[squid-users] Squid 3.4.10 and sslcrtd

Amos Jeffries squid3 at treenet.co.nz
Mon May 18 12:28:23 UTC 2015


On 18/05/2015 11:23 p.m., Veiko Kukk wrote:
> Hi
> 
> I'd like to know if I understand Squid documentation properly.
> I have following http_port and sslbump configuration:
> 
> http_port 127.0.0.1:3128 ssl-bump generate-host-certificates=off cert=/var/spool/squid/ssl_cert/squid_ca.pem
> ssl_bump server-first all
> 
> From documentation:
> generate-host-certificates[=<on|off>]
> Dynamically create SSL server certificates for the destination hosts of
> bumped CONNECT requests. When enabled, the cert and key options are used
> to sign generated certificates. Otherwise generated certificate will be
> selfsigned.
> 
> I guess that means, if generate-host-certificates=off, there is no need
> for sslcrtd_program. Do I understand this correctly?

Good question. The answer is yes.

> 
> Why does it still need sslcrtd_program? Note that the error message
> "WARNING: ssl_crtd #Hlpr0 exited" is misleading, because currently all
> sslcrtd related configuration options are commented out and none of the
> ssl_crtd processes are started.

Having a directive commented out means the default value for it is used.
There is a default helper built by --enable-ssl-crtd that gets used
unless you specify otherwise.

Currently Squid is not detecting that the helper is unused, so it checks
for its existence and attempts to run some. Some other helpers also have
this problem.

The workaround is to also explicitly configure:
 sslcrtd_children 0

Amos
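As an added example (not part of the thread above, and not Squid's own tooling), the following shell check audits a squid.conf for the exact situation Amos describes: an ssl-bump port with generate-host-certificates=off that has not also been given the explicit `sslcrtd_children 0` workaround, so Squid would still try to start the default ssl_crtd helper. The sample configurations it writes are constructed for the demonstration; only the directives quoted in the thread are used.

```shell
#!/bin/sh
# Added example: audit squid.conf for an ssl-bump port that disables dynamic
# certificate generation but lacks the "sslcrtd_children 0" workaround.
# Return codes: 0 = workaround present, 1 = workaround missing, 2 = not applicable.
check_sslcrtd_workaround() {
    conf="$1"
    # Count active (uncommented) ssl-bump listening ports with generation off.
    off_ports=$(grep -E '^[[:space:]]*https?_port[[:space:]].*ssl-bump' "$conf" \
                | grep -c 'generate-host-certificates=off' || true)
    [ "$off_ports" -gt 0 ] || return 2
    # A commented-out directive still yields the compiled-in default, so only
    # an uncommented "sslcrtd_children 0" counts as the workaround.
    if grep -Eq '^[[:space:]]*sslcrtd_children[[:space:]]+0([[:space:]]|$)' "$conf"; then
        return 0
    fi
    echo "WARNING: $conf: $off_ports ssl-bump port(s) have generate-host-certificates=off" \
         "but 'sslcrtd_children 0' is not set; Squid will still try to run ssl_crtd" >&2
    return 1
}

# Constructed sample configurations (paths and the commented value are illustrative).
WORK_DIR=$(mktemp -d)
BAD_CONF="$WORK_DIR/squid-missing-workaround.conf"
GOOD_CONF="$WORK_DIR/squid-with-workaround.conf"
NA_CONF="$WORK_DIR/squid-generation-on.conf"
cat > "$BAD_CONF" <<'EOF'
http_port 127.0.0.1:3128 ssl-bump generate-host-certificates=off cert=/var/spool/squid/ssl_cert/squid_ca.pem
ssl_bump server-first all
# sslcrtd_children 5
EOF
# Same config plus the explicit workaround from the reply above.
{ cat "$BAD_CONF"; echo "sslcrtd_children 0"; } > "$GOOD_CONF"
# Same config with generation enabled, where the helper really is needed.
sed 's/generate-host-certificates=off/generate-host-certificates=on/' "$BAD_CONF" > "$NA_CONF"

for f in "$BAD_CONF" "$GOOD_CONF" "$NA_CONF"; do
    if check_sslcrtd_workaround "$f"; then echo "OK: $f"; else echo "rc=$? for $f"; fi
done
```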
