[squid-users] Configuring the sslbump

sven falempin sven.falempin at gmail.com
Fri Dec 5 22:19:09 UTC 2014


Hello Squid,

I am trying the sslBump and just following the doc; I also tried some
random tutorials on the web that mostly look like copy-pasta of the wiki.
All I get is a FATAL...

2014/12/05 17:07:24.472| src/ssl/support.cc(1584)
readSslX509CertificatesChain: Certificate is self-signed, will not
 be chained
2014/12/05 17:07:24.500| src/ssl/support.cc(1446) contextMethod: Using
SSLv2/SSLv3.
2014/12/05 17:07:24.500| src/ssl/support.cc(857) configureSslContext:
Setting RSA key generation callback.
2014/12/05 17:07:24.500| src/ssl/support.cc(860) configureSslContext:
Setting CA certificate locations.
2014/12/05 17:07:24.505| src/ssl/support.cc(903) configureSslContext: Not
requiring any client certificates
2014/12/05 17:07:24.505| Initializing https_port 0.0.0.0:3129 SSL context
2014/12/05 17:07:24.505| src/tools.cc(564) leave_suid: leave_suid: PID
10872 called
2014/12/05 17:07:24.505| src/tools.cc(586) leave_suid: leave_suid: PID
10872 giving up root, becoming '_squid'
FATAL: No valid signing SSL certificate configured for HTTPS_port
0.0.0.0:3129
Squid Cache (Version 3.HEAD-20140626-r13480): Terminated abnormally.

My certificates are all right:
2014/12/05 17:07:24.505| Initializing https_port 0.0.0.0:3129 SSL context
but suddenly they aren't? Does it recheck them or something?

The only non-logged code I see is this one:

    if (!pkey || !cert || !X509_check_private_key(cert.get(), pkey.get())) {
        pkey.reset(NULL);
        cert.reset(NULL);
    }

But I swear I followed the doc and created the certificate normally.

Is there a particular CN to use?
Shall I emit a self-signed root and then another certificate for the proxy?
Or is this error not related at all to the certificate on the sslbump
lines?

Conf:
# Squid normally listens to port 3128
http_port 3128
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=2MB cert=/etc/squid/squid-proxy.crt key=/etc/squid/squid-proxy.key

# don't forget ssl_crtd -c -s /var/db/squid/ssl when setting up
always_direct allow all
ssl_bump client-first  all
sslproxy_cert_error allow all
# Or may be deny all according to your company policy
# sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/local/bin/ssl_crtd -s /var/db/squid/ssl -M 2MB
sslcrtd_children 5


Info:
 # ls /var/db/squid/ssl
 certs     index.txt size


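A diagnostic for the FATAL above, added here as an example (not code from the original post or from Squid): it repeats with the openssl CLI the cert/key match test Squid performs through X509_check_private_key(), and additionally checks that the certificate is a CA, which generate-host-certificates=on needs in order to mint per-host certificates. The helper name is hypothetical; the demo CA it generates is constructed, and the file names follow the post's config.

```shell
#!/bin/sh
# Hypothetical helper (not part of Squid): returns 0 when CERT and KEY both
# parse, the key matches the certificate, and the certificate is a CA.
squid_signing_cert_ok() {
    cert="$1"; key="$2"
    openssl x509 -in "$cert" -noout 2>/dev/null || { echo "cannot parse cert: $cert"; return 1; }
    openssl pkey -in "$key" -noout 2>/dev/null  || { echo "cannot parse key: $key"; return 1; }
    # Same condition as X509_check_private_key(): the public key embedded in
    # the certificate must equal the public key derived from the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || { echo "cert/key mismatch: $cert vs $key"; return 1; }
    # ssl_crtd signs the generated host certificates with this cert, so it
    # must carry the basicConstraints CA:TRUE extension.
    openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || { echo "not a CA cert: $cert"; return 1; }
    echo "ok: $cert is a usable signing cert for $key"
}

# Constructed demo material: a throwaway self-signed CA pair named like the
# files in the post, plus an unrelated key to show the mismatch case.
make_demo_material() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Squid demo CA" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -keyout "$dir/squid-proxy.key" -out "$dir/squid-proxy.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -out "$dir/other.key" 2>/dev/null
    echo "$dir"
}

DEMO_DIR=$(make_demo_material)
squid_signing_cert_ok "$DEMO_DIR/squid-proxy.crt" "$DEMO_DIR/squid-proxy.key"
squid_signing_cert_ok "$DEMO_DIR/squid-proxy.crt" "$DEMO_DIR/other.key" || echo "(expected failure: wrong key)"
```

Run it against the real cert= and key= paths from the https_port line; a mismatch or a non-CA certificate is exactly what makes Squid drop both and report no valid signing certificate.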