[squid-users] Squid 4.5 and intermediate CA

eliezer at ngtech.co.il eliezer at ngtech.co.il
Tue Jan 15 16:48:24 UTC 2019


There should be a new ACL named "certificate-fetching",
so I assume you can use something like:
 
acl certfetch transaction_initiator certificate-fetching
http_access allow certfetch
 
Eliezer
 
----
Eliezer Croitoru <http://ngtech.co.il/main-en/>
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il

 
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of FredB
Sent: Tuesday, January 15, 2019 17:59
To: squid-users at lists.squid-cache.org
Subject: [squid-users] Squid 4.5 and intermediate CA
 
Hi all,
I'm testing Squid 4.5 and facing two issues with the intermediate CA download.
At first there is no source IP, and I don't know how to allow this kind of request with an identification ACL:
172.23.0.9 - user2 [15/Jan/2019:16:34:51 +0100] "CONNECT bugs.squid-cache.org:443 HTTP/1.1" 407 4442 447 TCP_DENIED:HIER_NONE "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0" -
- - - [15/Jan/2019:16:34:51 +0100] "GET http://cert.int-x3.letsencrypt.org/ HTTP/1.1" 407 3536 0 TCP_DENIED:HIER_NONE "-" -
172.23.0.9 - user2 [15/Jan/2019:16:34:51 +0100] "CONNECT bugs.squid-cache.org:443 HTTP/1.1" 200 0 447 NONE:HIER_DIRECT "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0" bump 
As you can see, the request to letsencrypt is denied because basic authentication is needed. How can I make a global ACL that allows requests from Squid itself? I tested 127.0.0.1 and local addresses, but without any success.
So for testing purposes I removed my identification rules.
Now Squid can get the certificate:
- - - [15/Jan/2019:16:33:43 +0100] "GET http://cert.int-x3.letsencrypt.org/ HTTP/1.1" 200 9737 0 NONE:HIER_NONE "-" -
172.23.0.9 - - [15/Jan/2019:16:33:43 +0100] "CONNECT bugs.squid-cache.org:443 HTTP/1.1" 200 0 447 NONE:HIER_DIRECT "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0" bump
172.23.0.9 - - [15/Jan/2019:16:33:43 +0100] "GET https://bugs.squid-cache.org/ HTTP/1.1" 503 353 349 NONE:HIER_NONE "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0" -
cache.log:
ssl3_get_server_certificate:certificate verify failed (1/-1/0)
Am I missing something?
Thanks
FredB
 
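A squid.conf fragment, added here as an example (not from either message), showing where Eliezer's transaction_initiator rule has to sit relative to the authentication rules that produced the 407 in the quoted log. It assumes a basic_ncsa_auth helper and the ACL names "authenticated" and "certfetch"; adapt them to your own configuration.

```conf
# Added example, not from the thread. Assumes Squid 4.x with SSL-Bump and a
# basic-auth helper; the helper path and password file are placeholders.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
acl authenticated proxy_auth REQUIRED

# Squid's own fetches of a missing intermediate certificate carry no client
# address (the "- - -" lines in access.log), so they can never pass a
# proxy_auth check. Match them by who started the transaction instead.
acl certfetch transaction_initiator certificate-fetching

# http_access rules are evaluated top to bottom and the first match wins.
# This allow must come BEFORE the authentication deny below; placed after it,
# the fetch is challenged with 407 and the server cert chain cannot be
# completed, which surfaces as "certificate verify failed" in cache.log.
http_access allow certfetch

# Everything else still has to authenticate as before.
http_access deny !authenticated
http_access allow authenticated
http_access deny all
```

After reloading, a successful fetch shows the "- - -" GET of the intermediate certificate with status 200 instead of 407 in access.log.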