[squid-users] sslcrtvalidator_program

Eliezer Croitoru ngtech1ltd at gmail.com
Mon Jan 18 16:53:43 UTC 2021


Hey Alex,

I have tried to read the documentation and to compose a single certificate validation "call" or "request".
The issue with this is that I am unable to do that.
It would help a lot if a single verification request would be public and available to me and maybe others.
The example shows:
0 cert_validate 1519 host=dmz.example-domain.com
cert_0=-----BEGIN CERTIFICATE-----
MIID+DCCA2GgAwIBAgIJAIDcHRUxB2O4MA0GCSqGSIb3DQEBBAUAMIGvMQswCQYD
...
YpVJGt5CJuNfCcB/
-----END CERTIFICATE-----
error_name_0=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
error_cert_0=cert0

so where is the 0x01 byte and where are the newlines?
Maybe it's written but I do not see it like in the examples of the external_acl helpers.
My assumption for now is that:
## START
0 cert_validate 1519 host=dmz.example-domain.com0x01
cert_0=-----BEGIN CERTIFICATE-----0x01
MIID+DCCA2GgAwIBAgIJAIDcHRUxB2O4MA0GCSqGSIb3DQEBBAUAMIGvMQswCQYD0x01
...
YpVJGt5CJuNfCcB/0x01
-----END CERTIFICATE-----0x01
error_name_0=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT0x01
error_cert_0=cert0\n
## END

I am pretty sure I am wrong since the helper I wrote doesn't work.

In bash I think I can use the next echo:
echo -n -e 'test\x01'

to emulate it but I still don't get it right.

Hope for a hint about the subject.

Thanks,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd at gmail.com
Zoom: Coming soon
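
An added example for the framing question above, written in Python for this edit; it is neither the fake helper in the Squid tree nor code from anyone in this thread. It frames the request by the body length on the first line (not by newlines or 0x01 markers) and pulls each cert_N PEM block out by its BEGIN/END lines. The sample request is constructed from the thread's own example with a truncated placeholder certificate; the 0x01 byte closing the reply and the empty reply body are assumptions taken from the wiki page linked later in the thread.

```python
import re
import sys

# Constructed sample, modelled on the request quoted in the thread; the PEM lines are
# placeholder text from that quote, not a real certificate.
SAMPLE_BODY = (
    "host=dmz.example-domain.com\n"
    "cert_0=-----BEGIN CERTIFICATE-----\n"
    "MIID+DCCA2GgAwIBAgIJAIDcHRUxB2O4MA0GCSqGSIb3DQEBBAUAMIGvMQswCQYD\n"
    "YpVJGt5CJuNfCcB/\n"
    "-----END CERTIFICATE-----\n"
    "error_name_0=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT\n"
    "error_cert_0=cert0"
)
SAMPLE_REQUEST = b"0 cert_validate %d %s" % (len(SAMPLE_BODY.encode()), SAMPLE_BODY.encode())

HEADER_RE = re.compile(rb"^(\d+) cert_validate (\d+) ")
PEM_BEGIN, PEM_END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def parse_request(raw):
    """Parse one request from a byte buffer; return (request_id, fields, bytes consumed).
    The body extent comes from the length on the first line, never from line endings,
    because the PEM values themselves contain newlines. Any separator byte that follows
    the body is left for the caller."""
    m = HEADER_RE.match(raw)
    if not m:
        raise ValueError("malformed request header")
    req_id, body_len, start = m.group(1).decode(), int(m.group(2)), m.end()
    if len(raw) < start + body_len:
        return None  # incomplete: caller should read more bytes and retry
    fields, key, in_pem = {}, None, False
    for line in raw[start:start + body_len].decode().split("\n"):
        if in_pem:  # base64 lines may end in '=', so never split them as key=value
            fields[key] += "\n" + line
            in_pem = line != PEM_END
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("expected key=value, got %r" % line)
        fields[key] = value
        in_pem = value == PEM_BEGIN
    return req_id, fields, start + body_len

def decide(fields):
    """Fail closed: only the absence of every error_name_N field counts as OK."""
    errors = [v for k, v in fields.items() if k.startswith("error_name_")]
    return len(errors) == 0, errors

def compose_response(req_id, ok, body=""):
    """'<id> OK|ERR <body_len> <body>' plus the 0x01 end-of-message byte (assumed from the wiki)."""
    return ("%s %s %d %s" % (req_id, "OK" if ok else "ERR", len(body.encode()), body)).encode() + b"\x01"

if __name__ == "__main__":
    req_id, fields, _ = parse_request(SAMPLE_REQUEST)
    ok, errors = decide(fields)
    sys.stdout.buffer.write(compose_response(req_id, ok))
```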


-----Original Message-----
From: Alex Rousskov <rousskov at measurement-factory.com> 
Sent: Monday, December 14, 2020 9:05 PM
To: squid-users at lists.squid-cache.org
Cc: Eliezer Croitor <ngtech1ltd at gmail.com>
Subject: Re: [squid-users] sslcrtvalidator_program

On 12/14/20 1:55 PM, Eliezer Croitor wrote:

> We can use this as an example for a single transaction in the wiki:
> https://gist.githubusercontent.com/elico/a0397c879776336eeae569317015edc1/raw/b34dff8ece76e480007a950655efff3564afcccc/cache.log

> Let me know if it's enough to document this subject.

I am not sure I understand your question -- the format is already
documented. If you think that attaching an example of a raw helper
request to that wiki page would help others, please feel free to do so!
Just avoid the implication that all helper requests would have the same
set of fields.

Alex.


> -----Original Message-----
> From: Alex Rousskov <rousskov at measurement-factory.com> 
> Sent: Monday, December 14, 2020 6:42 PM
> To: squid-users at lists.squid-cache.org
> Cc: Eliezer Croitor <ngtech1ltd at gmail.com>
> Subject: Re: [squid-users] sslcrtvalidator_program
> 
> On 12/14/20 4:26 AM, Eliezer Croitor wrote:
>> So starts with:
>> 0 cert_validate... line
> 
>> And ends with?:
>> error_name_0=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
>> error_cert_0=cert0
>> ?
> 
> No. The size of the key=value block is specified on the first request
> line. Please try to follow documentation that Amos has pointed you to:
> https://wiki.squid-cache.org/Features/AddonHelpers#SSL_server_certificate_validator
> 
> If that documentation is missing some details, we should fix it.
> 
> 
> 
>> I am unsure, let me try to re-read this section.
>> I am missing a fake helper for this..
>> And a "real world" full example.
> 
>> Can someone simulate it for me?
> 
> Glad you found
> src/security/cert_validators/fake/security_fake_certverify.pl.in. I hope
> it still works!
> 
> 
> HTH,
> 
> Alex.
> 
> 
>> -----Original Message-----
>> From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Amos Jeffries
>> Sent: Monday, December 14, 2020 10:15 AM
>> To: squid-users at lists.squid-cache.org
>> Subject: Re: [squid-users] sslcrtvalidator_program
>>
>> On 14/12/20 9:11 am, Eliezer Croitor wrote:
>>> I am trying to understand the way the sslcrtvalidator_program  works.
>>> I am pretty sure I have asked this in the past but didn't find it for some
>>> reason.
>>>
>>> I want to read line by line so.
>>> /^-----BEGIN CERTIFICATE-----$/
>>> ***
>>> /^-----END CERTIFICATE-----$/
>>>
>>> What else should I look for? I was thinking about validating with some extra
>>> values in the request, for example ip/domain:port and sni.
>>> Are these available in some way?
>>
>>
>> The details you need are all here:
>>
>>  
>> <https://wiki.squid-cache.org/Features/AddonHelpers#SSL_server_certificate_validator>
>>
>> Notice that it receives chains of certificates - maybe several, and/or 
>> out of order. Whatever the client sends.
>>
>>
>> Amos
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>>
> 