[squid-users] Default state for the option generate-host-certificates

Garri Djavadyan garryd at comnet.uz
Fri Oct 28 12:56:44 UTC 2016


Hello list,

The last sentence of the generate-host-certificates[=<on|off>] option
paragraph states:

  This option is enabled by default when ssl-bump is used. See the
  ssl-bump option above for more information.

But a client can't negotiate a secure connection and times out when the
option is not specified explicitly. For example, with the following config
I get a negotiation timeout:

# diff etc/squid.conf.default etc/squid.conf
59c59
< http_port 3128
---
> http_port 3128 ssl-bump cert=/usr/local/squid35/etc/ssl_cert/myCA.pem
73a74,76
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all

-----
$ https_proxy="127.0.0.1:3128" curl -v -k https://ya.ru/ > /dev/null
*   Trying 127.0.0.1...
* TCP_NODELAY set
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to 127.0.0.1 (127.0.0.1) port 3128 (#0)
* Establish HTTP proxy tunnel to ya.ru:443
> CONNECT ya.ru:443 HTTP/1.1
> Host: ya.ru:443
> User-Agent: curl/7.50.3
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 Connection established
< 
* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: none
  0     0    0     0    0     0      0      0 --:--:--  0:00:59 --:--:--     0* NSS error -5938 (PR_END_OF_FILE_ERROR)
* Encountered end of file
* Curl_http_done: called premature == 1
  0     0    0     0    0     0      0      0 --:--:--  0:01:00 --:--:--     0
* Closing connection 0
curl: (35) Encountered end of file

No problems if the option is specified explicitly:

# diff etc/squid.conf.default etc/squid.conf
59c59,61
< http_port 3128
---
> http_port 3128 ssl-bump \
>     cert=/usr/local/squid35/etc/ssl_cert/myCA.pem \
>     generate-host-certificates
73a76,78
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all


Is it a bug, a documentation error, or have I simply missed something?

Thanks.

Garri
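An added example, not part of the message above or of the Squid project: a small squid.conf lint that joins backslash-continued lines the way the second diff writes them and reports ssl-bump ports that rely on the documented default instead of an explicit generate-host-certificates, which is the configuration difference the message describes. The function names and the two embedded sample configs are constructed for this example.

```python
from typing import Dict, List

# Constructed samples mirroring the two configurations in the message.
BROKEN_CONF = """http_port 3128 ssl-bump cert=/usr/local/squid35/etc/ssl_cert/myCA.pem
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
"""
WORKING_CONF = """http_port 3128 ssl-bump \\
    cert=/usr/local/squid35/etc/ssl_cert/myCA.pem \\
    generate-host-certificates
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
"""

def join_continuations(text: str) -> List[str]:
    """Return logical config lines: backslash continuations joined,
    comments and blank lines dropped."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "      # keep collecting the next physical line
            continue
        buf += line
        stripped = buf.strip()
        if stripped and not stripped.startswith("#"):
            logical.append(stripped)
        buf = ""
    if buf.strip():                     # file ended on a continuation line
        logical.append(buf.strip())
    return logical

def check_ssl_bump_ports(conf: str) -> List[Dict[str, str]]:
    """Flag http_port/https_port lines that use ssl-bump but either lack
    cert= or do not state generate-host-certificates explicitly."""
    findings = []
    for line in join_continuations(conf):
        tokens = line.split()
        if tokens[0] not in ("http_port", "https_port") or "ssl-bump" not in tokens:
            continue
        port = tokens[1]
        if not any(t.startswith("cert=") for t in tokens):
            findings.append({"port": port, "problem": "ssl-bump without cert="})
        ghc = [t for t in tokens if t.startswith("generate-host-certificates")]
        if not ghc:
            findings.append({"port": port, "problem": "generate-host-certificates not set explicitly"})
        elif ghc[0].endswith("=off"):
            findings.append({"port": port, "problem": "generate-host-certificates=off"})
    return findings

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("working", WORKING_CONF)):
        print(name, check_ssl_bump_ports(conf))
```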