>>
>> ------------------------------------------------------------------------
>> *From:* Yuri <yvoinov at gmail.com> <mailto:yvoinov at gmail.com>
>> *To:* Olly Lennox <oliver at lennox-it.uk> <mailto:oliver at lennox-it.uk>;
>> "squid-users at lists.squid-cache.org"
>> <mailto:squid-users at lists.squid-cache.org>
>> <squid-users at lists.squid-cache.org>
>> <mailto:squid-users at lists.squid-cache.org>
>> *Sent:* Tuesday, 18 April 2017, 14:03
>> *Subject:* Re: [squid-users] HTTPS woes
>>
>>
>>
>> 18.04.2017 18:56, Olly Lennox wrote:
>>> I'm using 
>>>
>>> sslproxy_foreign_intermediate_certs
>>>
>>> Is this the same thing?
>> No. You first need the CA roots to be available for squid. CA roots and
>> intermediates are different things.
>>>
>>> Also is there anywhere to get a bundle of all the major CA
>>> intermediate certs or do you have to download them all manually?
>> No. You should build it by yourself.
>>
>>>
>>> Cheers,
>>>  
>>> oliver at lennox-it.uk <mailto:oliver at lennox-it.uk>
>>> lennox-it.uk <http://lennox-it.uk/>
>>> tel: 07900 648 252
>>>
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Yuri <yvoinov at gmail.com> <mailto:yvoinov at gmail.com>
>>> *To:* squid-users at lists.squid-cache.org
>>> <mailto:squid-users at lists.squid-cache.org>
>>> *Sent:* Tuesday, 18 April 2017, 13:51
>>> *Subject:* Re: [squid-users] HTTPS woes
>>>
>>> Try to specify the root CA bundle/dir explicitly by specifying one of these
>>> params:
>>>
>>>
>>> #  TAG: sslproxy_cafile
>>> #    file containing CA certificates to use when verifying server
>>> #    certificates while proxying https:// URLs
>>> #Default:
>>> # none
>>>
>>> #  TAG: sslproxy_capath
>>> #    directory containing CA certificates to use when verifying
>>> #    server certificates while proxying https:// URLs
>>> #Default:
>>> # none
>>>
>>>
>>>
>>> 18.04.2017 18:46, Olly Lennox wrote:
>>> > Hi All,
>>> >
>>> > Still having problems here. This is my https config now:
>>> >
>>> >
>>> > ---------------------------------
>>> > https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squid.crt key=/etc/squid3/ssl_cert/squid.key options=NO_SSLv3 dhparams=/etc/squid3/ssl_cert/dhparam.pem
>>> >
>>> > acl step1 at_step SslBump1
>>> > ssl_bump peek step1
>>> > ssl_bump bump all
>>> > sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
>>> > sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>>> >
>>> > sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
>>> > sslcrtd_children 8 startup=1 idle=1
>>> >
>>> > ---------------------------------
>>> >
>>> >
>>> > I'm running version 3.5.23 with openssl 1.0. I've had to disable
>>> libecap because I couldn't build 3.5 with ecap enabled. I'm getting
>>> the following error when trying to connect with SSL:
>>> >
>>> > ---------------------------------
>>> >
>>> > The following error was encountered while trying to retrieve the
>>> URL: https://www.google.co.uk/*
>>> >
>>> > Failed to establish a secure connection to 216.58.198.67
>>> >
>>> > The system returned:
>>> >
>>> > (71) Protocol error (TLS code:
>>> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
>>> > SSL Certficate error: certificate issuer (CA) not known:
>>> /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>>> >
>>> > This proxy and the remote host failed to negotiate a mutually
>>> acceptable security settings for handling your request. It is
>>> possible that the remote host does not support secure connections,
>>> or the proxy is not satisfied with the host security credentials.
>>> >
>>> > Your cache administrator is webmaster.
>>> >
>>> > Generated Tue, 18 Apr 2017 12:23:40 GMT by raspberrypi (squid/3.5.23)
>>> > ---------------------------------
>>> >
>>> > The CA is always listed as not known; no matter what site I try I
>>> always get this error.
>>> >
>>> > Any ideas?
>>> >
>>> > Thanks,
>>> >
>>> > Olly
>>> >
>>> > ________________________________
>>> > From: Olly Lennox <oliver at lennox-it.uk <mailto:oliver at lennox-it.uk>>
>>> > To: Amos Jeffries <squid3 at treenet.co.nz
>>> <mailto:squid3 at treenet.co.nz>>; "squid-users at lists.squid-cache.org
>>> <mailto:squid-users at lists.squid-cache.org>"
>>> <squid-users at lists.squid-cache.org
>>> <mailto:squid-users at lists.squid-cache.org>>
>>> > Sent: Sunday, 16 April 2017, 9:31
>>> > Subject: Re: [squid-users] HTTPS woes
>>> >
>>> >
>>> >
>>> > Thanks Amos, it's finally built but I had to disable ecap, for
>>> whatever reason this kept failing (with version 1.0.1 installed). It
>>> failed on a reference to the Area function I think but I don't have
>>> the error message copied. I'm trying now to configure the ssl
>>> stare/peek and will let you know how it goes.
>>> >
>>> > Olly
>>> > 
>>> > oliver at lennox-it.uk <mailto:oliver at lennox-it.uk>
>>> > lennox-it.uk
>>> > tel: 07900 648 252
>>> >
>>> >
>>> >
>>> > ________________________________
>>> > From: Amos Jeffries <squid3 at treenet.co.nz
>>> <mailto:squid3 at treenet.co.nz>>
>>> > To: squid-users at lists.squid-cache.org
>>> <mailto:squid-users at lists.squid-cache.org>
>>> > Sent: Saturday, 15 April 2017, 23:07
>>> > Subject: Re: [squid-users] HTTPS woes
>>> >
>>> >
>>> >
>>> > On 15/04/2017 9:59 a.m., Olly Lennox wrote:
>>> >> Hi Guys.
>>> >> I'm still struggling with this. I'm trying to build a version of
>>> 3.5 but I just can't get it to work. I'm currently attempting to
>>> rebuild the stretch package with SSL enabled but build keeps failing
>>> with the following:
>>> >> ../../src/ssl/gadgets.h:83:45: error: ‘CRYPTO_LOCK_X509’ was not declared in this scope
>>> >>   typedef LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> X509_Pointer;
>>> >> ../../src/ssl/gadgets.h:83:61: error: template argument 3 is invalid
>>> >> ../../src/ssl/gadgets.h:89:53: error: ‘CRYPTO_LOCK_EVP_PKEY’ was not declared in this scope
>>> >>   typedef LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY> EVP_PKEY_Pointer;
>>> >> ../../src/ssl/gadgets.h:89:73: error: template argument 3 is invalid
>>> >> ../../src/ssl/gadgets.h:116:43: error: ‘CRYPTO_LOCK_SSL’ was not declared in this scope
>>> >>   typedef LockingPointer<SSL, SSL_free_cpp, CRYPTO_LOCK_SSL> SSL_Pointer;
>>> >> ../../src/ssl/gadgets.h:116:58: error: template argument 3 is invalid
>>> >> Any ideas?
>>> >
>>> >
>>> > On Jesse/stable:
>>> >
>>> > apt-get build-dep squid3
>>> > apt-get install libss-dev
>>> >
>>> >
>>> > On stretch/testing/unstable:
>>> >
>>> > apt-get build-dep squid
>>> > apt-get install libss1.0-dev
>>> >
>>> >
>>> > That should do it for you.
>>> >
>>> > Amos
>>> >
>>> >
>>> > _______________________________________________
>>> > squid-users mailing list
>>> > squid-users at lists.squid-cache.org
>>> <mailto:squid-users at lists.squid-cache.org>
>>> > http://lists.squid-cache.org/listinfo/squid-users
>>> >
>>> >
>>> >
>>>
>>>
>>>
>>>
>>
>>
>>
>
> -- 
> Bugs to the Future
>
>

-- 
Bugs to the Future
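The maintenance Yuri describes (intermediate CAs have much shorter validity periods than roots and have to be kept current by hand, with no governed repository to pull from) is easier to live with if something tells you which certificates in your bundle are about to lapse. The script below is an added example, not code from this thread or from the Squid project: it walks the DER of each certificate with a minimal parser (no third-party library) and lists the entries of a PEM bundle, such as the file named by sslproxy_cafile or sslproxy_foreign_intermediate_certs, that are expired or expire within a chosen window. The bundle it runs on is constructed inside the script from unsigned skeleton certificates; the CA names and dates are invented for the demonstration.

```python
"""Report certificates in a PEM CA bundle that are expired or about to expire.

Minimal DER walker, no third-party libraries: just enough X.509 to read the
issuer CN, subject CN and notAfter of each certificate. The sample bundle at
the bottom is CONSTRUCTED here from unsigned skeleton certificates (invented
names and dates); it is not a real CA bundle.
"""
import base64
import datetime as dt
import re

CN_OID = b"\x55\x04\x03"          # id-at-commonName (2.5.4.3)
UTC = dt.timezone.utc


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: n length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Yield (tag, value) for every element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val


def name_cn(name_der):
    """commonName of an X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, value }."""
    for _, rdn in children(name_der):
        for _, atv in children(rdn):
            (_, oid), (_, val) = list(children(atv))[:2]
            if oid == CN_OID:
                return val.decode("utf-8")
    return None


def parse_time(tag, value):
    """UTCTime (0x17, YYMMDDHHMMSSZ; RFC 5280 pivot year 50) or GeneralizedTime (0x18)."""
    text = value.decode("ascii")
    if tag == 0x17:
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def cert_info(der):
    """Return (subject CN, issuer CN, notAfter) for one DER-encoded certificate."""
    _, cert, _ = read_tlv(der, 0)                          # Certificate ::= SEQUENCE
    fields = list(children(list(children(cert))[0][1]))    # tbsCertificate fields
    if fields[0][0] == 0xA0:                               # optional explicit [0] version
        fields = fields[1:]
    # now: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]
    not_after = parse_time(*list(children(validity))[1])
    return name_cn(subject), name_cn(issuer), not_after


def pem_certs(bundle_text):
    """Split a PEM bundle into one DER blob per CERTIFICATE block."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        bundle_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def expiring(bundle_text, now, days=30):
    """(subject CN, notAfter) for every cert already expired or expiring within `days`."""
    limit = now + dt.timedelta(days=days)
    return [(subj, not_after) for subj, _, not_after in map(cert_info, pem_certs(bundle_text))
            if not_after <= limit]


# ---- constructed sample bundle: unsigned skeletons, demonstration input only ----
def _tlv(tag, body):
    n = len(body)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body

def _name(cn):
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, CN_OID) + _tlv(0x0C, cn.encode()))))

def _utc(when):
    return _tlv(0x17, when.strftime("%y%m%d%H%M%SZ").encode())

def skeleton_cert(subject_cn, issuer_cn, not_before, not_after):
    """PEM text of an unsigned certificate skeleton (empty SPKI, dummy signature)."""
    alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _tlv(0x05, b""))  # sha256WithRSA
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg + _name(issuer_cn)
               + _tlv(0x30, _utc(not_before) + _utc(not_after)) + _name(subject_cn) + _tlv(0x30, b""))
    b64 = base64.b64encode(_tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

NOW = dt.datetime(2017, 4, 18, tzinfo=UTC)   # constructed "today" for the demonstration
SAMPLE_BUNDLE = (
    skeleton_cert("Example Root CA", "Example Root CA", dt.datetime(2010, 1, 1, tzinfo=UTC), dt.datetime(2030, 1, 1, tzinfo=UTC))
    + skeleton_cert("Example Intermediate CA 1", "Example Root CA", dt.datetime(2015, 5, 1, tzinfo=UTC), dt.datetime(2017, 5, 1, tzinfo=UTC))
    + skeleton_cert("Example Intermediate CA 2", "Example Root CA", dt.datetime(2016, 5, 1, tzinfo=UTC), dt.datetime(2019, 5, 1, tzinfo=UTC))
)

if __name__ == "__main__":
    for cn, when in expiring(SAMPLE_BUNDLE, NOW, days=30):
        print(f"{cn}: expires {when:%Y-%m-%d}")
```

Point `pem_certs` at a real bundle (read the file, pass `dt.datetime.now(dt.timezone.utc)` as `now`) to get the same report for a production proxy; a non-empty result is the cue to fetch a replacement intermediate from the issuing CA and reconfigure squid, which is exactly the on-demand step the thread says no one automates for you.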