[squid-users] sslcrtvalidator_program

Alex Rousskov rousskov at measurement-factory.com
Mon Dec 14 19:31:22 UTC 2020


On 12/14/20 2:15 PM, Eliezer Croitor wrote:

> I wrote a simple ruby helper but squid claims it crashes rapidly.

> Since probably nobody else is willing to do some pipelining job I
> assume it's on me...

> I understand what you are saying/writing but from what I see some in
> the market do not want to pay.

I am sorry, but you lost me here. I do not understand the connection
between your earlier questions (which Amos and I tried to answer) and
the above statements.

Alex.


> -----Original Message-----
> From: Alex Rousskov <rousskov at measurement-factory.com> 
> Sent: Monday, December 14, 2020 9:05 PM
> To: squid-users at lists.squid-cache.org
> Cc: Eliezer Croitor <ngtech1ltd at gmail.com>
> Subject: Re: [squid-users] sslcrtvalidator_program
> 
> On 12/14/20 1:55 PM, Eliezer Croitor wrote:
> 
>> We can use this as an example for a single transaction in the wiki:
>> https://gist.githubusercontent.com/elico/a0397c879776336eeae569317015edc1/raw/b34dff8ece76e480007a950655efff3564afcccc/cache.log
> 
>> Let me know if it's enough to document this subject.
> 
> I am not sure I understand your question -- the format is already
> documented. If you think that attaching an example of a raw helper
> request to that wiki page would help others, please feel free to do so!
> Just avoid the implication that all helper requests would have the same
> set of fields.
> 
> Alex.
> 
> 
>> -----Original Message-----
>> From: Alex Rousskov <rousskov at measurement-factory.com> 
>> Sent: Monday, December 14, 2020 6:42 PM
>> To: squid-users at lists.squid-cache.org
>> Cc: Eliezer Croitor <ngtech1ltd at gmail.com>
>> Subject: Re: [squid-users] sslcrtvalidator_program
>>
>> On 12/14/20 4:26 AM, Eliezer Croitor wrote:
>>> So starts with:
>>> 0 cert_validate... line
>>
>>> And ends with?:
>>> error_name_0=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
>>> error_cert_0=cert0
>>> ?
>>
>> No. The size of the key=value block is specified on the first request
>> line. Please try to follow documentation that Amos has pointed you to:
>> https://wiki.squid-cache.org/Features/AddonHelpers#SSL_server_certificate_validator
>>
>> If that documentation is missing some details, we should fix it.
>>
>>
>>
>>> I am unsure, let me try to re-read this section.
>>> I am missing a fake helper for this..
>>> And a "real world" full example.
>>
>>> Can someone simulate it for me?
>>
>> Glad you found
>> src/security/cert_validators/fake/security_fake_certverify.pl.in. I hope
>> it still works!
>>
>>
>> HTH,
>>
>> Alex.
>>
>>
>>> -----Original Message-----
>>> From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Amos Jeffries
>>> Sent: Monday, December 14, 2020 10:15 AM
>>> To: squid-users at lists.squid-cache.org
>>> Subject: Re: [squid-users] sslcrtvalidator_program
>>>
>>> On 14/12/20 9:11 am, Eliezer Croitor wrote:
>>>> I am trying to understand the way the sslcrtvalidator_program works.
>>>> I am pretty sure I have asked this in the past but didn't find it for some
>>>> reason.
>>>>
>>>> I want to read line by line so.
>>>> /^-----BEGIN CERTIFICATE-----$/
>>>> ***
>>>> /^-----END CERTIFICATE-----$/
>>>>
>>>> What else should I look for? I was thinking about validating with some extra
>>>> values in the request, for example ip/domain:port and sni.
>>>> Are these available in some way?
>>>
>>>
>>> The details you need are all here:
>>>
>>>  
>>> <https://wiki.squid-cache.org/Features/AddonHelpers#SSL_server_certificate_validator>
>>>
>>> Notice that it receives chains of certificates - maybe several, and/or 
>>> out of order. Whatever the client sends.
>>>
>>>
>>> Amos
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users at lists.squid-cache.org
>>> http://lists.squid-cache.org/listinfo/squid-users
>>>
>>>
>>
> 
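
Added example, not part of the thread and not Squid's or the posters' code: a Ruby sketch of reading one validator request by the size given on its first line instead of scanning for BEGIN/END CERTIFICATE lines. The framing (channel ID, "cert_validate", size, one space, then the block) and the host and cert_0 keys are assumptions based on the wiki page linked in the thread; the request and its certificate text are constructed.

```ruby
require 'stringio'

PEM_BEGIN = '-----BEGIN CERTIFICATE-----'
PEM_END   = '-----END CERTIFICATE-----'

# Split the key=value block. A certificate value spans several lines, and its
# base64 lines may end in "=", so lines inside a PEM are never read as keys.
def parse_fields(body)
  fields = {}
  pem_key = nil
  body.each_line(chomp: true) do |line|
    if pem_key
      fields[pem_key] << "\n" << line
      pem_key = nil if line == PEM_END
    elsif (m = line.match(/\A(\w+)=(.*)\z/))
      fields[m[1]] = +m[2]
      pem_key = m[1] if m[2] == PEM_BEGIN
    end
  end
  raise ArgumentError, "unterminated certificate in #{pem_key}" if pem_key
  fields # whatever keys were sent; no fixed set of fields is assumed
end

# Assumed framing: "<channel> cert_validate <size> " and then exactly <size>
# bytes of key=value data. The block ends where the size says, not at a pattern.
def read_validator_request(io)
  header = +''
  while header.count(' ') < 3
    ch = io.read(1) or raise EOFError, 'truncated header'
    header << ch
  end
  channel, code, size = header.split(' ')
  raise ArgumentError, "unexpected code #{code.inspect}" unless code == 'cert_validate'
  raise ArgumentError, "bad size #{size.inspect}" unless size.to_s.match?(/\A\d+\z/)
  body = io.read(size.to_i).to_s
  raise EOFError, 'truncated key=value block' if body.bytesize != size.to_i
  { channel: Integer(channel), fields: parse_fields(body) }
end

# Constructed sample: placeholder base64 text, not a real certificate.
SAMPLE_BODY = ['host=example.test', "cert_0=#{PEM_BEGIN}", 'QUJD', 'REVGRw==', PEM_END,
               'error_name_0=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT',
               'error_cert_0=cert_0'].join("\n")
SAMPLE = "0 cert_validate #{SAMPLE_BODY.bytesize} #{SAMPLE_BODY}"

if __FILE__ == $PROGRAM_NAME
  req = read_validator_request(StringIO.new(SAMPLE))
  req[:fields].each { |k, v| puts "#{k}: #{v.lines.first.chomp}" }
end
```

Anything that follows the block on the stream (a terminator or the next request) is left unread by this sketch.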


