[squid-users] ***SPAM*** Re: Random SSL bump DB corruption
Vdoctor
vdoctor at neuf.fr
Thu Apr 9 13:09:40 UTC 2015
Yuri,
So what’s next?
Do you mean we must “do-not-ssl-bump” wrong certificates?
And if a certificate not yet identified is requested by a user it’ll crash the Squid?
Any idea how to fix that issue?
Thanks in advance.
Bye Fred
From: Yuri Voinov [mailto:yvoinov at gmail.com]
Sent: Thursday, April 9, 2015 15:04
To: Vdoctor; squid-users at lists.squid-cache.org
Subject: Re: ***SPAM*** Re: [squid-users] Random SSL bump DB corruption
From my experience, it may occur as a result of forming a zero-length fake certificate (in the case where Squid cannot complete its formation for any reason).
In turn, the formation of such a certificate occurs in particular due to any error in the code of the SQUID characteristics or if server certificate. In particular, one of these servers is iTunes.
09.04.15 19:00, Vdoctor wrote:
> Yury,
>
> I checked the source code (3.4/3.5) ssl_crtd, the default size is 2048.
> -b fs_block_size File system block size in bytes. Need for processing
> natural size of certificate on disk. Default value is 2048 bytes."
>
> /**
> \ingroup ssl_crtd
> * This is the external ssl_crtd process.
> */
> int main(int argc, char *argv[])
> {
> try {
> size_t max_db_size = 0;
> size_t fs_block_size = 2048;
>
>
> But the crazy thing is the index.txt (last line) is wrong, not complete. It seems the tool writes/saves wrong data, that's why it becomes corrupted and crashes the Squid.
>
> We have tried with a single ssl_crtd in the squid.conf, then one per worker, the same corruption.
>
> Bye Fred
>
> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Yuri Voinov
> Sent: Thursday, April 9, 2015 14:52
> To: squid-users at lists.squid-cache.org
> Subject: ***SPAM*** Re: [squid-users] Random SSL bump DB corruption
>
>
> Don't think this is critical. What is native fs block size?
>
> 09.04.15 13:29, Stakres wrote:
> > Hi Yuri,
>
> > We have checked the sslproxy_capath, all certificates updated.
> > OpenSSL is: OpenSSL 1.0.1e 11 Feb 2013 (Debian 7.8)
>
> > Additional point, the auto-signed certificate is a 1024, could it be the problem?
> > Maybe we need to use the ssl_crtd with the option "-b 1024"
> > what do you think?
>
> > example of corrupted db:
> > *V 250402155004Z 7307E4A4E7FC6483C2B1D533821A7D2356DF1B88 unknown /CN=r2---sn-q4f7sn7z.googlevideo.com+Sign=signTrusted+SignHash=SHA256
> > V 250402155004Z 2D1FC87E26AC4D8AB1E6F3B45E2C69EB36C7F8D3 unknown /CN=seal.verisign.com+Sign=signTrusted+SignHash=SHA256
> > 6
> > *
>
> > the squid crashes when the index.txt becomes wrong... weird...
>
> > Bye Fred
>
>
>
> > --
> > View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Random-SSL-bump-DB-corruption-tp4670289p4670656.html
> > Sent from the Squid - Users mailing list archive at Nabble.com.
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
>
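An added example, not part of the original messages and not Squid's own code: a Python check that flags the kind of truncated last row shown in the quoted index.txt. It assumes the six-column, tab-separated OpenSSL TXT_DB layout for the ssl_crtd index; `check_index` and `SAMPLE_INDEX` are hypothetical names, and the sample is constructed from the rows quoted in the thread.

```python
import re

# Constructed sample: the two rows and the truncated last line quoted in the
# thread, in the assumed tab-separated layout
# (status, expiry, revocation date, serial, file, subject).
SAMPLE_INDEX = (
    "V\t250402155004Z\t\t7307E4A4E7FC6483C2B1D533821A7D2356DF1B88\tunknown\t"
    "/CN=r2---sn-q4f7sn7z.googlevideo.com+Sign=signTrusted+SignHash=SHA256\n"
    "V\t250402155004Z\t\t2D1FC87E26AC4D8AB1E6F3B45E2C69EB36C7F8D3\tunknown\t"
    "/CN=seal.verisign.com+Sign=signTrusted+SignHash=SHA256\n"
    "6"
)

EXPIRY_RE = re.compile(r"^\d{12}(\d{2})?Z$")  # UTCTime or GeneralizedTime
SERIAL_RE = re.compile(r"^[0-9A-Fa-f]+$")     # hex-encoded serial number


def check_index(text):
    """Return a list of (line_number, problem) for every malformed row."""
    problems = []
    lines = text.split("\n")
    # A healthy file ends with "\n", so the final split element is empty.
    if lines[-1] != "":
        problems.append((len(lines), "last row not newline-terminated (partial write)"))
    else:
        lines.pop()
    seen = set()
    for no, line in enumerate(lines, start=1):
        fields = line.split("\t")
        if len(fields) != 6:
            problems.append((no, "expected 6 fields, found %d" % len(fields)))
            continue
        status, expiry, _revoked, serial, _file, subject = fields
        if status not in ("V", "R", "E"):  # valid, revoked, expired
            problems.append((no, "unknown status %r" % status))
        if not EXPIRY_RE.match(expiry):
            problems.append((no, "bad expiry %r" % expiry))
        if not SERIAL_RE.match(serial):
            problems.append((no, "bad serial %r" % serial))
        elif serial in seen:
            problems.append((no, "duplicate serial %s" % serial))
        seen.add(serial)
        if not subject.startswith("/"):
            problems.append((no, "bad subject %r" % subject))
    return problems


if __name__ == "__main__":
    for no, problem in check_index(SAMPLE_INDEX):
        print("index.txt line %d: %s" % (no, problem))
```
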