[squid-users] HTTPS woes

Amos Jeffries squid3 at treenet.co.nz
Wed Apr 19 04:21:53 UTC 2017


Olly, Debian provides a ca-certificates package containing the Mozilla 
CA list. It is updated whenever the CA set changes, though of course you 
should have apt connected to the relevant security repository 
(jessie-security?) for regular updates.


Amos

On 19/04/17 03:10, Olly Lennox wrote:
> Would you mind sharing the script you use?
> oliver at lennox-it.uk
> lennox-it.uk <http://lennox-it.uk/>
> tel: 07900 648 252
>
>
> ------------------------------------------------------------------------
> *From:* Yuri Voinov <yvoinov at gmail.com>
> *To:* Olly Lennox <oliver at lennox-it.uk>; 
> "squid-users at lists.squid-cache.org" <squid-users at lists.squid-cache.org>
> *Sent:* Tuesday, 18 April 2017, 16:00
> *Subject:* Re: [squid-users] HTTPS woes
>
> I have an automated cron job to refresh the Mozilla CA bundle on a monthly basis.
> Intermediate CAs, however, require non-scheduled maintenance. I 
> maintain them on demand.
>
> 18.04.2017 20:17, Olly Lennox wrote:
>> Thanks Yuri! The Mozilla Bundle has worked!! Most of the major sites 
>> seem to be working, which is all we need. How often do these 
>> certificates refresh? Would they need updating every month or so?
>> oliver at lennox-it.uk
>> lennox-it.uk <http://lennox-it.uk/>
>> tel: 07900 648 252
>>
>>
>> ------------------------------------------------------------------------
>> *From:* Yuri Voinov <yvoinov at gmail.com>
>> *To:* Olly Lennox <oliver at lennox-it.uk>; "squid-users at lists.squid-cache.org" <squid-users at lists.squid-cache.org>
>> *Sent:* Tuesday, 18 April 2017, 14:43
>> *Subject:* Re: [squid-users] HTTPS woes
>>
>> You are talking about two different things.
>> 1. Root CAs are usually built into clients. For standalone use, the root 
>> CAs (from Mozilla) are usually distributed with OpenSSL distributions. If 
>> you need them (or your OpenSSL distribution does not contain the root CAs), 
>> you can find the separately distributed Mozilla CA bundle with a short search:
>> https://www.google.com/search?q=Mozilla+CA+bundle
>> 2. Intermediate CAs are subordinate to the root CAs. They do not exist 
>> in any governed repository (because supporting one is work, manual 
>> work, and would have to be done by somebody); moreover, they are spread 
>> across the CA authorities. There is no automated tool to maintain this 
>> _intermediate_ list. The other problem: intermediate CAs usually have a 
>> much shorter validity period than roots, and have to be maintained all 
>> the time.
>> Finally, if you want to use Squid with SSL Bump, you should 
>> understand PKI infrastructure, and yes, you should maintain the root CAs 
>> and intermediate CAs on the proxy yourself, all the time. There is no free 
>> or paid service which does it for you.
>>
>> 18.04.2017 19:35, Olly Lennox wrote:
>>> So anyone who wants to use Squid over HTTPS in this way has to build 
>>> this repository themselves by manually downloading all the CA bundles?
>>>
>>>
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Yuri <yvoinov at gmail.com>
>>> *To:* Olly Lennox <oliver at lennox-it.uk>; "squid-users at lists.squid-cache.org" <squid-users at lists.squid-cache.org>
>>> *Sent:* Tuesday, 18 April 2017, 14:03
>>> *Subject:* Re: [squid-users] HTTPS woes
>>>
>>>
>>>
>>> 18.04.2017 18:56, Olly Lennox wrote:
>>>> I'm using
>>>>
>>>> sslproxy_foreign_intermediate_certs
>>>>
>>>> Is this the same thing?
>>> No. You first need the CA roots available to Squid. CA roots and 
>>> intermediates are different things.
>>>>
>>>> Also is there anywhere to get a bundle of all the major CA 
>>>> intermediate certs or do you have to download them all manually?
>>> No. You have to build it yourself.
>>>
>>>>
>>>> Cheers,
>>>> oliver at lennox-it.uk
>>>> lennox-it.uk <http://lennox-it.uk/>
>>>> tel: 07900 648 252
>>>>
>>>>
>>>> ------------------------------------------------------------------------
>>>> *From:* Yuri <yvoinov at gmail.com>
>>>> *To:* squid-users at lists.squid-cache.org
>>>> *Sent:* Tuesday, 18 April 2017, 13:51
>>>> *Subject:* Re: [squid-users] HTTPS woes
>>>>
>>>> Try specifying the root CA bundle/dir explicitly with one of these
>>>> parameters:
>>>>
>>>>
>>>> #  TAG: sslproxy_cafile
>>>> #    file containing CA certificates to use when verifying server
>>>> # certificates while proxying https:// URLs
>>>> #Default:
>>>> # none
>>>>
>>>> #  TAG: sslproxy_capath
>>>> #    directory containing CA certificates to use when verifying
>>>> #    server certificates while proxying https:// URLs
>>>> #Default:
>>>> # none
>>>>
>>>>
>>>>
>>>> 18.04.2017 18:46, Olly Lennox wrote:
>>>> > Hi All,
>>>> >
>>>> > Still having problems here. This is my https config now:
>>>> >
>>>> >
>>>> > ---------------------------------
>>>> > https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squid.crt key=/etc/squid3/ssl_cert/squid.key options=NO_SSLv3 dhparams=/etc/squid3/ssl_cert/dhparam.pem
>>>> >
>>>> > acl step1 at_step SslBump1
>>>> > ssl_bump peek step1
>>>> > ssl_bump bump all
>>>> > sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
>>>> > sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>>>> >
>>>> > sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
>>>> > sslcrtd_children 8 startup=1 idle=1
>>>> >
>>>> > ---------------------------------
>>>> >
>>>> >
>>>> > I'm running version 3.5.23 with openssl 1.0. I've had to disable 
>>>> libecap because I couldn't build 3.5 with ecap enabled. I'm getting 
>>>> the following error when trying to connect with SSL:
>>>> >
>>>> > ---------------------------------
>>>> >
>>>> > The following error was encountered while trying to retrieve the URL: https://www.google.co.uk/*
>>>> >
>>>> > Failed to establish a secure connection to 216.58.198.67
>>>> >
>>>> > The system returned:
>>>> >
>>>> > (71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
>>>> > SSL Certficate error: certificate issuer (CA) not known: /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>>>> >
>>>> > This proxy and the remote host failed to negotiate a mutually 
>>>> acceptable security settings for handling your request. It is 
>>>> possible that the remote host does not support secure connections, 
>>>> or the proxy is not satisfied with the host security credentials.
>>>> >
>>>> > Your cache administrator is webmaster.
>>>> >
>>>> > Generated Tue, 18 Apr 2017 12:23:40 GMT by raspberrypi (squid/3.5.23)
>>>> > ---------------------------------
>>>> >
>>>> > The CA is always listed as not known; no matter what site I try, I 
>>>> always get this error.
>>>> >
>>>> > Any ideas?
>>>> >
>>>> > Thanks,
>>>> >
>>>> > Olly
>>>> >
>>>> > ________________________________
>>>> > From: Olly Lennox <oliver at lennox-it.uk>
>>>> > To: Amos Jeffries <squid3 at treenet.co.nz>; "squid-users at lists.squid-cache.org" <squid-users at lists.squid-cache.org>
>>>> > Sent: Sunday, 16 April 2017, 9:31
>>>> > Subject: Re: [squid-users] HTTPS woes
>>>> >
>>>> >
>>>> >
>>>> > Thanks Amos, it's finally built, but I had to disable ecap; for 
>>>> whatever reason this kept failing (with version 1.0.1 installed). 
>>>> It failed on a reference to the Area function I think, but I don't 
>>>> have the error message copied. I'm trying now to configure the ssl 
>>>> stare/peek and will let you know how it goes.
>>>> >
>>>> > Olly
>>>> >
>>>> > oliver at lennox-it.uk
>>>> > lennox-it.uk
>>>> > tel: 07900 648 252
>>>> >
>>>> >
>>>> >
>>>> > ________________________________
>>>> > From: Amos Jeffries <squid3 at treenet.co.nz>
>>>> > To: squid-users at lists.squid-cache.org
>>>> > Sent: Saturday, 15 April 2017, 23:07
>>>> > Subject: Re: [squid-users] HTTPS woes
>>>> >
>>>> >
>>>> >
>>>> > On 15/04/2017 9:59 a.m., Olly Lennox wrote:
>>>> >> Hi Guys.
>>>> >> I'm still struggling with this. I'm trying to build a version of 
>>>> 3.5 but I just can't get it to work. I'm currently attempting to 
>>>> rebuild the stretch package with SSL enabled, but the build keeps 
>>>> failing with the following:
>>>> >> ../../src/ssl/gadgets.h:83:45: error: ‘CRYPTO_LOCK_X509’ was not declared in this scope
>>>> >>  typedef LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> X509_Pointer;
>>>> >>                                              ^~~~~~~~~~~~~~~~
>>>> >> ../../src/ssl/gadgets.h:83:61: error: template argument 3 is invalid
>>>> >>  typedef LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> X509_Pointer;
>>>> >>                                                              ^
>>>> >> ../../src/ssl/gadgets.h:89:53: error: ‘CRYPTO_LOCK_EVP_PKEY’ was not declared in this scope
>>>> >>  typedef LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY> EVP_PKEY_Pointer;
>>>> >>                                                      ^~~~~~~~~~~~~~~~~~~~
>>>> >> ../../src/ssl/gadgets.h:89:73: error: template argument 3 is invalid
>>>> >>  typedef LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY> EVP_PKEY_Pointer;
>>>> >>                                                                          ^
>>>> >> ../../src/ssl/gadgets.h:116:43: error: ‘CRYPTO_LOCK_SSL’ was not declared in this scope
>>>> >>  typedef LockingPointer<SSL, SSL_free_cpp, CRYPTO_LOCK_SSL> SSL_Pointer;
>>>> >>                                            ^~~~~~~~~~~~~~~
>>>> >> ../../src/ssl/gadgets.h:116:58: error: template argument 3 is invalid
>>>> >>  typedef LockingPointer<SSL, SSL_free_cpp, CRYPTO_LOCK_SSL> SSL_Pointer;
>>>> >>                                                           ^
>>>> >> Any ideas?
>>>> >
>>>> >
>>>> > On Jessie/stable:
>>>> >
>>>> > apt-get build-dep squid3
>>>> > apt-get install libssl-dev
>>>> >
>>>> >
>>>> > On stretch/testing/unstable:
>>>> >
>>>> > apt-get build-dep squid
>>>> > apt-get install libssl1.0-dev
>>>> >
>>>> >
>>>> > That should do it for you.
>>>> >
>>>> > Amos
>>>> >
>>>> >
>>>> > _______________________________________________
>>>> > squid-users mailing list
>>>> > squid-users at lists.squid-cache.org 
>>>> <mailto:squid-users at lists.squid-cache.org>
>>>> > http://lists.squid-cache.org/listinfo/squid-users
>>>> >
>>>> >
>>>> >
>>>>
>>>>
>>>>
>>
>> -- 
>> Bugs to the Future
>
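Added example, not code from this thread or from the Squid project: the script below builds a throwaway root -> intermediate -> leaf chain with the openssl CLI and reproduces the X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY failure Olly reported, then shows it clearing once the trusted roots (the role of sslproxy_cafile, or a hashed directory for sslproxy_capath) are paired with a separate bundle of untrusted intermediates (the role of sslproxy_foreign_intermediate_certs). It also includes the expiry check a cron job should run over that intermediate bundle, since, as Yuri says, intermediates lapse long before roots do. Every name, path and lifetime in it (Demo root/inter/leaf, www.example.test, foreign-intermediates.pem, 90/365/3650 days) is an assumption made up for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid project). Requires only the
# openssl CLI. Names, paths and lifetimes are made up for the demo.
set -eu

# Issue the demo chain root -> inter -> leaf into directory $1.
make_demo_pki() {
    dir=$1
    mkdir -p "$dir/capath"
    # Tiny req config so nothing here depends on the system openssl.cnf.
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$dir/req.cnf"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > "$dir/leaf.ext"
    for name in root inter leaf; do
        openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -config "$dir/req.cnf" -subj "/CN=Demo $name" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    done
    # Self-signed root: the only thing that belongs in the trusted store.
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 3650 \
        -set_serial 1 -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
    # Intermediate, deliberately short-lived like the real ones.
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -days 365 -set_serial 2 -extfile "$dir/ca.ext" -out "$dir/inter.pem" 2>/dev/null
    # Server (leaf) certificate issued by the intermediate, as a web server would present it.
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
        -days 90 -set_serial 3 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
    # A capath directory is looked up by subject hash: <hash>.0, <hash>.1, ...
    cp "$dir/root.pem" "$dir/capath/$(openssl x509 -noout -subject_hash -in "$dir/root.pem").0"
    # Intermediates go in their own bundle, never into the trusted root store.
    cat "$dir/inter.pem" > "$dir/foreign-intermediates.pem"
}

# What Squid sees with only a root bundle configured: the leaf's issuer (the
# intermediate) is nowhere to be found, so verification stops at depth 0.
verify_roots_only() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1 || true
}

# Roots as trust anchors plus the intermediates as *untrusted* chain material:
# the sslproxy_cafile / sslproxy_foreign_intermediate_certs split.
verify_with_intermediates() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/foreign-intermediates.pem" "$1/leaf.pem" 2>&1 || true
}

# Same check using the hashed directory form (sslproxy_capath).
verify_with_capath() {
    openssl verify -CApath "$1/capath" -untrusted "$1/foreign-intermediates.pem" "$1/leaf.pem" 2>&1 || true
}

# Yes/no helpers over the verify output for callers and tests.
chain_ok() { printf '%s\n' "$1" | grep -q ': OK$'; }
missing_issuer() { printf '%s\n' "$1" | grep -q 'unable to get local issuer certificate'; }

# Exit 0 if the (first) certificate in PEM file $1 expires within $2 seconds.
# This is the check to run from cron over each intermediate you keep.
expires_within() {
    ! openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}

demo=$(mktemp -d)
make_demo_pki "$demo"
echo "== roots only (what a bare root bundle gives Squid) =="
verify_roots_only "$demo"
echo "== roots + foreign intermediates =="
verify_with_intermediates "$demo"
echo "== hashed capath + foreign intermediates =="
verify_with_capath "$demo"
if expires_within "$demo/leaf.pem" $((100 * 86400)); then
    echo "leaf certificate expires within 100 days"
fi
rm -rf "$demo"
```

On Debian the bundle shipped by the ca-certificates package Amos mentions is /etc/ssl/certs/ca-certificates.crt, which is the usual target for sslproxy_cafile; `openssl verify -CAfile <that bundle> -untrusted <your intermediates file> <leaf>` is a quick way to check a site's chain against exactly the material Squid has been given before blaming the proxy. Note that `openssl x509 -checkend` reads only the first certificate in a file, so split a bundle and check each intermediate individually.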
