[squid-users] cafile and capath not working as expected with SSL bump

Bruce Rosenberg bruce.rosenberg.au at gmail.com
Wed Jun 29 10:01:33 UTC 2016


Hi,

I'm using squid 3.5.19 on RHEL6 and have configured SSL bump, which for the
most part is working great.
The issue I have is I need to install some additional CA certs that are not
provided by the ca-certificates-2015 RPM in the /etc/pki/tls/cert.pem file
(symlinked to /etc/pki/tls/certs/ca-bundle.crt).
I've tried adding both the cafile and capath options to the http_port entry
but neither seems to have any effect.
With the cafile option I can see squid open the file via an strace but when
I connect to the server it fails with a 503 as the SSL session to the
remote side is failing to verify.
With the capath option, strace shows that squid never attempts to open any
files in that directory.
Dynamic certificate generation between squid and the client is working fine
however.


cafile strace (strace -fp <squid_pid> -e trace=open):

[pid 27532] open("/var/lib/ssl_db/index.txt", O_RDWR) = 3
[pid 27532] open("/var/lib/ssl_db/index.txt", O_RDONLY) = 4
[pid 27532] open("/etc/localtime", O_RDONLY) = 4
[pid 27532] open("/var/lib/ssl_db/certs/3EA5A8686DE52F6FBED1CD16F119603FF223563F.pem", O_RDONLY) = 4
[pid 27532] open("/var/lib/ssl_db/certs/3EA5A8686DE52F6FBED1CD16F119603FF223563F.pem", O_RDONLY) = 4
[pid 27528] open("/etc/squid/ssl/cafile.pem", O_RDONLY) = 13
[pid 27528] open("/etc/pki/tls/cert.pem", O_RDONLY) = 13
[pid 27532] open("/var/lib/ssl_db/index.txt", O_RDWR) = 3
[pid 27532] open("/var/lib/ssl_db/index.txt", O_RDONLY) = 4
[pid 27532] open("/var/lib/ssl_db/certs/666F7FE36508EC9B6E154D4FA0AE36DAFE9AC520.pem", O_RDONLY) = 4
[pid 27532] open("/var/lib/ssl_db/certs/666F7FE36508EC9B6E154D4FA0AE36DAFE9AC520.pem", O_RDONLY) = 4
[pid 27528] open("/etc/squid/ssl/cafile.pem", O_RDONLY) = 13
[pid 27528] open("/etc/pki/tls/cert.pem", O_RDONLY) = 13
[pid 27528] open("/etc/squid/ssl/cafile.pem", O_RDONLY) = 13
[pid 27528] open("/etc/pki/tls/cert.pem", O_RDONLY) = 13


Subsequent error in the access log:

[29/Jun/2016:18:46:30 +1000] 198.142.126.173 TAG_NONE:HIER_DIRECT/200 "CONNECT www.example.com:443 HTTP/1.1" - www.example.com 130 0 - 14
[29/Jun/2016:18:46:30 +1000] 198.142.126.173 TAG_NONE:HIER_NONE/503 "GET https://www.example.com/postorders/postorders.php HTTP/1.1" - - 249 4699 - -


Relevant config:

sslproxy_options NO_SSLv2
sslproxy_cert_sign signTrusted
sslproxy_cert_sign_hash sha1
sslcrtd_children 8 startup=1 idle=1

acl step1 at_step SslBump1
ssl_bump peek step1 sslbump_src
ssl_bump bump sslbump_dst sslbump_src

ssl_bump none all

#http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=8MB capath=/etc/squid/ssl/cacerts/ key=/etc/squid/ssl_cert/mitm_root_ca.key cert=/etc/squid/ssl_cert/mitm_root_ca.crt
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cafile=/etc/squid/ssl/cafile.pem key=/etc/squid/ssl_cert/mitm_root_ca.key cert=/etc/squid/ssl_cert/mitm_root_ca.crt


I can work around the issue by appending the additional CA certs to the
Redhat managed /etc/pki/tls/certs/ca-bundle.crt file but this is not ideal.

Are the cafile and capath options supposed to work like this, i.e. do they
allow you to complement the OS-supplied CA certs for remote site
verification, or have I completely misread the documentation?

cafile= File containing additional CA certificates to
use when verifying client certificates. If unset
clientca will be used.

capath= Directory containing additional CA certificates
and CRL lists to use when verifying client certificates.

Many thanks and any help greatly appreciated,
Bruce
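The failure behind the 503 above, reproduced offline with a throwaway CA, as an added example that is neither the poster's code nor Squid's. It builds a private CA and a leaf for www.example.com signed by it, then runs `openssl verify` against the two trust sources the post's options name (a CA bundle file for cafile, a hash-named directory for capath) and against neither. It assumes the openssl CLI is installed; the CA name "Example Extra CA", the leaf subject, and every path under the temporary directory are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the post or the Squid project: shows why a
# verifier that only trusts the system bundle rejects a chain ending in an
# extra CA, and how OpenSSL consumes a CA bundle file versus a capath
# directory. Needs the openssl CLI; all names and paths are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/capath" "$WORK/empty"

# Build the private CA ("Example Extra CA", constructed) and a leaf for
# www.example.com signed by it. basicConstraints CA:TRUE is set explicitly
# so every OpenSSL version accepts the root as a CA.
make_test_pki() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
        -subj "/CN=Example Extra CA" \
        -keyout "$WORK/extra_ca.key" -out "$WORK/extra_ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -subj "/CN=www.example.com" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/extra_ca.crt" -CAkey "$WORK/extra_ca.key" -CAcreateserial \
        -out "$WORK/leaf.crt" >/dev/null 2>&1

    # A capath directory is searched by subject-name hash: the PEM must be
    # named <hash>.0 (what c_rehash produces). A CA copied in under any
    # other name is never opened by the verifier.
    hash=$(openssl x509 -subject_hash -noout -in "$WORK/extra_ca.crt")
    cp "$WORK/extra_ca.crt" "$WORK/capath/$hash.0"
}

# verify_chain MODE -> prints "ok" or "fail".
#   cafile : trust the extra CA via a bundle file
#   capath : trust the extra CA via a hash-named directory
#   none   : point at an empty directory, so only the default store is
#            consulted; it does not contain the extra CA
verify_chain() {
    case "$1" in
        cafile) trust="-CAfile $WORK/extra_ca.crt" ;;
        capath) trust="-CApath $WORK/capath" ;;
        none)   trust="-CApath $WORK/empty" ;;
        *)      echo "unknown mode: $1" >&2; return 2 ;;
    esac
    # $trust is split into two words on purpose (option and its argument).
    if openssl verify $trust "$WORK/leaf.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_test_pki
for mode in cafile capath none; do
    printf '%-7s %s\n' "$mode" "$(verify_chain "$mode")"
done
```

The "none" row is the situation in the access log above: the remote chain is valid, but the trust source the verifier was actually given does not contain the issuing CA. Two things to check when an added CA is not picked up: whether a capath directory holds `<subject_hash>.0` files rather than arbitrarily named PEMs, and which directive the verifying side actually reads. The http_port documentation quoted in the post says cafile= and capath= apply to client certificate verification; in Squid 3.5 the trust store used for verifying upstream servers is configured with the separate sslproxy_cafile and sslproxy_capath directives.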