[squid-users] Squid not coming up with dynamic host certificate on ssl bum
bandeep2000
bandeep2000 at gmail.com
Wed Jan 30 07:11:08 UTC 2019
I have Squid in transparent mode and want to ssl-bump all the connections which are
not whitelisted, but when generate-host-certificates=on is given, Squid
keeps crashing when trying to bring it up after a service restart.
/var/log/messages:
Jan 30 07:05:52 ban-squid-proxy22 squid[23323]: Squid Parent: (squid-1)
process 23441 started
Jan 30 07:05:52 ban-squid-proxy22 (squid-1): The ssl_crtd helpers are
crashing too rapidly, need help!
Jan 30 07:05:52 ban-squid-proxy22 squid[23323]: Squid Parent: (squid-1)
process 23441 exited with status 1
Jan 30 07:05:52 ban-squid-proxy22 squid[23397]: Squid Parent: (squid-1)
process 23449 started
Jan 30 07:05:52 ban-squid-proxy22 (squid-1): The ssl_crtd helpers are
crashing too rapidly, need help!
Jan 30 07:05:52 ban-squid-proxy22 squid[23397]: Squid Parent: (squid-1)
process 23449 exited with status 1
squid.conf details:
visible_hostname squid
cache deny all
#Handling HTTP requests
http_port 3128 intercept
acl allowed_http_sites dstdomain .amazonaws.com .bbc.com
acl blacklist url_regex -i /.(.*?)
#acl allowed_http_sites dstdomain [you can add other domains to permit]
http_access allow allowed_http_sites
http_access deny blacklist
#Handling HTTPS requests
#https_port 3130 cert=/etc/pki/tls/certs/squidCA.pem ssl-bump intercept
#/root/openssl/squid.crt squid.csr /root/openssl/squid.key
https_port 3130 cert=/root/openssl/squid.crt key=/root/openssl/squid.key ssl-bump intercept generate-host-certificates=on version=1 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
acl SSL_port port 443
http_access allow SSL_port
acl allowed_https_sites ssl::server_name .amazonaws.com .cnn.com .yahoo.com .bbc.com
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
#ssl_bump peek all
ssl_bump splice step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites
ssl_bump bump step2 all
http_access deny all
coredump_dir /var/cache/squid
Command to generate SSL certificate:
sudo openssl genrsa -out squid.key 2048
sudo openssl req -new -key squid.key -out squid.csr -subj "/C=XX/ST=XX/L=squid/O=squid/CN=squid"
sudo openssl x509 -req -days 3650 -in squid.csr -signkey squid.key -out squid.crt
Squid and OS version:
squid -v
Squid Cache: Version 3.5.28
Service Name: squid
This binary uses OpenSSL 1.0.1e-fips 11 Feb 2013. For legal restrictions on
distribution see https://www.openssl.org/source/license.html
configure options: '--prefix=/usr' '--includedir=/usr/include' '--datadir=/usr/share' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--localstatedir=/var' '--sysconfdir=/etc/squid' '--with-logdir=/var/log/squid' '--with-openssl' '--enable-ssl-crtd' --enable-ltdl-convenience
[c5278791 at ban-squid-proxy22 ~]$ cat /etc/redhat-release
CentOS release 6.10 (Final)
Please let me know.
Thanks!
-Bandeep
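An added preflight script (not from this post or the Squid project) that checks the usual preconditions for the ssl_crtd helper using the paths from the squid.conf above: that the certificate database has been initialised, that the user the helpers run as owns it, that the signing certificate is a CA, and that the helper starts by hand with the same arguments as sslcrtd_program. Assumptions: an initialised db has an index.txt and a certs/ directory, the helper user is "squid", and a CA:TRUE constraint is needed for clients to accept generated certs; adjust via the environment variables.

```shell
#!/bin/sh
# Preflight checks for Squid 3.5 ssl_crtd, using the paths from the squid.conf above.
# Override via environment variables if your layout differs.
SSL_CRTD=${SSL_CRTD:-/usr/lib/squid/ssl_crtd}
SSL_DB=${SSL_DB:-/var/lib/squid/ssl_db}
CA_CERT=${CA_CERT:-/root/openssl/squid.crt}
SQUID_USER=${SQUID_USER:-squid}   # assumption: the user Squid's helpers run as

# An initialised db (created with: ssl_crtd -c -s "$SSL_DB") has an index.txt
# and a certs/ directory (assumed layout); a missing or empty dir makes the helper exit.
check_ssl_db() {
    [ -d "$1/certs" ] && [ -f "$1/index.txt" ]
}

# The helper runs as the unprivileged Squid user, so that user must own the db.
check_db_owner() {
    [ "$(ls -ld "$1" 2>/dev/null | awk '{print $3}')" = "$2" ]
}

# Clients only accept generated host certs if the signer is a CA (basicConstraints CA:TRUE).
check_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Run the helper by hand with the same arguments as sslcrtd_program: its own
# error message is far more specific than "crashing too rapidly".
run_helper_once() {
    [ -x "$SSL_CRTD" ] || { echo "helper not found: $SSL_CRTD"; return 1; }
    printf '' | "$SSL_CRTD" -s "$1" -M 4MB
}

main() {
    rc=0
    check_ssl_db "$SSL_DB" && echo "ok: ssl_db initialised at $SSL_DB" \
        || { echo "FAIL: ssl_db missing or empty; run: $SSL_CRTD -c -s $SSL_DB"; rc=1; }
    check_db_owner "$SSL_DB" "$SQUID_USER" && echo "ok: ssl_db owned by $SQUID_USER" \
        || { echo "FAIL: ssl_db not owned by $SQUID_USER (chown -R $SQUID_USER $SSL_DB)"; rc=1; }
    check_ca_cert "$CA_CERT" && echo "ok: $CA_CERT is a CA certificate" \
        || echo "WARN: $CA_CERT lacks basicConstraints CA:TRUE; clients will reject generated certs"
    run_helper_once "$SSL_DB" && echo "ok: helper starts" \
        || { echo "FAIL: helper exited with an error (see message above)"; rc=1; }
    return $rc
}

main || echo "one or more checks failed"
```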