[squid-users] can anyone see why this ssl-bump config causes squid to crash?
Jason Haar
Jason_Haar at trimble.com
Fri May 29 23:36:35 UTC 2015
Hi there
I've got a working ssl-bump config that nevertheless causes squid-3.5.XX
(tried them all) to crash (FATAL: Received Segment Violation...dying)
every few minutes (on both Ubuntu and CentOS) - so something must be
wrong with it. Can someone see what I've done wrong? I have reported
this as a bug (http://bugs.squid-cache.org/show_bug.cgi?id=3556) but as
others appear to be working fine, I'm guessing I'm doing something
slightly differently
I have stripped my config back to only peeking and splicing - no bumping
- and yet it still crashes. If I disable the peeking, the problem goes away
http_port 3128 ssl-bump cert=/usr/local/squid/etc/squidCA.cert
capath=/etc/ssl/certs/ generate-host-certificates=on
dynamic_cert_mem_cache_size=256MB options=ALL
https_port 3129 intercept ssl-bump
cert=/usr/local/squid/etc/squidCA.cert capath=/etc/ssl/certs/
generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL
acl SSL_https port 443
ssl_bump splice !SSL_https
acl HTTPSportButNotHTTPSsites dstdom_regex -i
"/etc/squid/acl-HTTPSportButNotHTTPSsites.txt"
acl NoSSLIntercept ssl::server_name_regex -i
"/etc/squid/acl-NoSSLIntercept.txt"
acl DiscoverCONNECTHost at_step SslBump1
acl DiscoverSNIHost at_step SslBump2
ssl_bump peek DiscoverCONNECTHost SSL_https
ssl_bump splice HTTPSportButNotHTTPSsites
ssl_bump splice NoSSLIntercept
ssl_bump splice all
sslproxy_cert_error allow HTTPSportButNotHTTPSsites
sslproxy_cert_error allow all
--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
More information about the squid-users
mailing list