[squid-users] squid 4.1 transparent https issue "curl: (60) SSL certificate problem: self signed certificate in certificate chain"

Berger J Nicklas nicklas.berger at scania.com
Thu Nov 21 08:21:57 UTC 2019


A colleague provided this squid.conf and now https is working fine with curl as well!

visible_hostname localhost

# Handling HTTP requests
http_port 3128
http_port 3129 intercept

acl allowed_http_sites dstdomain .microsoft.com
acl allowed_http_sites dstdomain .google.com
acl allowed_http_sites dstdomain .redhat.com


http_access allow allowed_http_sites

# Handling HTTPS requests
acl SSL_port port 443
http_access allow SSL_port

acl allowed_https_sites ssl::server_name .microsoft.com
acl allowed_https_sites ssl::server_name .google.com
acl allowed_https_sites ssl::server_name .redhat.com

https_port 3130 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

ssl_bump peek step1 all
ssl_bump peek step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites
ssl_bump terminate

http_access deny all
________________________________
From: squid-users <squid-users-bounces at lists.squid-cache.org> on behalf of Alex Rousskov <rousskov at measurement-factory.com>
Sent: Wednesday, November 20, 2019 17:43
To: squid-users at lists.squid-cache.org <squid-users at lists.squid-cache.org>
Subject: Re: [squid-users] squid 4.1 transparent https issue "curl: (60) SSL certificate problem: self signed certificate in certificate chain"

On 11/20/19 3:31 AM, Berger J Nicklas wrote:

> squid 4.1

Start by upgrading to the latest Squid v4 available.


> curl: (60) SSL certificate problem: self signed certificate in
> certificate chain

What was Squid trying to tell curl? Was Squid sending an error response?
Tell curl to run --insecure to find out what happened.


> security_file_certgen helper database '/var/spool/squid/ssl_db' failed:
> Failed to open file /var/spool/squid/ssl_db/index.txt

You should fix this. Perhaps you did not initialize the database (see
"man security_file_certgen")? Or perhaps the permissions are wrong
(check them using something like "ls -Rla /var/spool/squid/ssl_db")?

> acl allowed_http_sites dstdomain .microsoft.com
> acl allowed_http_sites dstdomain .google.com
> acl allowed_http_sites dstdomain .redhat.com

> http_access allow allowed_http_sites Safe_ports

This allows CONNECT to port 80, which is probably not what you want. See
squid.conf.default for the recommended layout of https_access rules.


> #SSL Settings
> acl allowed_https_sites dstdomain .microsoft.com

Do not add one site twice.


> http_access allow CONNECT allowed_https_sites

This allows CONNECT to any port of the allowed_https_sites. See
squid.conf.default for the recommended layout of https_access rules.


> options=SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=/etc/squid/dhparam.pem

A copy-paste typo? There is no "options=..." directive.


> http_access deny all
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports

The last two lines are unreachable. You probably want to review how
http_access (and most other) ACL-driven directives work, including the
"first match ends the search" rule.

> ssl_bump peek step1 all
> ssl_bump peek step2 allowed_https_sites
> ssl_bump splice step2 allowed_https_sites
> ssl_bump splice step3 allowed_https_sites
> ssl_bump terminate step2 all
> ssl_bump bump all

To learn how ssl_bump rules work, please see
https://wiki.squid-cache.org/Features/SslPeekAndSplice

AFAICT, the above rules are equivalent to:

  ssl_bump peek step1
  ssl_bump peek step2 allowed_https_sites
  ssl_bump terminate step2
  ssl_bump splice all

or, roughly speaking, "splice allowed_https_sites (after peeking at
their server) and terminate everything else (ASAP)"

... which is rather different from what the original rules may have
tried to accomplish (whatever that was).


HTH,

Alex.
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
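The three ssl_bump rule sets in this thread (the original one Alex quoted, his four-line simplification, and the colleague's final squid.conf) can be compared with a small first-match simulator. This is an added example, not Squid's code; it assumes that ssl::server_name cannot match at SslBump1 because the client's SNI has not been seen yet, that an unmatched step defaults to splice, and it uses a constructed allowed name and a constructed non-allowed name.

```python
# Added example, not Squid's code: toy model of Squid's first-match ssl_bump evaluation.
ALLOWED_HTTPS_SITES = (".microsoft.com", ".google.com", ".redhat.com")

ORIGINAL = """peek step1 all
peek step2 allowed_https_sites
splice step2 allowed_https_sites
splice step3 allowed_https_sites
terminate step2 all
bump all"""
SIMPLIFIED = "peek step1\npeek step2 allowed_https_sites\nterminate step2\nsplice all"
FINAL = ("peek step1 all\npeek step2 allowed_https_sites\n"
         "splice step3 allowed_https_sites\nterminate")

def parse(text):
    """One rule per line: <action> [acl ...]; no ACLs means the rule matches everything."""
    return [(p[0], tuple(p[1:])) for p in map(str.split, text.splitlines()) if p]

def acl_matches(acl, step, sni):
    if acl == "all":
        return True
    if acl in ("step1", "step2", "step3"):      # at_step SslBumpN
        return step == int(acl[-1])
    if acl == "allowed_https_sites":            # ssl::server_name, modelled
        # Assumption: the name is only known after the SNI is peeked at (SslBump2 on).
        return sni is not None and any(sni == d[1:] or sni.endswith(d) for d in ALLOWED_HTTPS_SITES)
    raise ValueError(f"unknown acl {acl}")

def decide(rules, sni, hits=None):
    """Return the action taken at each step; the first matching rule wins at every step."""
    trace = []
    for step in (1, 2, 3):
        action = "splice"  # Squid default when no rule matches: tunnel without decrypting
        for idx, (act, acls) in enumerate(rules):
            if all(acl_matches(a, step, sni if step > 1 else None) for a in acls):
                action = act
                if hits is not None:
                    hits[idx] += 1
                break
        trace.append(action)
        if action != "peek":   # splice, bump and terminate are final
            return trace
    raise ValueError("peek selected at SslBump3, which has no next step")

def unreachable(text, names=("www.redhat.com", "evil.example")):
    """Rules that never match for the given server names, i.e. dead under first-match."""
    rules = parse(text)
    hits = [0] * len(rules)
    for name in names:
        decide(rules, name, hits)
    return [" ".join((act, *acls)) for (act, acls), h in zip(rules, hits) if h == 0]
```

Running the three configurations through `decide` gives the same trace for an allowed name (peek, peek, splice) and for any other name (peek, terminate), and `unreachable(ORIGINAL)` reports the two original rules that can never fire.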