[squid-users] ssl_crtd breaks after short time

Klavs Klavsen kl at vsen.dk
Thu Jun 4 13:39:43 UTC 2015


I tried this:
http_access allow CONNECT testurls testsrv1

But that doesn't work.

Klavs Klavsen wrote on 06/04/2015 03:20 PM:
> Hi,
>
> I added the bumpedports - and now traffic works and is allowed.. but it
> allows everything on https.. :(
>
> Log says:
> 10.xx.130.50 - - [04/Jun/2015:15:16:07 +0200] "CONNECT 72.51.34.34:443
> HTTP/1.1" lwn.net - 200 28189 TCP_TUNNEL:ORIGINAL_DST peek
>
> so it doesn't seem to check the http_access lines for testsrv1.
>
> My config as it is now:
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7       # RFC 4193 local private network range
> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
>
> #only contains one ip range - which I'm not accessing
> #I don't quite understand what the purpose of this "broken" thing
> # is and what it does :(
> acl broken dst "/etc/squid/broken.txt"
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
>
> ssl_bump peek step1 broken
> ssl_bump peek step2 broken
> ssl_bump splice broken
> ssl_bump peek step1 all
> ssl_bump peek step2 all
> ssl_bump bump all
>
> sslproxy_capath /etc/ssl/certs
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> # user-defined ACLs
> acl okweb-urls url_regex ^http://www.youtube.com/ ^http://vimeo.com/api/oembed.json$ ^https://www.google.com/accounts/ClientLogin$ ^https://www.googleapis.com/analytics/
> acl testurls url_regex ^http://www.dr.dk/$ ^https://www.google.dk/$
> acl testbox src 10.xx.138.168
> acl testsrv1 src 10.xx.130.50
>
> acl bumpedPorts myportname 3129
> acl bumpedPorts myportname 3130
> http_access allow CONNECT bumpedPorts
>
> http_access allow testurls testbox
> http_access allow testurls testsrv1
> http_access allow okweb-urls testsrv1
> http_access deny all
>
> http_port 3128
> coredump_dir                   /var/spool/squid
> maximum_object_size_in_memory  512 KB
> maximum_object_size            4096 KB
> ignore_expect_100              off
> cache_mgr                      root
> client_persistent_connections  on
> server_persistent_connections  on
>
> # user-defined configuration settings from config_hash
> ssl_bump                       server-first all
> sslcrtd_children               8 startup=1 idle=1
> sslcrtd_program                /usr/lib64/squid/ssl_crtd -s /etc/ssl/certs/cache/ -M 4MB
> https_port                     3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ca.cert cafile=/etc/squid/ca.cert key=/etc/squid/ca.private sslflags=NO_SESSION_REUSE
> http_port                      3129 intercept
>
> logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %ssl::>cert_subject %>Hs %<st %Ss:%Sh %ssl::bump_mode
>
> access_log /var/log/squid/access.log mine
>
>
> Amos Jeffries wrote on 06/02/2015 05:05 PM:
>> On 3/06/2015 2:46 a.m., Klavs Klavsen wrote:
>>> Amos Jeffries wrote on 06/02/2015 04:10 PM:
>>>> On 3/06/2015 1:45 a.m., Klavs Klavsen wrote:
>>>>> Thank you Amos.
>>>>>
>>>>> I'll build 3.5.5 then..
>>>>>
>>>>> any config changes I need to be aware of?
>>>>
>>>> --with-openssl instead of --enable-ssl is the only one that comes to
>>>> mind right now. The release notes for 3.4 and 3.5 have the lists.
>>>>
>>>
>>> I borrowed the spec from fedora 23.. :)
>>>
>>> After installing 3.5.5 instead - it now complains when trying to issue
>>> certificate :(
>>>
>>> squid cache log says:
>>> Error negotiating SSL connection on FD 10: error:14094412:SSL
>>> routines:SSL3_READ_BYTES:sslv3 alert bad certificate
>>>
>>> client gets:
>>> curl: (51) SSL: certificate subject name '64.233.184.103' does not match
>>> target host name 'www.google.com'
>>>
>>> any hints for tests I can do, to figure out the problem would be very
>>> much appreciated :)
>>
>> James Lay has just done some good investigations in his "SSL-bump deep
>> dive" thread(s). Compare what he came up with to your config
>>
>> Amos
>>
>
>


-- 
Regards,
Klavs Klavsen, GSEC - kl at vsen.dk - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
   --Henry Spencer
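Added illustration, not from the thread or from Squid's own code: a small Python model of Squid's first-match http_access evaluation, fed the ACLs, rule order and the logged CONNECT request from the posted config. It shows why `http_access allow CONNECT bumpedPorts` decides the request before the testurls line is ever consulted, and why a url_regex for `https://www.google.dk/` cannot match an intercepted CONNECT whose URI is the original destination `72.51.34.34:443`. The Request class and rule tuples are a constructed simplification; the manager and Safe_ports lines are omitted because they do not match this request.

```python
import re
from dataclasses import dataclass

@dataclass
class Request:
    """Constructed model of what Squid knows about a request when http_access runs."""
    src: str         # client address
    method: str      # request method
    url: str         # request URI; for an intercepted CONNECT this is the original dst ip:port
    myportname: str  # http(s)_port the request arrived on (defaults to the port spec)

# ACLs copied from the posted squid.conf; 10.xx is the poster's own masked address.
ACLS = {
    "CONNECT":     ("method",     ["CONNECT"]),
    "bumpedPorts": ("myportname", ["3129", "3130"]),
    "testurls":    ("url_regex",  [r"^http://www.dr.dk/$", r"^https://www.google.dk/$"]),
    "testsrv1":    ("src",        ["10.xx.130.50"]),
    "all":         ("all",        []),
}

def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "all":
        return True
    if kind == "url_regex":
        return any(re.search(v, req.url) for v in values)
    return getattr(req, kind) in values

def http_access(rules, req):
    """Squid's first-match rule: ACLs on one line are ANDed; the first line whose
    ACLs all match decides and later lines are never consulted. If no line
    matches, the default is the opposite of the last line's action."""
    for lineno, (action, acls) in enumerate(rules, 1):
        if all(acl_matches(a, req) for a in acls):
            return action, lineno
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

# The lines that decide the CONNECT in the posted config, in the posted order.
POSTED = [("allow", ["CONNECT", "bumpedPorts"]),
          ("allow", ["testurls", "testsrv1"]),
          ("deny",  ["all"])]
# The same list with the replacement line the poster tried.
ATTEMPTED = [("allow", ["CONNECT", "testurls", "testsrv1"]),
             ("allow", ["testurls", "testsrv1"]),
             ("deny",  ["all"])]

# The request from the access.log line: CONNECT 72.51.34.34:443 from 10.xx.130.50 on port 3130.
LOGGED_CONNECT = Request("10.xx.130.50", "CONNECT", "72.51.34.34:443", "3130")

if __name__ == "__main__":
    print(http_access(POSTED, LOGGED_CONNECT))     # ('allow', 1): decided before testurls is checked
    print(http_access(ATTEMPTED, LOGGED_CONNECT))  # ('deny', 3): url_regex never matches an ip:port URI
```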


