[squid-users] Squid 4 ssl_bump issue

Davide Belloni davide.belloni at gmail.com
Fri Apr 5 06:54:08 UTC 2019


Hi,
The setup is exactly what you suggested, but the ERROR still shows up.
Here is the startup sequence for context creation:

2019/04/05 06:29:48.050| Initializing https:// proxy context
2019/04/05 06:29:48.050| 24,8| SBuf.cc(38) SBuf: SBuf950 created from id SBuf110
2019/04/05 06:29:48.050| 24,8| Tokenizer.cc(174) skip: skipping char '1'
2019/04/05 06:29:48.050| 24,5| Tokenizer.cc(25) consume: consuming 1 bytes
2019/04/05 06:29:48.050| 24,8| SBuf.cc(497) consume: SBuf950 consume 1
2019/04/05 06:29:48.050| 24,8| SBuf.cc(38) SBuf: SBuf951 created from id SBuf950
2019/04/05 06:29:48.050| 24,8| SBuf.cc(70) ~SBuf: SBuf951 destructed
2019/04/05 06:29:48.050| 24,8| Tokenizer.cc(174) skip: skipping char '.'
2019/04/05 06:29:48.050| 24,5| Tokenizer.cc(25) consume: consuming 1 bytes
2019/04/05 06:29:48.050| 24,8| SBuf.cc(497) consume: SBuf950 consume 1
2019/04/05 06:29:48.050| 24,8| SBuf.cc(38) SBuf: SBuf952 created from id SBuf950
2019/04/05 06:29:48.050| 24,8| SBuf.cc(70) ~SBuf: SBuf952 destructed
2019/04/05 06:29:48.050| 24,8| SBuf.cc(38) SBuf: SBuf953 created from id SBuf950
2019/04/05 06:29:48.050| 24,5| Tokenizer.cc(25) consume: consuming 1 bytes
2019/04/05 06:29:48.050| 24,8| SBuf.cc(497) consume: SBuf950 consume 1
2019/04/05 06:29:48.050| 24,8| SBuf.cc(38) SBuf: SBuf954 created from id SBuf950
2019/04/05 06:29:48.050| 24,8| SBuf.cc(70) ~SBuf: SBuf954 destructed
2019/04/05 06:29:48.050| 24,8| SBuf.cc(70) ~SBuf: SBuf953 destructed
2019/04/05 06:29:48.050| 24,8| SBuf.cc(70) ~SBuf: SBuf950 destructed
2019/04/05 06:29:48.051| 83,9| support.cc(586) InitClientContext: Setting certificate verification callback.
2019/04/05 06:29:48.051| 83,8| PeerOptions.cc(647) updateContextCa: Setting CA certificate locations.
2019/04/05 06:29:48.051| 83,8| PeerOptions.cc(630) loadSystemTrustedCa: Setting default system Trusted CA. ctx=0x55dcadedcd20
2019/04/05 06:29:48.052| 24,8| SBuf.cc(30) SBuf: SBuf955 created
2019/04/05 06:29:48.052| 24,7| SBuf.cc(85) assign: assigning SBuf955 from SBuf118
2019/04/05 06:29:48.052| 24,8| SBuf.cc(38) SBuf: SBuf956 created from id SBuf955
2019/04/05 06:29:48.053| 24,8| SBuf.cc(70) ~SBuf: SBuf956 destructed
2019/04/05 06:29:48.053| 24,8| SBuf.cc(70) ~SBuf: SBuf955 destructed
2019/04/05 06:29:48.053| Initializing http_port 0.0.0.0:3128 TLS contexts
2019/04/05 06:29:48.053| Using certificate in /etc/squid/squidCA.pem
2019/04/05 06:29:48.053| 24,7| SBuf.cc(160) rawSpace: reserving 1 for SBuf217
2019/04/05 06:29:48.053| 24,7| SBuf.cc(167) rawSpace: SBuf217 not growing
2019/04/05 06:29:48.053| 24,7| SBuf.cc(160) rawSpace: reserving 1 for SBuf217
2019/04/05 06:29:48.053| 24,8| SBuf.cc(886) cow: SBuf217 new size:23
2019/04/05 06:29:48.053| 24,8| SBuf.cc(857) reAlloc: SBuf217 new size: 23
2019/04/05 06:29:48.054| 24,9| MemBlob.cc(56) MemBlob: constructed, this=0x55dcadedd7c0 id=blob1225 reserveSize=23
2019/04/05 06:29:48.054| 24,8| MemBlob.cc(101) memAlloc: blob1225 memAlloc: requested=23, received=40
2019/04/05 06:29:48.054| 24,7| SBuf.cc(865) reAlloc: SBuf217 new store capacity: 40
2019/04/05 06:29:48.054| 83,3| KeyData.cc(105) loadX509ChainFromFile: Using certificate chain in /etc/squid/squidCA.pem
2019/04/05 06:29:48.054| 83,3| KeyData.cc(123) loadX509ChainFromFile: Adding issuer CA: /CN=nobody
2019/04/05 06:29:48.054| Using key in /etc/squid/squidCA.pem
2019/04/05 06:29:48.054| 24,7| SBuf.cc(160) rawSpace: reserving 1 for SBuf218
2019/04/05 06:29:48.054| 24,8| SBuf.cc(886) cow: SBuf218 new size:23
2019/04/05 06:29:48.054| 24,8| SBuf.cc(857) reAlloc: SBuf218 new size: 23
2019/04/05 06:29:48.054| 24,9| MemBlob.cc(56) MemBlob: constructed, this=0x55dcadef07f0 id=blob1226 reserveSize=23
2019/04/05 06:29:48.054| 24,8| MemBlob.cc(101) memAlloc: blob1226 memAlloc: requested=23, received=40
2019/04/05 06:29:48.054| 24,9| MemBlob.cc(82) ~MemBlob: destructed, this=0x55dcaddf6c30 id=blob554 capacity=40 size=23
2019/04/05 06:29:48.054| 24,7| SBuf.cc(865) reAlloc: SBuf218 new store capacity: 40
2019/04/05 06:29:48.054| 83,8| PeerOptions.cc(647) updateContextCa: Setting CA certificate locations.
2019/04/05 06:29:48.054| 83,9| ServerOptions.cc(444) updateContextClientCa: Not requiring any client certificates
2019/04/05 06:29:48.054| 24,8| SBuf.cc(30) SBuf: SBuf957 created
2019/04/05 06:29:48.054| 24,7| SBuf.cc(85) assign: assigning SBuf957 from SBuf118
2019/04/05 06:29:48.054| 24,8| SBuf.cc(38) SBuf: SBuf958 created from id SBuf957
2019/04/05 06:29:48.054| 24,8| SBuf.cc(70) ~SBuf: SBuf958 destructed
2019/04/05 06:29:48.054| 24,8| SBuf.cc(70) ~SBuf: SBuf957 destructed

If you want, I can attach the whole cache log with the startup and one
request with the error.
Thanks


On Fri, 5 Apr 2019 at 06:23, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 5/04/19 12:37 am, Davide Belloni wrote:
> > Hi,
> > this is the certificate that I'm using at the moment:
> >
>
> AFAICS the pieces Squid-4 needs for your config and checks for are all
> there.
>
> Are the pieces correctly ordered in the .pem file? key first, then CA cert.
>
>
> >
> > On Thu, 4 Apr 2019 at 12:57, Davide Belloni wrote:
> >
> >     Hi, thanks very much for all the advice!
> >     About the action to generate the certificate, I've followed the Squid
> >     wiki, which doesn't modify (if I remember correctly) the openssl conf
> >     to create it.
> >
> >     Do you have some link to a good howto about that?
> >
>
>
> Ah, we have several how-to's in the wiki. The SSL-Bump documentation has
> an example. The ConfigExamples section has one for self-signed root CA
> like yours, one for intermediate CA signing cert, and one for a wildcard
> domain cert.
>
> The one most relevant to what you have is:
> <https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit#Features.2FDynamicSslCert.Create_Self-Signed_Root_CA_Certificate>
>
> If this already matches what you are doing, and the PEM file content is
> correct, and that context creation ERROR still shows up, then your next
> step would be to start Squid with the -X command line option and see if
> anything more specific about it shows up.
>  (This will produce a huge amount of debug info, but you only need the
> startup sequence where the ERROR shows up. It should not be necessary to
> send traffic until the context is working.)
>
> Amos
>


-- 

Davide Belloni
http://about.me/davidebelloni
http://www.linkedin.com/in/davidebelloni
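
Added example (not part of the original thread, and not Squid's own code): a small Python check for the layout Amos asks about above, private key first and then the CA certificate, in a combined PEM file such as /etc/squid/squidCA.pem. The function names and the sample blocks are constructed for illustration; it checks block order and encoding only, not whether the key matches the certificate.

```python
import base64
import re

# One PEM block: a BEGIN line, a body, and an END line with the same label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END \1-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

def pem_labels(text):
    """Return (block labels in file order, problems found while parsing)."""
    text = text.replace("\r\n", "\n")
    labels, problems = [], []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.groups()
        if "Proc-Type:" in body:  # legacy encrypted keys carry header lines
            body = body.split("\n\n", 1)[-1]
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"{label}: body is not valid base64")
        labels.append(label)
    if text.count("-----BEGIN ") != len(labels):
        problems.append("a block is unterminated or its END label does not match")
    return labels, problems

def check_key_then_cert(text):
    """Findings for a combined PEM file; an empty list means key first, then cert."""
    labels, findings = pem_labels(text)
    keys = [i for i, label in enumerate(labels) if label in KEY_LABELS]
    certs = [i for i, label in enumerate(labels) if label == "CERTIFICATE"]
    if not keys:
        findings.append("no private key block")
    elif len(keys) > 1:
        findings.append("more than one private key block")
    if not certs:
        findings.append("no CERTIFICATE block")
    if keys and certs and certs[0] < keys[0]:
        findings.append("certificate appears before the private key")
    return findings

def _block(label, payload):
    """Build a constructed PEM block; the payload is placeholder bytes, not real DER."""
    body = base64.encodebytes(payload).decode().strip()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

KEY = _block("PRIVATE KEY", b"constructed key bytes, not a real key")
CA_CERT = _block("CERTIFICATE", b"constructed certificate bytes, not real DER")

if __name__ == "__main__":
    for name, text in [("key+cert", KEY + CA_CERT), ("cert+key", CA_CERT + KEY)]:
        print(name, check_key_then_cert(text) or "layout OK")
```

To check a real file, pass its contents to check_key_then_cert(); only the BEGIN/END labels and the base64 framing are inspected, so the key material is never decoded into anything beyond raw bytes.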