[squid-users] Default state for the option generate-host-certificates
Yuri Voinov
yvoinov at gmail.com
Fri Oct 28 13:39:37 UTC 2016
It seems to be a bug.
Just always specify the option explicitly.
28.10.2016 18:56, Garri Djavadyan wrote:
> Hello list,
>
> The last sentence for generate-host-certificates[=<on|off>] option
> paragraph states:
>
> This option is enabled by default when ssl-bump is used. See the
> ssl-bump option above for more information.
>
> But a client can't negotiate a secure connection and times out when the
> option is not specified explicitly. For example, with the following config
> I get a negotiation timeout:
>
> # diff etc/squid.conf.default etc/squid.conf
> 59c59
> < http_port 3128
> ---
>> http_port 3128 ssl-bump cert=/usr/local/squid35/etc/ssl_cert/myCA.pem
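Review bot: the http_port line added at 59c59 turns on ssl-bump with cert= but leaves generate-host-certificates implicit, and the curl run quoted below times out against exactly this form. Write the option out on the http_port line (generate-host-certificates, as in the second diff) rather than relying on the documented default.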
> 73a74,76
>> acl step1 at_step SslBump1
>> ssl_bump peek step1
>> ssl_bump bump all
>
> -----
> $ https_proxy="127.0.0.1:3128" curl -v -k https://ya.ru/ > /dev/null
> * Trying 127.0.0.1...
> * TCP_NODELAY set
> % Total % Received % Xferd Average Speed Time Time Time Current
> Dload Upload Total Spent Left Speed
> 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Connected to 127.0.0.1 (127.0.0.1) port 3128 (#0)
> * Establish HTTP proxy tunnel to ya.ru:443
>> CONNECT ya.ru:443 HTTP/1.1
>> Host: ya.ru:443
>> User-Agent: curl/7.50.3
>> Proxy-Connection: Keep-Alive
>>
> < HTTP/1.1 200 Connection established
> <
> * Proxy replied OK to CONNECT request
> * Initializing NSS with certpath: none
> 0 0 0 0 0 0 0 0 --:--:-- 0:00:59 --:--:-- 0* NSS error -5938 (PR_END_OF_FILE_ERROR)
> * Encountered end of file
> * Curl_http_done: called premature == 1
> 0 0 0 0 0 0 0 0 --:--:-- 0:01:00 --:--:-- 0
> * Closing connection 0
> curl: (35) Encountered end of file
>
>
>
> No problems if the option is specified explicitly:
>
> # diff etc/squid.conf.default etc/squid.conf
> 59c59,61
> < http_port 3128
> ---
>> http_port 3128 ssl-bump \
>> cert=/usr/local/squid35/etc/ssl_cert/myCA.pem \
>> generate-host-certificates
> 73a76,78
>> acl step1 at_step SslBump1
>> ssl_bump peek step1
>> ssl_bump bump all
>
>
> Is it a bug, documentation error or I simply missed something?
>
> Thanks.
>
> Garri
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
--
Cats - delicious. You just do not know how to cook them.
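
A way to enforce the "always specify the option explicitly" advice before a config is deployed, as an added example that is not part of the original messages or of Squid itself. The function names are hypothetical, and the two sample configs are constructed from the configurations quoted in the thread.

```python
OPTION = "generate-host-certificates"

def logical_lines(conf_text):
    """Yield (first_line_no, text), joining backslash continuations
    and skipping blank lines and # comments."""
    buf, start = "", None
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None
    if start is not None:  # file ended in the middle of a continuation
        yield start, buf

def implicit_bump_ports(conf_text):
    """Return [(line_no, port_spec)] for every http_port/https_port line that
    enables ssl-bump without stating generate-host-certificates[=on|off]."""
    findings = []
    for n, text in logical_lines(conf_text):
        tokens = text.split()
        if len(tokens) < 2 or tokens[0] not in ("http_port", "https_port"):
            continue
        opts = tokens[2:]
        if "ssl-bump" not in opts:
            continue
        if not any(o == OPTION or o.startswith(OPTION + "=") for o in opts):
            findings.append((n, tokens[1]))
    return findings

# Constructed from the first (timing out) config quoted in the thread.
IMPLICIT = """\
http_port 3128 ssl-bump cert=/usr/local/squid35/etc/ssl_cert/myCA.pem
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
"""
# Constructed from the second (working) config, including its continuations.
EXPLICIT = """\
http_port 3128 ssl-bump \\
    cert=/usr/local/squid35/etc/ssl_cert/myCA.pem \\
    generate-host-certificates
"""
if __name__ == "__main__":
    for name, conf in (("implicit", IMPLICIT), ("explicit", EXPLICIT)):
        print(name, implicit_bump_ports(conf))
```
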