<div dir="ltr">Ok. Looks like 3.5.20 is the latest on the yum repo I'm using, so guess I'll have to learn how to compile it myself; never compiled a package before.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Sep 11, 2017 at 4:17 PM, Yuri <span dir="ltr"><<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
Hardly,<br>
<br>
most probably something in the repo's package. However, an upgrade is
always recommended, especially with modern functionality. It changes
fast enough.<br>
<br>
<div class="m_-469225490075285610moz-cite-prefix">12.09.2017 2:15, Rohit Sodhia wrote:<br>
</div><div><div class="h5">
<blockquote type="cite">
<div dir="ltr">Ah. I'm on 3.5.20; not sure how far back that is.
Is that the core of the problem?<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Sep 11, 2017 at 4:07 PM, Yuri <span dir="ltr"><<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Seems the latest 4.0.21 is good enough. Most critical
SSL-related bugs are almost closed or closed.</p>
<p>At least the latest 3.5.27 is released. AFAIK this is the
minimum for problem-free running.</p>
<p>Repository software sometimes has strange quirks, or is
sometimes rancid.<br>
</p>
12.09.2017 2:05, Rohit Sodhia wrote:
<div>
<div class="m_-469225490075285610h5"><br>
<blockquote type="cite">
<div dir="ltr">I'll try to find it, but I read a few articles/SO questions that suggested there were bugs in 4 relating to SSL bumping? If they were wrong, I'd be glad to go forward. Should I be removing the yum squid package and compiling my own? Is 3.5 problematic besides being old?<br>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Sep 11, 2017
at 4:02 PM, Yuri <span dir="ltr"><<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Wait. Squid 3.5.20? So ancient?<br>
</p>
<br>
<div class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004moz-cite-prefix">12.09.2017 1:58, Rohit Sodhia wrote:<br>
</div>
<div>
<div class="m_-469225490075285610m_-2418983803487464905h5">
<blockquote type="cite">
<div dir="ltr">
<div>
<div>sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB<br>
</div>
<br>
</div>
I used the line from the Stack Overflow question I linked earlier.<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon,
Sep 11, 2017 at 3:41 PM, Yuri
<span dir="ltr"><<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Well. Let's check more deeply.</p>
<p>Show me the parameter sslcrtd_program in your squid.conf<br>
</p>
<br>
<div class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700moz-cite-prefix">12.09.2017 1:23, Rohit Sodhia wrote:<br>
</div>
<div>
<div class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004h5">
<blockquote type="cite">
<div dir="ltr">
<div>
<div>Unfortunately, no luck yet. Thank you again for your help before.<br>
<br>
</div>
I found that the user squid and group squid existed already, so I added<br>
<br>
cache_effective_user squid<br>
cache_effective_group squid<br>
<br>
</div>
to my config (first two lines), made sure /var/lib/ssl_db and its contents were set to squid:squid and restarted the service, but I'm still getting the same error :(<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
Mon, Sep 11,
2017 at 2:42 PM,
Rohit Sodhia <span dir="ltr"><<a href="mailto:sodhia.rohit@gmail.com" target="_blank">sodhia.rohit@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">I'll try that immediately, thanks! I appreciate all your advice; hopefully I won't have to reach out again :p<br>
</div>
<div class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700HOEnZb">
<div class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700h5">
<div class="gmail_extra"><br>
<div class="gmail_quote">On
Mon, Sep 11,
2017 at 2:39
PM, Yuri <span dir="ltr"><<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>I'm not a Linux fanboy, but modern squid never runs as root. So, most probably it runs as the nobody user.</p>
<p>Ah, yes:</p>
<p># TAG: cache_effective_user<br>
# If you start Squid as root, it will change its effective/real<br>
# UID/GID to the user specified below. The default is to change<br>
# to UID of nobody.<br>
# see also; cache_effective_group<br>
#Default:<br>
# cache_effective_user nobody<br>
<br>
# TAG: cache_effective_group<br>
# Squid sets the GID to the effective user's default group ID<br>
# (taken from the password file) and supplementary group list<br>
# from the groups membership.<br>
#<br>
# If you want Squid to run with a specific GID regardless of<br>
# the group memberships of the effective user then set this<br>
# to the group (or GID) you want Squid to run as. When set<br>
# all other group privileges of the effective user are ignored<br>
# and only this GID is effective. If Squid is not started as<br>
# root the user starting Squid MUST be member of the specified<br>
# group.<br>
#<br>
# This option is not recommended by the Squid Team.<br>
# Our preference is for administrators to configure a secure<br>
# user account for squid with UID/GID matching system policies.<br>
#Default:<br>
# Use system group memberships of the cache_effective_user account<br>
</p>
<p>As documented. :)</p>
<p>AFAIK the best solution is to create a non-privileged group &amp; user (like squid/squid) and set both these parameters explicitly.</p>
<p>Then change the owner recursively on the SSL cache to this user.<br>
</p>
<br>
<div class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972moz-cite-prefix">12.09.2017 0:36, Rohit Sodhia wrote:<br>
</div>
<div>
<div class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590h5">
<blockquote type="cite">
<div dir="ltr">Neither of those values is set in my config. Even though I'm not using squid for caching, I need those values? They aren't set in the default configs either.<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
Mon, Sep 11,
2017 at 2:33
PM, Yuri <span dir="ltr"><<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Most probably your squid runs as a user other than squid.</p>
<p>Check your squid.conf for cache_effective_user and cache_effective_group values.</p>
<p>Then change the SSL cache permissions to these values. Should work.<br>
</p>
<br>
<div class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659moz-cite-prefix">12.09.2017 0:30, Rohit Sodhia wrote:<br>
</div>
<div>
<div class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972h5">
<blockquote type="cite">
<div dir="ltr">
<div>Thanks for the feedback! I just used yum (it's a CentOS 7 VB) and it set it up like that. I changed the owner and group to squid:squid and tried restarting squid, but still get the same errors. I thought to run the command again, but this time it says<br>
<br>
/usr/lib64/squid/ssl_crtd: Cannot create /var/lib/ssl_db<br>
<br>
</div>
If this folder has incorrect permissions, are there possibly other permission issues?<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
Mon, Sep 11,
2017 at 2:25
PM, Yuri <span dir="ltr"><<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Here is the root of your problem.</p>
<p>Should be (on my setups):</p>
<p># ls -al /var/lib/ssl_db<br>
total 326<br>
drwxr-xr-x 3 squid squid 5 Sep 5 00:53 .<br>
drwxr-xr-x 8 root other 8 Sep 5 00:53 ..<br>
drwxr-xr-x 2 squid squid 454 Sep 11 23:37 certs<br>
-rw-r--r-- 1 squid squid 280575 Sep 11 23:37 index.txt<br>
-rw-r--r-- 1 squid squid 7 Sep 11 23:37 size<br>
</p>
<p>I.e. Squid has no access to the SSL cache dir structures. <br>
</p>
<br>
<div class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659m_8619755247267626566moz-cite-prefix">12.09.2017 0:23, Rohit Sodhia wrote:<br>
</div>
<div>
<div class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659h5">
<blockquote type="cite">
<div dir="ltr">total 8<br>
drwxr-xr-x. 3 root root 48 Sep 11 12:42 .<br>
drwxr-xr-x. 32 root root 4096 Sep 11 12:42 ..<br>
drwxr-xr-x. 2 root root 6 Sep 11 12:42 certs<br>
-rw-r--r--. 1 root root 0 Sep 11 12:42 index.txt<br>
-rw-r--r--. 1 root root 1 Sep 11 12:42 size<br>
<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
Mon, Sep 11,
2017 at 2:22
PM, Yuri <span dir="ltr"><<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Show output of<br>
</p>
<p>ls -al /var/lib/ssl_db</p>
<br>
<div class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659m_8619755247267626566m_551260681713239387moz-cite-prefix">12.09.2017 0:21, Rohit Sodhia wrote:<br>
</div>
<div>
<div class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659m_8619755247267626566h5">
<blockquote type="cite">
<div dir="ltr">Yes, but telling me it's crashing unfortunately doesn't help me figure out why or how to fix it. I've run the command it suggests but it doesn't help. I'm unfortunately not an ops guy familiar with this kind of stuff; I don't see anything on how to figure out what to do about it.<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
Mon, Sep 11,
2017 at 2:17
PM, Yuri <span dir="ltr"><<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">It tells you what happens.<br>
<br>
<br>
11.09.2017 23:50, Rohit Sodhia wrote:<br>
<div class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659m_8619755247267626566m_551260681713239387HOEnZb">
<div class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659m_8619755247267626566m_551260681713239387h5">> (ssl_crtd): Uninitialized SSL certificate database directory:<br>
> /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".<br>
<br>
<br>
</div>
</div>
<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>
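<p>The whole thread reduces to one check: the account Squid drops to after startup (cache_effective_user / cache_effective_group, defaulting to nobody per the squid.conf documentation quoted above) must own the ssl_crtd database directory, including the directory itself, or ssl_crtd cannot create or open it. The script below is an added example, not code from the mailing list or from the Squid project: it reads the two directives from a squid.conf, lists every path under the ssl_db tree whose owner:group differs, and prints the recursive chown that brings it in line. The paths /etc/squid/squid.conf and /var/lib/ssl_db are the assumed defaults; the function names are the example's own, and the config and directory used when testing it are constructed.</p>

```shell
#!/bin/sh
# Added example (not from the thread): verify that the ssl_crtd certificate
# database is owned by the user/group Squid actually runs as.
# Assumed default locations; pass your own on the command line.
# Usage: sh check_ssl_db.sh /etc/squid/squid.conf /var/lib/ssl_db
set -eu

# Last cache_effective_user directive wins; Squid's documented default is nobody.
# Commented-out lines ("# cache_effective_user nobody") start with "#" and are skipped.
squid_effective_user() {
    u=$(awk '$1 == "cache_effective_user" { v = $2 } END { print v }' "$1")
    printf '%s\n' "${u:-nobody}"
}

# cache_effective_group, falling back to the effective user's primary group
# (what Squid does when the directive is unset). If the account does not
# exist on this host, report the user name so the mismatch stays visible.
squid_effective_group() {
    g=$(awk '$1 == "cache_effective_group" { v = $2 } END { print v }' "$1")
    if [ -n "$g" ]; then
        printf '%s\n' "$g"
    else
        user=$(squid_effective_user "$1")
        id -gn "$user" 2>/dev/null || printf '%s\n' "$user"
    fi
}

# Print one line per path under $1 (the directory itself included) that is
# not owned by $2:$3. Owner and group are taken from "ls -ld", so a name with
# no local account (e.g. root-owned files after a package install) still compares.
ssl_db_ownership_mismatches() {
    db=$1; want="$2:$3"
    find "$db" -print | while IFS= read -r path; do
        have=$(ls -ld "$path" | awk '{ print $3 ":" $4 }')
        [ "$have" = "$want" ] || printf '%s is %s, expected %s\n' "$path" "$have" "$want"
    done
}

# Report the result and show the recursive chown that fixes the tree.
# Returns 0 when everything matches, 1 otherwise.
check_ssl_db() {
    conf=$1; db=$2
    user=$(squid_effective_user "$conf")
    group=$(squid_effective_group "$conf")
    bad=$(ssl_db_ownership_mismatches "$db" "$user" "$group")
    if [ -z "$bad" ]; then
        echo "OK: $db is owned by $user:$group throughout"
        return 0
    fi
    echo "$bad"
    echo "Fix (as root): chown -R $user:$group $db"
    return 1
}

if [ $# -eq 2 ]; then
    check_ssl_db "$1" "$2"
fi
```

<p>Run it as root or as any user that can read the tree; a non-zero exit means at least one entry is owned by someone other than the effective account. The check deliberately compares names printed by ls rather than resolving them, so the root-owned tree from the thread is reported even on a host where the squid account was never created, which is exactly the state a yum-installed package can leave behind.</p>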