[squid-users] sslbump and caching of generated cert

Alex Wu alex_wu2012 at hotmail.com
Tue Jun 30 17:08:18 UTC 2015


/*
You could assign two workers, each with a different http_port and
ssl_crtd helper using different cert databases.

*/

How do I do this? It sounds like it might meet our need.

The reason is that we assign one port for internal use, so we can use a cheap CA (a self-generated CA);
for the collaboration we use a different port, which may need a different CA.

THX

Alex

> Date: Tue, 30 Jun 2015 16:51:51 +1200
> From: squid3 at treenet.co.nz
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] sslbump and caching of generated cert
> 
> On 30/06/2015 5:35 a.m., Alex Wu wrote:
> > So far as I know, when sslbump is enabled for a port, for each dns
> > name, squid saves a cert generated according to the dns name and signing
> > key (from the http_port configuration). So the next time, the generated
> > cert can be fetched if it has the same dns host and configured signing key.
> 
> Signing key is just a validation check on the cert. It has nothing else
> to do with the actual cert.
> 
> AFAIK generated certs are stored by DN, serial number or hash of the two.
> 
> > Now I have a question on this:
> > 
> > http_port 10045 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/opt/bg/deploy/squid/etc/mydlp/ssl/key_10045.pem cert=/opt/bg/deploy/squid/etc/mydlp/ssl/cert_10045.pem
> > 
> > http_port 10046 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/opt/bg/deploy/squid/etc/mydlp/ssl/key_10046.pem cert=/opt/bg/deploy/squid/etc/mydlp/ssl/cert_10046.pem
> > 
> > I have two ports configured with SSLBUMP. Each port has its own CA
> > signing key. The desired behavior is that, for the hostname
> > www.foo.com, the certificate generated for port 10045 should use
> > key_10045, and the certificate generated for port 10046 should use
> > key_10046. It seems OK. But, if we look at the ssl_db, only the last
> > generated certificate is cached for www.foo.com. Is it possible to
> > cache the generated certificates by the host and signing key?
> > 
> > Alex
> 
> Not in the current design.
> 
> You could assign two workers, each with a different http_port and
> ssl_crtd helper using different cert databases.
> 
> 
> What is the point of this anyway? Why do you want to make your users
> face a constant stream of nasty certificate-changed errors?
> 
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
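As an added illustration of the two-worker layout Amos suggests (this is not configuration from the thread or from the Squid project; the worker numbers, the ssl_db paths under /var/lib/squid, the helper path and the Squid 3.5 ssl_bump syntax are assumptions), the squid.conf fragment below gives each http_port its own worker and its own ssl_crtd database, so the two certificates generated for www.foo.com never share a cache entry:

```conf
# Added example (not from the thread): one SMP worker per ssl-bump port,
# each with its own ssl_crtd helper and certificate database.
# Assumed: Squid 3.5 syntax, helper at /usr/lib/squid/ssl_crtd,
# databases under /var/lib/squid/. Initialise each database once
# before starting Squid, as the squid runtime user:
#   ssl_crtd -c -s /var/lib/squid/ssl_db_10045
#   ssl_crtd -c -s /var/lib/squid/ssl_db_10046

workers 2

# Worker 1 opens only the internal port and signs with the self-generated CA.
# An http_port placed inside "if ${process_number}" is bound by that worker only.
if ${process_number} = 1
http_port 10045 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/opt/bg/deploy/squid/etc/mydlp/ssl/key_10045.pem cert=/opt/bg/deploy/squid/etc/mydlp/ssl/cert_10045.pem
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db_10045 -M 4MB
endif

# Worker 2 opens only the collaboration port and signs with the second CA.
if ${process_number} = 2
http_port 10046 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/opt/bg/deploy/squid/etc/mydlp/ssl/key_10046.pem cert=/opt/bg/deploy/squid/etc/mydlp/ssl/cert_10046.pem
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db_10046 -M 4MB
endif

# Shared by both workers: helper pool size and the bumping policy.
sslcrtd_children 5
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
```

Everything outside the two `if` blocks applies to both workers, so the http_access and ssl_bump policy stays in one place; only the listening port, the signing CA and the on-disk database differ per worker. The operational caveat that follows from Amos' closing remark still holds: each client population must trust exactly the CA that signs the port it uses, and a client that switches ports will see a certificate for the same site signed by a different CA, which looks like the certificate-changed warning he describes.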