[squid-users] sslcrtvalidator_program

Eliezer Croitor ngtech1ltd at gmail.com
Mon Dec 14 18:55:55 UTC 2020


Seems to work:
This one output stream.
We can use this as an example for a single transaction in the wiki:
https://gist.githubusercontent.com/elico/a0397c879776336eeae569317015edc1/raw/b34dff8ece76e480007a950655efff3564afcccc/cache.log

Let me know if it's enough to document this subject.

Thanks,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il

-----Original Message-----
From: Alex Rousskov <rousskov at measurement-factory.com> 
Sent: Monday, December 14, 2020 6:42 PM
To: squid-users at lists.squid-cache.org
Cc: Eliezer Croitor <ngtech1ltd at gmail.com>
Subject: Re: [squid-users] sslcrtvalidator_program

On 12/14/20 4:26 AM, Eliezer Croitor wrote:
> So starts with:
> 0 cert_validate... line

> And ends with?:
> error_name_0=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
> error_cert_0=cert0
> ?

No. The size of the key=value block is specified on the first request
line. Please try to follow documentation that Amos has pointed you to:
https://wiki.squid-cache.org/Features/AddonHelpers#SSL_server_certificate_validator

If that documentation is missing some details, we should fix it.



> I am unsure, let me try to re-read this section.
> I am missing a fake helper for this..
> And a "real world" full example.

> Can someone simulate it for me?

Glad you found
src/security/cert_validators/fake/security_fake_certverify.pl.in. I hope
it still works!


HTH,

Alex.


> -----Original Message-----
> From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Amos Jeffries
> Sent: Monday, December 14, 2020 10:15 AM
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] sslcrtvalidator_program
> 
> On 14/12/20 9:11 am, Eliezer Croitor wrote:
>> I am trying to understand the way the sslcrtvalidator_program works.
>> I am pretty sure I have asked this in the past but didn’t find it for some
>> reason.
>>
>> I want to read line by line so.
>> /^-----BEGIN CERTIFICATE-----$/
>> ***
>> /^-----END CERTIFICATE-----$/
>>
>> What else should I look for? I was thinking about validating with some extra
>> values in the request, for example ip/domain:port and sni.
>> Are these available in some way?
> 
> 
> The details you need are all here:
> 
>  
> <https://wiki.squid-cache.org/Features/AddonHelpers#SSL_server_certificate_validator>
> 
> Notice that it receives chains of certificates - maybe several, and/or 
> out of order. Whatever the client sends.
> 
> 
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
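
The length-prefixed framing Alex describes above, as an added example that is not part of the original thread and not Squid's own code: it reads the size from the first request line and takes exactly that many bytes, instead of scanning for PEM markers or a closing key. Assumptions: helper concurrency is on (a leading channel ID, as in the "0 cert_validate" line), the key=value block starts right after the single space that follows the size, and the sample request is constructed with placeholder base64.

```python
import io

PEM_END = "-----END CERTIFICATE-----"

def read_request(stream):
    """Read one '<channel> cert_validate <size> <body>' message (layout assumed)."""
    header = b""
    while header.count(b" ") < 3:          # channel, request code, size
        byte = stream.read(1)
        if not byte:
            raise EOFError("stream closed inside the request header")
        header += byte
    channel, request, size = header.split()
    body = stream.read(int(size))          # exactly <size> bytes, no sentinel scanning
    if len(body) != int(size):
        raise EOFError("stream closed inside the key=value block")
    return int(channel), request.decode("ascii"), body

def parse_body(body):
    """Split the block into plain fields and multi-line PEM values keyed cert_<ID>."""
    fields, certs = {}, {}
    lines = iter(body.decode("ascii").splitlines())
    for line in lines:
        key, sep, value = line.partition("=")
        if not sep:
            continue                       # blank or stray line
        if key.startswith("cert_"):
            pem = [value]
            while pem[-1] != PEM_END:      # a PEM value spans several lines
                nxt = next(lines, None)
                if nxt is None:
                    raise ValueError("truncated PEM in " + key)
                pem.append(nxt)
            certs[key] = "\n".join(pem)
        else:
            fields[key] = value
    return fields, certs

def reported_errors(fields):
    """Pair each error_name_<N> with the certificate named by error_cert_<N>."""
    return {v: fields.get("error_cert_" + k[len("error_name_"):])
            for k, v in fields.items() if k.startswith("error_name_")}

# Constructed sample: placeholder base64, not a real certificate.
SAMPLE_BODY = (b"host=example.test\ncert_0=-----BEGIN CERTIFICATE-----\n"
               b"QUJDREVGRw==\n-----END CERTIFICATE-----\n"
               b"error_name_0=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT\n"
               b"error_cert_0=cert_0\n")
# Trailing bytes stand in for the start of the next request on the same stream.
SAMPLE_WIRE = b"0 cert_validate %d " % len(SAMPLE_BODY) + SAMPLE_BODY + b"1 cert_validate"
```

Because the body is taken by byte count, a base64 line ending in "=" or several certificates arriving out of order do not confuse the framing; only parse_body needs to know about PEM boundaries.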



