[squid-users] ***SPAM*** Re: Random SSL bump DB corruption
Stakres
vdoctor at neuf.fr
Thu Apr 9 14:14:35 UTC 2015
Yuri,
We're trying that:
- Tproxy
- ssl_bump bump all
does not work.
We have followed the squid wiki regarding iptables rules, sysctl, etc.
Instead of "ssl_bump bump all", if we use "ssl_bump server-first all", it works, the https is decrypted.
So is tproxy compatible with the new squid 3.5.x ssl_bump options?
Bye Fred
From: Yuri Voinov [via Squid Web Proxy Cache]
Sent: Thursday 9 April 2015 15:03
To: Stakres
Subject: Re: ***SPAM*** Re: Random SSL bump DB corruption
I think first you can try the new stage-based SSL bump with 3.5.x. To do that you must identify the problem sites.
If there are no results, you can simply bypass the problem sites without bump.
A whole server-first bump, on Squid 3.5.x especially, is not so good an idea, I think. Especially on provider-level proxies.
On 09.04.15 19:09, Vdoctor wrote:
> Yuri,
>
> So what's next?
>
> Do you mean we must "do-not-ssl-bump" wrong certificates?
>
> And if a certificate not yet identified is requested by a user, it'll crash the Squid?
>
> Any idea how to fix that issue?
>
> Thanks in advance.
>
> Bye Fred
>
> From: Yuri Voinov [[hidden email]]
> Sent: Thursday 9 April 2015 15:04
> To: Vdoctor; [hidden email]
> Subject: Re: ***SPAM*** Re: [squid-users] Random SSL bump DB corruption
>
> - From my experience, it may occur as a result of forming a fake certificate of zero length (in the case where Squid cannot complete its formation for any reason).
>
> In turn, the formation of such a certificate occurs in particular due to some error in the Squid code or in the characteristics of the server certificate. In particular, one of these servers is iTunes.
>
> On 09.04.15 19:00, Vdoctor wrote:
> > Yury,
> >
> > I checked the source code (3.4/3.5) of ssl_crtd, the default size is 2048.
> >
> > "-b fs_block_size  File system block size in bytes. Need for processing natural size of certificate on disk. Default value is 2048 bytes."
> >
> > /**
> >  \ingroup ssl_crtd
> >  * This is the external ssl_crtd process.
> >  */
> > int main(int argc, char *argv[])
> > {
> >     try {
> >         size_t max_db_size = 0;
> >         size_t fs_block_size = 2048;
> >
> > But the crazy thing is that the index.txt (last line) is wrong, not complete. It seems the tool writes/saves wrong data, that's why it becomes corrupted and crashes the Squid.
> >
> > We have tried with a single ssl_crtd in the squid.conf, then one per worker, the same corruption.
> >
> > Bye Fred
> >
> > -----Original Message-----
> > From: squid-users [[hidden email]] On behalf of Yuri Voinov
> > Sent: Thursday 9 April 2015 14:52
> > To: [hidden email]
> > Subject: ***SPAM*** Re: [squid-users] Random SSL bump DB corruption
> >
> > Don't think this is critical. What is the native fs block size?
> >
> > On 09.04.15 13:29, Stakres wrote:
> > > Hi Yuri,
> > >
> > > We have checked the sslproxy_capath, all certs updated.
> > > OpenSSL is: OpenSSL 1.0.1e 11 Feb 2013 (Debian 7.8)
> > >
> > > Additional point, the self-signed cert is a 1024, could it be the problem?
> > > Maybe we need to use the ssl_crtd with the option "-b 1024", what do you think?
> > >
> > > example of corrupted db:
> > > *V 250402155004Z 7307E4A4E7FC6483C2B1D533821A7D2356DF1B88 unknown /CN=r2---sn-q4f7sn7z.googlevideo.com+Sign=signTrusted+SignHash=SHA256
> > > V 250402155004Z 2D1FC87E26AC4D8AB1E6F3B45E2C69EB36C7F8D3 unknown /CN=seal.verisign.com+Sign=signTrusted+SignHash=SHA256
> > > 6
> > > *
> > >
> > > the squid crashes when the index.txt becomes wrong... weird...
> > >
> > > Bye Fred
> > >
> > > --
> > > View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Random-SSL-bump-DB-corruption-tp4670289p4670656.html
> > > Sent from the Squid - Users mailing list archive at Nabble.com.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Random-SSL-bump-DB-corruption-tp4670289p4670663.html
Sent from the Squid - Users mailing list archive at Nabble.com.
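The corrupted index.txt dump quoted in the thread (two well-formed records followed by the stray "6" and "*" fragments) is exactly the kind of damage worth detecting before Squid loads the ssl_crtd DB and crashes. The following checker is an added example, not code from this thread or from the Squid project. It assumes ssl_crtd keeps its DB in the OpenSSL "ca" index.txt layout (six tab-separated columns: status, expiry, revocation date, serial, filename, subject DN); the sample input is constructed from the records posted above, and the names check_record, check_index and SAMPLE_INDEX are the example's own.

```python
#!/usr/bin/env python3
"""Sanity-check an ssl_crtd index.txt before Squid tries to load it.

Assumption: ssl_crtd keeps its certificate DB in the OpenSSL 'ca' index.txt
layout, six tab-separated columns per record:
    status  expiry  revocation_date  serial  filename  subject
"""
import re
import sys

EXPECTED_FIELDS = 6
DATE_RE = re.compile(r"^\d{12}Z$")          # YYMMDDHHMMSSZ, e.g. 250402155004Z
SERIAL_RE = re.compile(r"^[0-9A-Fa-f]+$")   # hex serial number
VALID_STATUS = ("V", "R", "E")              # valid / revoked / expired

# Constructed sample modelled on the dump in the thread: two well-formed
# records followed by the truncated tail ("6" and "*") that broke the DB.
SAMPLE_INDEX = (
    "V\t250402155004Z\t\t7307E4A4E7FC6483C2B1D533821A7D2356DF1B88\tunknown\t"
    "/CN=r2---sn-q4f7sn7z.googlevideo.com+Sign=signTrusted+SignHash=SHA256\n"
    "V\t250402155004Z\t\t2D1FC87E26AC4D8AB1E6F3B45E2C69EB36C7F8D3\tunknown\t"
    "/CN=seal.verisign.com+Sign=signTrusted+SignHash=SHA256\n"
    "6\n"
    "*\n"
)


def check_record(line):
    """Return the list of problems in one record (empty list if well-formed)."""
    fields = line.split("\t")
    if len(fields) != EXPECTED_FIELDS:
        # A partial write leaves a short line; this is the usual corruption.
        return ["expected %d tab-separated fields, got %d"
                % (EXPECTED_FIELDS, len(fields))]
    status, expiry, revoked, serial, fname, subject = fields
    problems = []
    if status not in VALID_STATUS:
        problems.append("bad status %r" % status)
    if not DATE_RE.match(expiry):
        problems.append("bad expiry %r" % expiry)
    if status == "R" and not DATE_RE.match(revoked):
        problems.append("revoked record without revocation date")
    if status != "R" and revoked != "":
        problems.append("revocation date on non-revoked record")
    if not SERIAL_RE.match(serial):
        problems.append("bad serial %r" % serial)
    if not subject.startswith("/"):
        problems.append("subject is not a DN: %r" % subject)
    return problems


def check_index(text):
    """Validate a whole index.txt.

    Returns (good_count, duplicates, bad): bad is a list of
    (line_number, raw_line, problems); duplicates is the set of serials
    that appear on more than one well-formed record.
    """
    good = 0
    bad = []
    seen = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line == "":
            continue
        problems = check_record(line)
        if problems:
            bad.append((lineno, line, problems))
            continue
        good += 1
        serial = line.split("\t")[3].upper()
        seen[serial] = seen.get(serial, 0) + 1
    duplicates = {s for s, n in seen.items() if n > 1}
    return good, duplicates, bad


def main(argv):
    if len(argv) == 2:
        with open(argv[1], "r") as fh:
            text = fh.read()
    else:
        text = SAMPLE_INDEX   # no path given: run on the constructed sample
    good, duplicates, bad = check_index(text)
    print("well-formed records: %d" % good)
    for serial in sorted(duplicates):
        print("duplicate serial: %s" % serial)
    for lineno, line, problems in bad:
        print("line %d malformed: %r" % (lineno, line))
        for p in problems:
            print("    %s" % p)
    return 1 if (bad or duplicates) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the live DB while Squid is stopped (for example `python3 check_index.py /var/lib/ssl_db/index.txt`). A non-zero exit means a malformed or duplicated record; the safe recovery is to move the DB directory aside and re-create it with `ssl_crtd -c -s <dir>` rather than hand-editing index.txt, since the on-disk .pem files and the size accounting must stay in step with the index.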