[squid-users] sslbump and caching of generated cert

Amos Jeffries squid3 at treenet.co.nz
Tue Jun 30 04:51:51 UTC 2015


On 30/06/2015 5:35 a.m., Alex Wu wrote:
> So far as I know, when sslbump is enabled for a port, for each dns
> name, squid saves a cert generated according to dns name and signing
> key (from http_port configuration). So the next time, the generated
> cert can be fetched if the same dns host and configured signing key.

Signing key is just a validation check on the cert. It has nothing else
to do with the actual cert.

AFAIK generated certs are stored by DN, serial number or hash of the two.

> Now I have a question on this:
> 
> http_port 10045 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/opt/bg/deploy/squid/etc/mydlp/ssl/key_10045.pem cert=/opt/bg/deploy/squid/etc/mydlp/ssl/cert_10045.pem
> http_port 10046 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/opt/bg/deploy/squid/etc/mydlp/ssl/key_10046.pem cert=/opt/bg/deploy/squid/etc/mydlp/ssl/cert_10046.pem
> 
> I have two ports configured with SSLBUMP. Each port has its own CA
> signing key. The desired behavior is that, for the hostname
> www.foo.com, the certificate generated for the port should use
> key_10045, and the certificate generated for the port should use
> key_10046. It seems OK.
> But, if we look at the ssl_db, only the last generated certificate
> is cached for www.foo.com. Is it possible to cache the generated
> certificates by the host and signing key?
> 
> Alex

Not in the current design.

You could assign two workers, each with a different http_port and
ssl_crtd helper using different cert databases.


What is the point of this anyway? Why do you want to make your users
face a constant stream of nasty certificate-changed errors?

Amos
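The two-worker layout Amos suggests, written out as a squid.conf fragment. This is an added example, not configuration from the original thread or from the Squid project: it uses Squid's documented SMP conditional blocks (`if ${process_number} = N ... endif`, Squid 3.2 and later) so that each worker binds one of Alex's ssl-bump ports, signs with that port's CA key, and talks to its own ssl_crtd helper backed by a separate certificate database. The key and cert paths are the ones from Alex's post; the helper location /usr/lib/squid/ssl_crtd and the database directories /var/lib/squid/ssl_db_10045 and /var/lib/squid/ssl_db_10046 are assumptions and vary by distribution and Squid version (Squid 4 renamed the helper to security_file_certgen).

```conf
# Added example: one Squid 3.5 instance, two SMP workers, two SslBump ports.
# Each worker gets its own http_port, CA key and ssl_crtd database, so the
# certificate generated for www.foo.com on port 10045 and the one generated
# on port 10046 live in different databases and never overwrite each other.
# Helper path and /var/lib/squid/ssl_db_* directories are assumed.
workers 2

# SslBump decision rules are shared by both workers; the CA used to sign a
# generated certificate is always the one on the http_port that accepted
# the connection, so nothing here needs to be per worker.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Worker 1: port 10045, CA key_10045, certificate database ssl_db_10045
if ${process_number} = 1
http_port 10045 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/opt/bg/deploy/squid/etc/mydlp/ssl/key_10045.pem cert=/opt/bg/deploy/squid/etc/mydlp/ssl/cert_10045.pem
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db_10045 -M 4MB
endif

# Worker 2: port 10046, CA key_10046, certificate database ssl_db_10046
if ${process_number} = 2
http_port 10046 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/opt/bg/deploy/squid/etc/mydlp/ssl/key_10046.pem cert=/opt/bg/deploy/squid/etc/mydlp/ssl/cert_10046.pem
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db_10046 -M 4MB
endif

# Keep the helper pool small; one helper per worker is enough to start.
sslcrtd_children 5 startup=1 idle=1
```

Each database must exist before Squid starts, created once per directory with the helper itself (for the assumed paths: `/usr/lib/squid/ssl_crtd -c -s /var/lib/squid/ssl_db_10045 -M 4MB`, and again for ssl_db_10046) and owned by the user Squid runs as. Amos's objection still applies: a client that reaches www.foo.com through both ports will see certificates from two different issuers, so every client must trust both CAs, and anything that pins the issuer will break on the second port.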

