[squid-users] sslcrtvalidator_program

Alex Rousskov rousskov at measurement-factory.com
Mon Jan 18 18:39:53 UTC 2021


On 1/18/21 11:53 AM, Eliezer Croitoru wrote:

> I have tried to read the documentation and to compose a single certificate validation "call" or "request".

> It would help a lot if a single verification request would be public and available to me and maybe others.

As I said, please feel free to add that example to the wiki. I do not
have one, but you should be able to collect a sample using strace or
helper debugging.


> The example shows:

> 0 cert_validate 1519 host=dmz.example-domain.com
> cert_0=-----BEGIN CERTIFICATE-----
> MIID+DCCA2GgAwIBAgIJAIDcHRUxB2O4MA0GCSqGSIb3DQEBBAUAMIGvMQswCQYD
> ...
> YpVJGt5CJuNfCcB/
> -----END CERTIFICATE-----
> error_name_0=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
> error_cert_0=cert0

> so where is the 0x01 byte

I have not checked carefully, but I do not think the 0x01 delimiter is
used for certificate generation or validation requests. Their framing
should be size-based, not EOM-delimiter based -- it does not make sense
to use both at once! If you can confirm that suspicion, you should fix
Squid wiki accordingly.


> and where are the new lines?

Probably where you see them in the sample.


> Hope for a hint about the subject.

You should be able to collect it using strace or by adding debugging to
a test helper that simply prints everything it receives, using, say,
c-string escapes or URL encoding for any special character.


HTH,

Alex.



> -----Original Message-----
> From: Alex Rousskov <rousskov at measurement-factory.com> 
> Sent: Monday, December 14, 2020 9:05 PM
> To: squid-users at lists.squid-cache.org
> Cc: Eliezer Croitor <ngtech1ltd at gmail.com>
> Subject: Re: [squid-users] sslcrtvalidator_program
> 
> On 12/14/20 1:55 PM, Eliezer Croitor wrote:
> 
>> We can use this as an example for a single transaction in the wiki:
>> https://gist.githubusercontent.com/elico/a0397c879776336eeae569317015edc1/raw/b34dff8ece76e480007a950655efff3564afcccc/cache.log
> 
>> Let me know if it's enough to document this subject.
> 
> I am not sure I understand your question -- the format is already
> documented. If you think that attaching an example of a raw helper
> request to that wiki page would help others, please feel free to do so!
> Just avoid the implication that all helper requests would have the same
> set of fields.
> 
> Alex.
> 
> 
>> -----Original Message-----
>> From: Alex Rousskov <rousskov at measurement-factory.com> 
>> Sent: Monday, December 14, 2020 6:42 PM
>> To: squid-users at lists.squid-cache.org
>> Cc: Eliezer Croitor <ngtech1ltd at gmail.com>
>> Subject: Re: [squid-users] sslcrtvalidator_program
>>
>> On 12/14/20 4:26 AM, Eliezer Croitor wrote:
>>> So starts with:
>>> 0 cert_validate... line
>>
>>> And ends with?:
>>> error_name_0=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
>>> error_cert_0=cert0
>>> ?
>>
>> No. The size of the key=value block is specified on the first request
>> line. Please try to follow documentation that Amos has pointed you to:
>> https://wiki.squid-cache.org/Features/AddonHelpers#SSL_server_certificate_validator
>>
>> If that documentation is missing some details, we should fix it.
>>
>>
>>
>>> I am unsure, let me try to re-read this section.
>>> I am missing a fake helper for this..
>>> And a "real world" full example.
>>
>>> Can someone simulate it for me?
>>
>> Glad you found
>> src/security/cert_validators/fake/security_fake_certverify.pl.in. I hope
>> it still works!
>>
>>
>> HTH,
>>
>> Alex.
>>
>>
>>> -----Original Message-----
>>> From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Amos Jeffries
>>> Sent: Monday, December 14, 2020 10:15 AM
>>> To: squid-users at lists.squid-cache.org
>>> Subject: Re: [squid-users] sslcrtvalidator_program
>>>
>>> On 14/12/20 9:11 am, Eliezer Croitor wrote:
>>>> I am trying to understand the way the sslcrtvalidator_program  works.
>>>> I am pretty sure I have asked this in the past but didn't find it for some
>>>> reason.
>>>>
>>>> I want to read line by line so.
>>>> /^-----BEGIN CERTIFICATE-----$/
>>>> ***
>>>> /^-----END CERTIFICATE-----$/
>>>>
>>>> What else should I look for? I was thinking about validating with some extra
>>>> values in the request, for example ip/domain:port and sni.
>>>> Are these available in some way?
>>>
>>>
>>> The details you need are all here:
>>>
>>>  
>>> <https://wiki.squid-cache.org/Features/AddonHelpers#SSL_server_certificate_validator>
>>>
>>> Notice that it receives chains of certificates - maybe several, and/or 
>>> out of order. Whatever the client sends.
>>>
>>>
>>> Amos
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users at lists.squid-cache.org
>>> http://lists.squid-cache.org/listinfo/squid-users
>>>
>>>
>>
> 
> 



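As an added example (my code, not Squid's and not the fake helper mentioned above), here is the kind of "dump everything it receives" test helper Alex suggests, written in Python. It reads requests with the size-based framing described in the thread (the body length on the first request line bounds the key=value block, with no 0x01 end-of-message byte), treats cert_N values as multi-line PEM blocks, writes each request to stderr with C-style escapes so newlines and control bytes become visible, and replies. The response form (`<id> OK <size> <body>` mirroring the request framing, with error_name_N/error_reason_N/error_cert_N lines), the error_reason_N key, and the sample request contents (placeholder PEM text, hostnames) are my assumptions and constructions, not something the thread states; check them against the AddonHelpers wiki page before relying on them.

```python
import io
import re
import sys

# Constructed sample modeled on the request quoted in the thread. The PEM
# body is a placeholder, not a real certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              "MIIBexampleplaceholderlineAAAA\n"
              "-----END CERTIFICATE-----")
SAMPLE_FIELDS = [
    ("host", "dmz.example-domain.com"),
    ("cert_0", SAMPLE_PEM),
    ("error_name_0", "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT"),
    ("error_cert_0", "cert_0"),
]


def build_request(req_id, fields):
    """Frame a request as '<id> cert_validate <size> <body>': <size> is the
    byte length of the key=value block that follows the trailing space."""
    body = "".join("%s=%s\n" % (k, v) for k, v in fields).encode()
    return ("%d cert_validate %d " % (req_id, len(body))).encode() + body


HEADER_RE = re.compile(rb"(\d+) cert_validate (\d+) ")
MAX_HEADER = 64  # a sane "<id> cert_validate <size> " is far shorter


def read_request(stream):
    """Read one size-framed request from a binary stream; None at EOF.
    Only the size bounds the body: no 0x01 delimiter is looked for."""
    header = b""
    while header.count(b" ") < 3:  # header ends after its third space
        ch = stream.read(1)
        if not ch:
            if header:
                raise ValueError("truncated header: %r" % header)
            return None
        header += ch
        if len(header) > MAX_HEADER:
            raise ValueError("header too long: %r" % header)
    m = HEADER_RE.fullmatch(header)
    if not m:
        raise ValueError("bad header: %r" % header)
    req_id, size = int(m.group(1)), int(m.group(2))
    body = stream.read(size)
    if len(body) != size:
        raise ValueError("truncated body: %d of %d bytes" % (len(body), size))
    return req_id, body


def parse_body(body):
    """Split the key=value block into a dict. A value that starts a PEM
    block continues over following lines up to the END line."""
    lines = body.decode("ascii").split("\n")
    fields = {}
    i = 0
    while i < len(lines):
        line = lines[i]
        if line:
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError("line without '=': %r" % line)
            if value.startswith("-----BEGIN CERTIFICATE-----"):
                pem = [value]
                while not pem[-1].startswith("-----END CERTIFICATE-----"):
                    i += 1
                    if i >= len(lines):
                        raise ValueError("unterminated PEM block for %s" % key)
                    pem.append(lines[i])
                value = "\n".join(pem)
            fields[key] = value
        i += 1
    return fields


def escaped(data):
    """Render bytes with C-string escapes so newlines and control bytes show."""
    out = []
    for b in data:
        if b == 0x5C:
            out.append("\\\\")
        elif b == 0x0A:
            out.append("\\n")
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append("\\x%02x" % b)
    return "".join(out)


def handle_request(req_id, body):
    """Echo the errors Squid reported back unchanged. Response framing and the
    error_reason_N key are assumptions (mirroring the request), not verified."""
    fields = parse_body(body)
    out = []
    for key in fields:
        if key.startswith("error_name_"):
            n = key[len("error_name_"):]
            out.append("error_name_%s=%s\n" % (n, fields[key]))
            out.append("error_reason_%s=reported by Squid, not overridden\n" % n)
            out.append("error_cert_%s=%s\n" % (n, fields.get("error_cert_" + n, "")))
    rbody = "".join(out).encode()
    return ("%d OK %d " % (req_id, len(rbody))).encode() + rbody


def main():
    stream = sys.stdin.buffer
    while True:
        req = read_request(stream)
        if req is None:
            break
        req_id, body = req
        sys.stderr.write("request %d: %s\n" % (req_id, escaped(body)))
        sys.stdout.buffer.write(handle_request(req_id, body))
        sys.stdout.buffer.flush()


if __name__ == "__main__":
    main()
```

Pointed at by `sslcrtvalidator_program` (the helper binary path; other options of that directive are not shown here), it logs every raw request to stderr, which answers the "where are the newlines" question directly: they appear as `\n` in the dump. Because the framing is size-based, two requests written back to back are split correctly without any delimiter byte, which is what the size on the first line is for.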