<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>/*<br>You could assign two workers, each with a different http_port and<br><pre>ssl_crtd helper using different cert databases.<br><br>*/<br><br>How to do this? It sounds it might meet our need. <br><br>The reason is that we assign a port for internal, <br>so we can use cheap CA (self-generated CA), for the collaboration, we use a diffrent port, <br>may need to set up a different CA.<br><br>THX<br><br>Alex<br></pre><br><br /><br /><div>> Date: Tue, 30 Jun 2015 16:51:51 +1200<br>> From: squid3@treenet.co.nz<br>> To: squid-users@lists.squid-cache.org<br>> Subject: Re: [squid-users] sslbump and caching of generated cert<br>> <br>> On 30/06/2015 5:35 a.m., Alex Wu wrote:<br>> > So far as I know, hen sslbump is enabled for a port, for each dns<br>> > name, squid save a cert generated according to dns name and signing<br>> > key (from http_port configuration). So the next time, the generated<br>> > cert can be fetched if the same dns host and configured signing key. <br>> <br>> Signing key is just a validation check on the cert. It has nothing else<br>> to do with the actual cert.<br>> <br>> AFAIK generated certs are stored by DN, serial number or hash of the two.<br>> <br>> > Now have a question on this:<br>> > <br>> > http_port 10045 ssl-bump generate-host-certificates=on<br>> > dynamic_cert_mem_cache_size=4MB<br>> > key=/opt/bg/deploy/squid/etc/mydlp/ssl/key_10045.pem<br>> > cert=/opt/bg/deploy/squid/etc/mydlp/ssl/cert_10045.pem http_port<br>> > 10046 ssl-bump generate-host-certificates=on<br>> > dynamic_cert_mem_cache_size=4MB<br>> > key=/opt/bg/deploy/squid/etc/mydlp/ssl/key_10046.pem<br>> > cert=/opt/bg/deploy/squid/etc/mydlp/ssl/cert_10046.pem I have two<br>> > ports configured with SSLBUMP. Each port has its own CA signing key.<br>> > The desired behavior is that, for the hostname www.foo.com, the<br>> > certificate generated for the port should use key_10045, and the<br>> > certificate generated for the port should use key_10046. It seems OK.<br>> > But, if we look at the ssl_db, only the last generated certificate<br>> > is cached for www.foo.com. Is it possible to cache the generated<br>> > certificates by the host and signing key? Alex<br>> <br>> Not in the current design.<br>> <br>> You could assign two workers, each with a different http_port and<br>> ssl_crtd helper using different cert databases.<br>> <br>> <br>> What is the point of this anyway? Why do you want to make your users<br>> face a constant stream of nasty certificate-changed errors?<br>> <br>> Amos<br>> _______________________________________________<br>> squid-users mailing list<br>> squid-users@lists.squid-cache.org<br>> http://lists.squid-cache.org/listinfo/squid-users<br></div> </div></body>
</html>