<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
-----BEGIN PGP SIGNED MESSAGE----- <br>
Hash: SHA256 <br>
<br>
I think, first you can try the new stage-based SSL bump with 3.5.x. To
do that you must identify the problem sites.<br>
<br>
If there are no results, you can simply bypass the problem sites without
bumping.<br>
<br>
Whole server-first bump, on Squid 3.5.x especially, is not so good an
idea, I think. Especially on provider-level proxies.<br>
<br>
09.04.15 19:09, Vdoctor writes:<br>
<span style="white-space: pre;">> Yuri,<br>
><br>
> So what's next?<br>
><br>
> Do you mean we must "do-not-ssl-bump" wrong certificates?<br>
><br>
> And if a certificate not yet identified is requested by a user, will it crash the Squid?<br>
><br>
> Any idea how to fix that issue?<br>
><br>
> Thanks in advance.<br>
><br>
> Bye Fred<br>
><br>
> From: Yuri Voinov [<a class="moz-txt-link-freetext" href="mailto:yvoinov@gmail.com">mailto:yvoinov@gmail.com</a>]<br>
> Sent: Thursday 9 April 2015 15:04<br>
> To: Vdoctor; <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
> Subject: Re: ***SPAM*** Re: [squid-users] Random SSL bump DB corruption<br>
><br>
> From my experience, it may occur as a result of forming a fake certificate of zero length (in the case the SQUID cannot complete its formation for any reason).<br>
><br>
> In turn, the formation of such a certificate occurs in particular due to any error in the code of the SQUID characteristics or of the server certificate. In particular, one of these servers is iTunes.<br>
><br>
> 09.04.15 19:00, Vdoctor writes:<br>
> > Yury,<br>
> ><br>
> > I checked the source code (3.4/3.5) ssl_crtd, the default size is 2048.<br>
> ><br>
> > "-b fs_block_size File system block size in bytes. Need for processing natural size of certificate on disk. Default value is 2048 bytes."<br>
> ><br>
> > /**<br>
> >  \ingroup ssl_crtd<br>
> >  * This is the external ssl_crtd process.<br>
> >  */<br>
> > int main(int argc, char *argv[])<br>
> > {<br>
> >     try {<br>
> >         size_t max_db_size = 0;<br>
> >         size_t fs_block_size = 2048;<br>
> ><br>
> > But the crazy thing is the index.txt (last line) is wrong, not complete. It seems the tool writes/saves wrong data, that's why it becomes corrupted and crashes the Squid.<br>
> ><br>
> > We have tried with a single ssl_crtd in the squid.conf, then one per worker, the same corruption.<br>
> ><br>
> > Bye Fred<br>
> ><br>
> > -----Original Message-----<br>
> > From: squid-users [<a class="moz-txt-link-freetext" href="mailto:squid-users-bounces@lists.squid-cache.org">mailto:squid-users-bounces@lists.squid-cache.org</a>] On behalf of Yuri Voinov<br>
> > Sent: Thursday 9 April 2015 14:52<br>
> > To: <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
> > Subject: ***SPAM*** Re: [squid-users] Random SSL bump DB corruption<br>
> ><br>
> > Don't think this is critical. What is native fs block size?<br>
> ><br>
> > 09.04.15 13:29, Stakres writes:<br>
> > > Hi Yuri,<br>
> > ><br>
> > > We have checked the sslproxy_capath, all certs updated.<br>
> > > OpenSSL is: OpenSSL 1.0.1e 11 Feb 2013 (Debian 7.8)<br>
> > ><br>
> > > Additional point, the self-signed cert is a 1024, could it be the problem?<br>
> > > Maybe we need to use the ssl_crtd with the option "-b 1024", what do you think?<br>
> > ><br>
> > > example of corrupted db:<br>
> > > *V 250402155004Z 7307E4A4E7FC6483C2B1D533821A7D2356DF1B88 unknown /CN=r2---sn-q4f7sn7z.googlevideo.com+Sign=signTrusted+SignHash=SHA256<br>
> > > V 250402155004Z 2D1FC87E26AC4D8AB1E6F3B45E2C69EB36C7F8D3 unknown /CN=seal.verisign.com+Sign=signTrusted+SignHash=SHA256<br>
> > > 6<br>
> > > *<br>
> > ><br>
> > > the squid crashes when the index.txt becomes wrong... weird...<br>
> > ><br>
> > > Bye Fred<br>
> > ><br>
> > > --<br>
> > > View this message in context: <a class="moz-txt-link-freetext" href="http://squid-web-proxy-cache.1019090.n4.nabble.com/Random-SSL-bump-DB-corruption-tp4670289p4670656.html">http://squid-web-proxy-cache.1019090.n4.nabble.com/Random-SSL-bump-DB-corruption-tp4670289p4670656.html</a><br>
> > > Sent from the Squid - Users mailing list archive at Nabble.com.<br>
> > > _______________________________________________<br>
> > > squid-users mailing list<br>
> > > <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
> > > <a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a><br>
></span><br>
<br>
-----BEGIN PGP SIGNATURE-----
<br>
Version: GnuPG v2
<br>
<br>
iQEcBAEBCAAGBQJVJntGAAoJENNXIZxhPexGu5cIAK17uOKYtdAvuZsGUFEd43pS
<br>
eSpzm5mjO9HqIejFis55Ahz5xSHiZLBb++yb/+oV5I/m0CoEOO7Y17qtWAjO56Ni
<br>
D/QRCmdCudrb4uoXWu0AY/+qwECJmAAsAYkigepVS+6u/kw2R1aU1oXt816EgFhq
<br>
XLyh3/92OvArDbn7HxAAMZRQ5Wqdgc7pdI8Bah6iElMHQrcd5FEuK/yyfoxUTdWf
<br>
F4HQa0EFC4Z3xY1AYfTskTcuVIEyZt9N9s5na/b9TcxktxzbPnTon2yg6CtohAqM
<br>
v2u28VIpToDETq8N8qv7DxQtbGz9cXuGsBj6HDYIUZB8NzEA5ETc+BOzG+DxOPQ=
<br>
=rC2l
<br>
-----END PGP SIGNATURE-----
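What Yuri's reply suggests (peek at the first bump step to learn the server name, splice the sites that make ssl_crtd produce a bad fake certificate, bump the rest) written out as a Squid 3.5 configuration. This is an added example for this archive page, not configuration from the thread or from the Squid project; the paths, the 4MB cache size, the <code>-b 4096</code> value and the <code>.itunes.apple.com</code> name (standing in for the iTunes servers the thread mentions) are assumptions that a real deployment would replace with its own values.<br>
<br>
```conf
# Squid 3.5.x: stage-based bumping. Splice the sites whose server
# certificate ssl_crtd cannot mimic, bump everything else.
# Paths, sizes and the site name below are assumptions for this example.

# Create the certificate db once, with Squid stopped (shell, not squid.conf):
#   /usr/lib/squid/ssl_crtd -c -s /var/lib/ssl_db -M 4MB
# -b is the fs_block_size the thread discusses (default 2048); match it to
# the filesystem holding the db, e.g. GNU "stat -f -c %S /var/lib/ssl_db".
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB -b 4096
sslcrtd_children 8 startup=1 idle=1

http_port 3129 intercept ssl-bump generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/proxy-ca.pem

# SslBump1: only TCP-level info is known; peeking here reveals the client SNI.
acl step1 at_step SslBump1
# Sites found to produce the zero-length fake certificate.
# The thread names iTunes; the exact domain here is an assumption.
acl nobump ssl::server_name .itunes.apple.com

ssl_bump peek step1       # learn the server name without bumping yet
ssl_bump splice nobump    # pass the problem sites through untouched
ssl_bump bump all         # bump the rest at step 2 (the old server-first behaviour)
```
<br>
Grow the <code>nobump</code> list from cache.log evidence rather than guessing: each time ssl_crtd fails to mimic a certificate, add that server name, restart, and confirm the index.txt stays well-formed.<br>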
<br>
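A small checker for the index.txt layout that Fred's dump above shows, added here as an example (it is not Squid's code). It flags records that do not have the six tab-separated columns of the OpenSSL TXT_DB index that ssl_crtd keeps in its <code>-s</code> directory, which is exactly the shape of the truncated last line, and it can trim a malformed tail before Squid is restarted against the db. The sample index is constructed from the two records in the thread with the tabs restored, since the archive collapsed them to spaces; <code>check_index</code>, <code>strip_truncated_tail</code> and the file name <code>check_index.py</code> are names chosen for this example.<br>
<br>
```python
"""
Checker for the index.txt that Squid's ssl_crtd keeps in its -s directory.
Added example for this thread; it is not Squid's own code.

Assumption (stated here): the file follows the OpenSSL TXT_DB "index"
layout, one record per line with six TAB-separated columns:
    status  expiry  revocation  serial  filename  subject
Squid records look like
    V <YYMMDDHHMMSSZ> <empty> <hex serial> unknown /CN=host+Sign=...
A record that does not fit this shape (the lone "6" in the dump above)
is what this script reports.
"""
import re
import sys

STATUS_VALUES = {"V", "R", "E"}           # valid, revoked, expired
DATE_RE = re.compile(r"^\d{12}Z$")        # YYMMDDHHMMSSZ
SERIAL_RE = re.compile(r"^[0-9A-Fa-f]+$")

# Constructed sample modelled on the corrupted db posted in the thread
# (tabs restored; the trailing "6" is the truncated record).
SAMPLE_INDEX = (
    "V\t250402155004Z\t\t7307E4A4E7FC6483C2B1D533821A7D2356DF1B88\tunknown\t"
    "/CN=r2---sn-q4f7sn7z.googlevideo.com+Sign=signTrusted+SignHash=SHA256\n"
    "V\t250402155004Z\t\t2D1FC87E26AC4D8AB1E6F3B45E2C69EB36C7F8D3\tunknown\t"
    "/CN=seal.verisign.com+Sign=signTrusted+SignHash=SHA256\n"
    "6\n"
)


def parse_index_line(line):
    """Validate one record. Returns (ok, reason)."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) != 6:
        return False, "expected 6 tab-separated fields, got %d" % len(fields)
    status, expiry, revoked, serial, filename, subject = fields
    if status not in STATUS_VALUES:
        return False, "unknown status %r" % status
    if not DATE_RE.match(expiry):
        return False, "malformed expiry %r" % expiry
    if status == "R" and not revoked:
        return False, "revoked record without revocation date"
    if status != "R" and revoked:
        return False, "non-revoked record carries revocation date %r" % revoked
    if not SERIAL_RE.match(serial):
        return False, "serial is not hex: %r" % serial
    if not subject.startswith("/"):
        return False, "subject is not a DN: %r" % subject
    return True, ""


def check_index(text):
    """Return [(line_number, reason, raw_line)] for every bad record."""
    problems = []
    for number, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue                      # blank lines are harmless
        ok, reason = parse_index_line(raw)
        if not ok:
            problems.append((number, reason, raw))
    return problems


def strip_truncated_tail(text):
    """Drop a contiguous run of malformed records at the END of the file,
    which is what a write that was cut short leaves behind. Malformed
    records in the middle are left alone for manual inspection."""
    lines = text.splitlines()
    while lines and (not lines[-1].strip() or not parse_index_line(lines[-1])[0]):
        lines.pop()
    return "".join(line + "\n" for line in lines)


if __name__ == "__main__":
    # Usage: python check_index.py /var/lib/ssl_db/index.txt   (stop Squid first)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INDEX
    for number, reason, raw in check_index(data):
        print("line %d: %s: %r" % (number, reason, raw))
```
<br>
Run it against the live db only with Squid stopped. If the malformed record sits in the middle of the file rather than at the end, regenerating the db with <code>ssl_crtd -c</code> is a safer repair than hand-editing index.txt.<br>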
<br>
</body>
</html>