[squid-users] Ssl-Bump and revoked server certificates

Walter H. Walter.H at mathemainzel.info
Wed Oct 7 15:32:51 UTC 2015


On 07.10.2015 16:48, Amos Jeffries wrote:
>> or
>>
>> sslcrtvalidator_program cache=8192 ttl=240 /usr/lib64/squid/cert_valid.pl
>> sslcrtvalidator_children 12 startup=5 idle=1 concurrency=1
>>
>> can I have a working sample of cert_valid.pl that results
>> in an "access denied" or any other error page of squid?
> An ERR result from the helper should result in the invalid certificate
> handling happening in Squid. Whether that results in a particular error
> page (or not) depends on several things I'm not completely certain about.
Not really, nothing different happens;
>
>> (it may bring this on any page that is ssl_bumped,
>> so I know the interface, because this here:
>> http://wiki.squid-cache.org/Features/SslServerCertValidator
>> is wrong;
>
> Ah. I see the concurrency channel is not documented, but is being sent.
> What Squid version are you using?
I'm using squid 3.4.10, the build from Eliezer
http://www1.ngtech.co.il/rpm/centos/6/x86_64/squid-3.4.10-1.el6.x86_64.rpm
and
http://www1.ngtech.co.il/rpm/centos/6/x86_64/squid-helpers-3.4.10-1.el6.x86_64.rpm

>> instead of
>> /usr/lib64/squid/cert_valid.pl
>> I used a bash-script with this content
>>
>> #!/bin/bash
>>
>> myprog 2>>/tmp/pre.log |/usr/lib64/squid/cert_valid.pl
>>
>> and the C source of myprog:
>>
>>
>> #include <fcntl.h>
>> #include <stdio.h>
>> #include <unistd.h>   /* read(), write() */
>> int main( int argc, char* argv[ ] )
>> {
>>          static char szBuf[ 260 ];
>>          int nLen;
>>          /* copy everything from stdin to stdout (for cert_valid.pl)
>>             and to stderr (captured in /tmp/pre.log) */
>>          while( ( nLen = read( 0, (void*) szBuf, 256 ) ) > 0 )
>>          {
>>                  write( 1, (void*) szBuf, nLen );
>>                  write( 2, (void*) szBuf, nLen );
>>          }
>>          return 0;
>> }
> This helper is broken. The protocol here or even other helpers, has
> never been to dump the input back to Squid.
Be careful, this is part of the helper script above, to catch the 
content that's sent to the helper ...
> Input and output "lines" have different syntax and contents.
of course ...
>> so I got the ident content as stdout and stderr and there I caught e.g.
>> this:
>>
>> <CATCH CONTENT>
>> 0 cert_validate 3373 host=revoked.grc.com
>> cert_0=-----BEGIN CERTIFICATE-----
> <snip>
>> -----END CERTIFICATE-----
>> </CATCH CONTENT>
>>
>> with this I could program a correct certificate validator using OpenSSL,
>> but I MUST have a little bit more precise knowledge about the correct
>> interface;
>>
>> can someone please explain how the 3373 of the CATCH CONTENT above is
>> calculated?
> Documented in the wiki:
> "Total size of the following request bytes taken by the key=pair
> parameters."
>
> That is the byte size of the "host=...END CERTIFICATE-----" key-pair
> part of the message.
OK, I'll check whether something was kicked away ...
>> returns always "0 OK 0 \1"
>> what does \1 mean here?
> \1 is the binary code (0x01) for end of line/message this helper
> requires. We cannot use \n like other helpers since several \n are part
> of the cert PEM format.
>
is this also true for requests this helper receives?

Thanks,
Walter
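As an added example (not code from this thread, and not Squid's own cert_valid.pl), the following Python parser handles the request framing captured above: it checks that the size field equals the byte length of the key=value body and splits messages on \x01 rather than \n, since the PEM blocks contain newlines. The PEM is a constructed stand-in, and the error_name_0 key used in the ERR case is assumed from the helper protocol rather than shown in this thread.

```python
import re

# Constructed stand-in for a real PEM block: only the framing matters here.
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n"
            "MIIBconstructedSampleNotARealCertificate\n"
            "-----END CERTIFICATE-----")

HEADER = re.compile(rb"^(\d+) cert_validate (\d+) ")
# Keys are matched explicitly: a base64 line that ends in '=' padding would
# otherwise look like a key if we split on any "^word=".
KEY = re.compile(r"(?m)^(?:host|cert_\d+)=")


def build_request(channel_id, host, pems):
    """Frame one request as Squid does: size counts the body bytes only."""
    pairs = ["host=%s" % host] + ["cert_%d=%s" % (i, p) for i, p in enumerate(pems)]
    body = "\n".join(pairs).encode()
    return b"%d cert_validate %d " % (channel_id, len(body)) + body + b"\x01"


def parse_stream(data):
    """Split helper stdin on \\x01 (not \\n, which PEM contains) and parse.

    Returns [(channel_id, {key: value})]. Raises ValueError when the declared
    size disagrees with the body, so a truncated message is never accepted.
    """
    out = []
    for msg in data.split(b"\x01"):
        if not msg:
            continue  # empty chunk after the final terminator
        m = HEADER.match(msg)
        if not m:
            raise ValueError("bad header: %r" % msg[:40])
        size, body = int(m.group(2)), msg[m.end():]
        if len(body) != size:
            raise ValueError("size field %d but body is %d bytes" % (size, len(body)))
        text = body.decode()
        starts = [k.start() for k in KEY.finditer(text)] + [len(text)]
        fields = {}
        for a, b in zip(starts, starts[1:]):
            key, _, val = text[a:b].rstrip("\n").partition("=")
            fields[key] = val
        out.append((int(m.group(1)), fields))
    return out


def build_response(channel_id, ok, body=b""):
    """'<id> OK 0 \\x01' for a good chain, as quoted above; ERR otherwise."""
    return b"%d %s %d %s\x01" % (channel_id, b"OK" if ok else b"ERR", len(body), body)
```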
