<div dir="ltr"><div dir="ltr">Hi,<div>this is the certificate that I'm using at the moment:</div><div><br></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Certificate:<br> Data:<br> Version: 3 (0x2)<br> Serial Number:<br> a3:49:9a:ee:ac:75:66:da<br> Signature Algorithm: sha256WithRSAEncryption<br> Issuer: CN = nobody<br> Validity<br> Not Before: Apr 4 11:32:47 2019 GMT<br> Not After : Apr 3 11:32:47 2020 GMT<br> Subject: CN = nobody<br> Subject Public Key Info:<br> Public Key Algorithm: rsaEncryption<br> Public-Key: (2048 bit)<br> Modulus:<br> 00:d8:fc:85:95:05:42:aa:3c:52:64:a2:02:a2:8d:<br> c9:86:48:c3:82:b5:1e:4f:8e:c3:7f:fb:6b:9b:2e:<br> 61:39:10:58:09:09:c9:88:e9:c0:d9:16:b4:e7:36:<br> 99:25:57:c6:f2:07:79:67:7b:50:20:a8:60:42:fa:<br> e1:57:80:9e:e3:08:80:a6:fb:67:b5:25:3f:96:b0:<br> 83:73:35:91:36:cb:d7:7c:06:d6:58:a9:78:36:10:<br> 73:24:af:53:31:c8:a1:0d:89:05:c1:36:55:22:2a:<br> 8b:33:06:5b:07:47:9e:ff:dd:34:a4:5e:ce:56:95:<br> 8c:4f:76:e5:28:f8:9a:49:3d:50:5b:4b:5f:2a:b4:<br> 9c:0d:f4:1e:09:4f:62:64:a2:ee:46:0f:1a:42:ae:<br> 63:92:8c:02:9c:c0:dc:25:d1:d1:b0:ee:a5:fc:66:<br> 20:20:1b:ac:f4:0e:30:ed:2e:27:b9:02:ca:cb:7b:<br> 32:92:4c:6a:c1:58:59:cd:9b:14:3a:c9:76:bd:e1:<br> 06:dc:0d:f6:53:23:45:28:4b:07:8c:3f:6d:e8:6a:<br> f2:01:c5:73:55:76:d2:cf:36:63:6f:6e:86:49:c5:<br> 20:05:95:db:fb:05:36:17:7d:a5:fb:3f:37:cb:47:<br> 3e:b4:a0:fd:35:e2:e7:31:c9:60:39:17:e9:7a:82:<br> 0b:75<br> Exponent: 65537 (0x10001)<br> X509v3 extensions:<br> X509v3 Basic Constraints: critical<br> CA:TRUE<br> X509v3 Subject Key Identifier: <br> 85:A5:3F:F5:8C:88:EA:38:BF:46:42:72:8B:EE:A1:04:B8:FC:E2:D4<br> X509v3 Key Usage: critical<br> Digital Signature, Non Repudiation, Key Encipherment, Key Agreement, Certificate Sign, CRL Sign<br> X509v3 Extended Key Usage: <br> TLS Web Server Authentication<br> X509v3 Subject Alternative Name: <br> DNS:nobody</blockquote><div> </div></div></div></div><br><div 
class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 4 Apr 2019 at 12:57, Davide Belloni <<a href="mailto:davide.belloni@gmail.com">davide.belloni@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">Hi, thanks very much for all the advice!<div dir="auto">To generate the certificate I followed the Squid wiki, which (if I remember correctly) doesn't modify the openssl conf to create it.</div><div dir="auto"><br></div><div dir="auto">Do you have a link to a good howto about that?</div><div dir="auto"><br></div><div dir="auto">Thanks</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 4 Apr 2019 at 12:35, Amos Jeffries <<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 4/04/19 10:11 pm, Davide Belloni wrote:<br>
> Hi,<br>
> I've a problem in Ubuntu 18.04.2 with Squid 4.6 compiled with OpenSSL<br>
> 1.1 about ssl_bump. The same configuration works in Squid 3.5 and<br>
> OpenSSL 1.0<br>
> <br>
> Here the relevant conf :<br>
> <br>
> ...<br>
> http_port 3128 ssl-bump options=ALL:NO_SSLv3 connection-auth=off<br>
> generate-host-certificates=off cert=/etc/squid/squidCA.pem<br>
> <br>
<br>
There are several differences which are relevant here.<br>
<br>
Firstly, the options= setting in v4 is buggy right now.<br>
<br>
Secondly, that "ALL" setting enables a large number of highly unsafe<br>
OpenSSL features. It is not a good idea to use that.<br>
<br>
Thirdly, v4 now checks the contents of that squidCA.pem file and only<br>
loads the actually needed cert/key/chain objects. v3 would load<br>
everything even if the cert properties were forbidden for use by a proxy<br>
or HTTP server.<br>
<br>
<br>
<br>
> # Do not bypass server certificate validation errors<br>
> sslproxy_cert_error deny all<br>
> # This one returns errors with Debian on GCP<br>
> (<a href="https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery" rel="noreferrer noreferrer" target="_blank">https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery</a>)<br>
> host_verify_strict off<br>
<br>
<br>
The above two directives are setting the defaults. It is only a waste of<br>
CPU cycles to configure that in any Squid version. No need to configure<br>
these at all.<br>
<br>
> <br>
> sslproxy_session_cache_size 0<br>
> <br>
> acl step1 at_step SslBump1<br>
> acl step2 at_step SslBump2<br>
> acl step3 at_step SslBump3<br>
> <br>
> ssl_bump peek step1 all<br>
> ssl_bump peek step2 all<br>
> <br>
> # API Google<br>
> acl api_google_urls url_regex<br>
> ^(https?:\/\/)?.*\.googleapis\.com(:443)?($|\/)<br>
> acl api_google_urls url_regex<br>
> ^(https?:\/\/)?.*\.google\.com(:443)?($|\/)<br>
> acl api_google_urls url_regex<br>
> ^(https?:\/\/)?.*\.cloud\.google\.com(:443)?($|\/)<br>
> acl api_google_urls url_regex<br>
> ^(https:\/\/)?([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})<br>
<br>
These regexes are overly complex. These two patterns cover the same set of<br>
URLs:<br>
<br>
acl api_google_urls url_regex \<br>
\.google(apis)?\.com(:443)?($|\/)<br>
^(https:\/\/)?([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})<br>
<br>
<br>
<br>
> acl api_google_ssl ssl::server_name_regex .*\.googleapis\.com<br>
> acl api_google_ssl ssl::server_name_regex .*\.google\.com<br>
> acl api_google_ssl ssl::server_name_regex .*\.cloud\.google\.com<br>
<br>
Same with these ones:<br>
<br>
acl api_google_ssl ssl::server_name_regex \.google(apis)?\.com<br>
<br>
<br>
> acl api_google_ips src 127.0.0.1/32<br>
> <br>
> http_access allow api_google_ips api_google_urls<br>
> ssl_bump splice step3 api_google_ips api_google_ssl<br>
> <br>
> http_access deny all<br>
> ssl_bump terminate step3 all<br>
> ...<br>
> <br>
> <br>
...<br>
<br>
<br>
> <br>
> I'm upgrading to Squid4 with OpenSSL 1.1 because with Squid3 I've some<br>
> connections that get stuck (for example<br>
> <a href="https://packages.cloud.google.com/apt/doc/apt-key.gpg" rel="noreferrer noreferrer" target="_blank">https://packages.cloud.google.com/apt/doc/apt-key.gpg</a>), I think due to<br>
> unsupported ciphers.<br>
> <br>
> But with Squid4 and OpenSSL1.1 I have these lines in the cache log:<br>
> <br>
> 2019/04/04 08:49:15 kid1| ERROR: client https start failed to<br>
> allocate handle: error:140AB043:SSL<br>
> routines:SSL_CTX_use_certificate:passed a null parameter<br>
> <br>
<br>
Check the SquidCA.pem file actually contains a valid X.509 server CA<br>
certificate and matching key.<br>
<br>
<br>
> 2019/04/04 08:49:15 kid1| ERROR: could not create TLS server context<br>
> for local=127.0.0.1:3128<br>
> remote=127.0.0.1:39203 FD 19 flags=1<br>
> <br>
<br>
This must be fixed before any more advanced tests are worth performing.<br>
Their results will be invalid until Squid has an operational TLS context.<br>
<br>
<br>
Amos<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" rel="noreferrer" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><br>Davide Belloni<div><a href="http://about.me/davidebelloni" target="_blank">http://about.me/davidebelloni</a><br></div><div><a href="http://www.linkedin.com/in/davidebelloni" target="_blank">http://www.linkedin.com/in/davidebelloni</a><br></div></div></div>
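<div dir="ltr">Added example (not from this thread or the Squid project): a POSIX shell check that follows Amos's advice to verify that the combined PEM file given to <code>http_port cert=</code> really holds a certificate and a private key that belong together, then prints the extension fields relevant to Squid 4's stricter loading. It assumes the <code>openssl</code> command-line tool is installed and that cert and key sit in one file, as in the posted config.</div>

```shell
#!/bin/sh
# Added example: sanity-check a combined Squid cert+key PEM file
# (for instance /etc/squid/squidCA.pem) before pointing http_port cert= at it.
# Assumes the openssl command-line tool is installed.

# Count PEM objects whose label is exactly $2 in file $1.
pem_count() {
    grep -c "^-----BEGIN $2-----" "$1" || true
}

# Return 0 if the file holds at least one certificate and one private key
# (PKCS#8 "PRIVATE KEY", PKCS#1 "RSA PRIVATE KEY" or SEC1 "EC PRIVATE KEY").
pem_has_cert_and_key() {
    ncert=$(pem_count "$1" 'CERTIFICATE')
    nkey=$(grep -Ec '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1" || true)
    [ "$ncert" -ge 1 ] && [ "$nkey" -ge 1 ]
}

# Return 0 if the public key embedded in the first certificate equals the
# public part of the private key found in the same file. openssl skips PEM
# blocks of other types, so cert and key may appear in any order.
pem_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Full check: structure, key/cert match, then show the extensions that
# decide whether the certificate is usable as a server/CA certificate.
check_squid_pem() {
    pem="$1"
    if ! pem_has_cert_and_key "$pem"; then
        echo "$pem: missing CERTIFICATE or PRIVATE KEY block" >&2
        return 1
    fi
    if ! pem_key_matches_cert "$pem"; then
        echo "$pem: certificate public key does not match the private key" >&2
        return 1
    fi
    openssl x509 -in "$pem" -noout -text \
        | grep -A1 -E 'Basic Constraints|Key Usage|Alternative Name' || true
}
```

<div dir="ltr">Run it as <code>check_squid_pem /etc/squid/squidCA.pem</code>; a non-zero exit means Squid 4 will not find a usable cert/key pair in that file, whatever the rest of the configuration says.</div>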