[squid-users] ssl proxy error: No valid signing SSL certificate configured for https_port [::]:3127

Alan Palmer alanpalmer72 at yahoo.com
Tue Feb 17 13:56:38 UTC 2015


On 2/16/2015 5:45 PM, Amos Jeffries wrote:
> Notice how the port details have changed from IPv4-only to IPv6-only.
> You are using a split-stack OS where each of the IPv4 and IPv6 ports
> needs separate TLS/SSL context. You can set the same settings and load
> the same cert file, just have to place the config separately in
> squid.conf for now:
>
> https_port 0.0.0.0:3127 intercept ssl-bump \
>    generate-host-certificates=on \
>    dynamic_cert_mem_cache_size=16MB \
>    cert=/etc/squid/ssl_cert/server1.crt
>
> https_port [::]:3127 intercept ssl-bump \
>    generate-host-certificates=on \
>    dynamic_cert_mem_cache_size=16MB \
>    cert=/etc/squid/ssl_cert/server1.crt
>
> Amos


openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 -keyout myCA.pem -out myCA.pem

tail -20 squid.conf
http_port 3128 transparent
#
#       transparent SSL proxy setup
#
https_port 0.0.0.0:3127 intercept ssl-bump \
   generate-host-certificates=on \
   dynamic_cert_mem_cache_size=16MB \
   cert=/etc/squid/ssl_cert/JaroszCA.pem

https_port [::]:3127 intercept ssl-bump \
   generate-host-certificates=on \
   dynamic_cert_mem_cache_size=16MB \
   cert=/etc/squid/ssl_cert/JaroszCA.pem

#
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /data/squid/ssl_db -M 16MB
sslcrtd_children 10
always_direct allow all
sslproxy_cert_error allow all
ssl_bump server-first all

/etc/squid: squid -z
FATAL: No valid signing SSL certificate configured for https_port 0.0.0.0:3127
Squid Cache (Version 3.4.11): Terminated abnormally.
CPU Usage: 0.080 seconds = 0.070 user + 0.010 sys
Maximum Resident Size: 6764 KB
Page faults with physical i/o: 0

BUT:

tail -20 squid.conf
http_port 3128 transparent
#
#       transparent SSL proxy setup
#
https_port 127.0.0.1:3127 intercept ssl-bump \
   generate-host-certificates=on \
   dynamic_cert_mem_cache_size=16MB \
   cert=/etc/squid/ssl_cert/JaroszCA.pem

https_port [::1]:3127 intercept ssl-bump \
   generate-host-certificates=on \
   dynamic_cert_mem_cache_size=16MB \
   cert=/etc/squid/ssl_cert/JaroszCA.pem

/etc/squid: squid -z
/etc/squid: 2015/02/17 07:47:03 kid1| Set Current Directory to /var/squid/cache
2015/02/17 07:47:03 kid1| Creating missing swap directories
...

It's not just specifying separate lines for the split stack; using the
non-specific addresses 0.0.0.0 and [::] fails. I had to put a real IP
address, in this case loopback, but using another real interface on my
machine also worked.

Bug/'Feature' in OpenBSD 5.6 implementation or all split stack OSs?

Thanks muchly for the help.

Alan
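As an added pre-flight check (not Squid's own tooling and not code from this thread), the script below reads a squid.conf, joins the backslash-continued https_port lines, and for every ssl-bump listener verifies that a cert= option is present and that the PEM file holds both a certificate and a private key, which is what the FATAL above complains about. It also warns about the wildcard addresses 0.0.0.0 and [::] that the poster found rejected on OpenBSD 5.6; the constructed squid.conf and PEM contents used for testing are invented and carry no real key material.

```bash
#!/bin/bash
# Added example, not Squid's own code. Checks the signing-cert configuration of
# every "https_port ... ssl-bump" listener in a squid.conf before squid -z runs.

# Join backslash-continued lines so each directive becomes one physical line.
join_continuations() {
  awk '/\\[ \t]*$/ { sub(/\\[ \t]*$/, " "); buf = buf $0; next }
       { print buf $0; buf = "" }' "$1"
}

# Print one "ERR: ..." or "WARN: ..." line per finding; return 1 on any ERR.
check_ssl_bump_listeners() {
  conf="$1" errors=0
  tmp=$(mktemp) || return 2
  join_continuations "$conf" | grep -E '^[[:space:]]*https_port[[:space:]]' > "$tmp"
  while read -r directive addr opts; do
    # Only ssl-bump listeners need a signing CA; plain https_port lines are skipped.
    case " $opts " in *" ssl-bump "*) ;; *) continue ;; esac
    case "$addr" in
      0.0.0.0:*|\[::\]:*)
        echo "WARN: $addr is a wildcard address; the thread reports it failing on a split-stack OS, use a concrete address" ;;
    esac
    cert=""
    for opt in $opts; do
      case "$opt" in cert=*) cert="${opt#cert=}" ;; esac
    done
    if [ -z "$cert" ]; then
      echo "ERR: $addr has ssl-bump but no cert= option"; errors=$((errors + 1)); continue
    fi
    if [ ! -r "$cert" ]; then
      echo "ERR: $addr cert file $cert is missing or unreadable"; errors=$((errors + 1)); continue
    fi
    # generate-host-certificates signs with this file, so it must carry the CA cert AND its key
    if ! grep -q 'BEGIN CERTIFICATE' "$cert"; then
      echo "ERR: $addr cert file $cert contains no certificate"; errors=$((errors + 1))
    fi
    if ! grep -qE 'BEGIN (RSA |EC )?PRIVATE KEY' "$cert"; then
      echo "ERR: $addr cert file $cert contains no private key (bundle it or add key=)"; errors=$((errors + 1))
    fi
  done < "$tmp"
  rm -f "$tmp"
  [ "$errors" -eq 0 ]
}
```

The script only checks PEM markers and option presence; it does not validate that the certificate is actually a CA, so still run `squid -k parse` afterwards.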
