[squid-users] HTTPS woes
Olly Lennox
oliver at lennox-it.uk
Wed Apr 19 09:22:12 UTC 2017
Thanks Amos, I'll install this. One last question if I may! Squid is working fine now with both HTTP and HTTPS but for some reason it is refusing to launch on boot.
It works perfectly when started with "service squid start" but not on boot. The error is:
squid.service - LSB: Squid HTTP Proxy version 3.x
Loaded: loaded (/etc/init.d/squid; generated; vendor preset: enabled)
Active: failed (Result: resources) since Wed 2017-04-19 10:19:18 BST; 53s ago
Docs: man:systemd-sysv-generator(8)
Process: 598 ExecStart=/etc/init.d/squid start (code=exited, status=0/SUCCESS)
Apr 19 10:19:13 raspberrypi (squid-1)[1606]: Ipc::Mem::Segment::open failed to shm_open(/squid-ssl_session_cache.shm): (2) No such file or direct
Apr 19 10:19:13 raspberrypi squid[1283]: Squid Parent: (squid-1) process 1606 exited with status 1
Apr 19 10:19:16 raspberrypi squid[1283]: Squid Parent: (squid-1) process 1633 started
Apr 19 10:19:18 raspberrypi squid[1283]: Squid Parent: (squid-1) process 1633 exited with status 1
Apr 19 10:19:18 raspberrypi squid[1283]: Squid Parent: (squid-1) process 1633 will not be restarted due to repeated, frequent failures
Apr 19 10:19:18 raspberrypi squid[1283]: Exiting due to repeated, frequent failures
Apr 19 10:19:18 raspberrypi systemd[1]: squid.service: Daemon never wrote its PID file. Failing.
Apr 19 10:19:18 raspberrypi systemd[1]: Failed to start LSB: Squid HTTP Proxy version 3.x.
Apr 19 10:19:18 raspberrypi systemd[1]: squid.service: Unit entered failed state.
Apr 19 10:19:18 raspberrypi systemd[1]: squid.service: Failed with result 'resources'.
Any ideas?
________________________________
From: Amos Jeffries <squid3 at treenet.co.nz>
To: squid-users at lists.squid-cache.org
Sent: Wednesday, 19 April 2017, 5:22
Subject: Re: [squid-users] HTTPS woes
Olly, Debian provides a ca-certificates package containing the Mozilla CA list. It is updated whenever the CA set changes. Though of course you should have apt connected to the relevant security repository (jessie-security?) for regular updates.
Amos
On 19/04/17 03:10, Olly Lennox wrote:
> Would you mind sharing the script you use?
>
> oliver at lennox-it.uk
> lennox-it.uk
> tel: 07900 648 252
>
>________________________________
> From: Yuri Voinov <yvoinov at gmail.com>
>To: Olly Lennox <oliver at lennox-it.uk>; "squid-users at lists.squid-cache.org" <squid-users at lists.squid-cache.org>
>Sent: Tuesday, 18 April 2017, 16:00
>Subject: Re: [squid-users] HTTPS woes
>
>
>
>I have an automated cron job that refreshes the Mozilla CA bundle on a monthly basis.
>Intermediate CAs, however, require non-scheduled maintenance. I maintain them on demand.
>
>
>18.04.2017 20:17, Olly Lennox wrote:
>
>>Thanks Yuri! The Mozilla bundle has worked!! Most of the major sites seem to be working, which is all we need. How often do these certificates refresh? Would they need updating every month or so?
>>
>>oliver at lennox-it.uk
>>lennox-it.uk
>>tel: 07900 648 252
>>
>>________________________________
>> From: Yuri Voinov <yvoinov at gmail.com>
>>To: Olly Lennox <oliver at lennox-it.uk>; "squid-users at lists.squid-cache.org" <squid-users at lists.squid-cache.org>
>>Sent: Tuesday, 18 April 2017, 14:43
>>Subject: Re: [squid-users] HTTPS woes
>>
>>
>>
>>You are talking about two different things.
>>1. Root CAs are usually built into clients. For standalone use, the root CAs (from Mozilla) are usually distributed with OpenSSL distributions. If you need them (or your OpenSSL distribution does not contain root CAs), you can find the separately distributed Mozilla CAs with a short Google search:
>>
>>https://www.google.com/search?q=Mozilla+CA+bundle
>>2. Intermediate CAs are subordinate to root CAs. They do not exist in any governed repository (because supporting one is work, manual work, and it would have to be done by somebody); moreover, they are spread across the CA authorities. There is no automated tool to maintain this _intermediate_ list. The other problem: intermediate CAs usually have a much shorter validity period than roots, and have to be maintained all the time.
>>Finally, if you want to use Squid with SSL Bump, you should understand PKI infrastructure and yes, you have to maintain the root CAs and intermediate CAs on the proxy yourself, all the time. There is no free or paid service which does it for you.
>>
>>18.04.2017 19:35, Olly Lennox wrote:
>>
>>>So anyone who wants to use Squid over HTTPS in this way has to build this repository themselves by manually downloading all the CA bundles?
>>>
>>>________________________________
>>> From: Yuri <yvoinov at gmail.com>
>>>To: Olly Lennox <oliver at lennox-it.uk>; "squid-users at lists.squid-cache.org" <squid-users at lists.squid-cache.org>
>>>Sent: Tuesday, 18 April 2017, 14:03
>>>Subject: Re: [squid-users] HTTPS woes
>>>
>>>18.04.2017 18:56, Olly Lennox wrote:
>>>
>>>>I'm using
>>>>
>>>>sslproxy_foreign_intermediate_certs
>>>>
>>>>Is this the same thing?
>>>
>>>No. You first need the CA roots available to Squid. CA roots and intermediates are different things.
>>>
>>>>Also is there anywhere to get a bundle of all the major CA intermediate certs or do you have to download them all manually?
>>>
>>>No. You have to build it yourself.
>>>
>>>>Cheers,
>>>>
>>>>oliver at lennox-it.uk
>>>>lennox-it.uk
>>>>tel: 07900 648 252
>>>>
>>>>________________________________
>>>> From: Yuri <yvoinov at gmail.com>
>>>>To: squid-users at lists.squid-cache.org
>>>>Sent: Tuesday, 18 April 2017, 13:51
>>>>Subject: Re: [squid-users] HTTPS woes
>>>>
>>>>
>>>>
>>>>Try to specify the root CA bundle/dir explicitly by setting one of these params:
>>>>
>>>># TAG: sslproxy_cafile
>>>>#	file containing CA certificates to use when verifying server
>>>>#	certificates while proxying https:// URLs
>>>>#Default:
>>>># none
>>>>
>>>># TAG: sslproxy_capath
>>>>#	directory containing CA certificates to use when verifying
>>>>#	server certificates while proxying https:// URLs
>>>>#Default:
>>>># none
>>>>
>>>>18.04.2017 18:46, Olly Lennox wrote:
>>>>> Hi All,
>>>>>
>>>>> Still having problems here. This is my https config now:
>>>>>
>>>>> ---------------------------------
>>>>> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squid.crt key=/etc/squid3/ssl_cert/squid.key options=NO_SSLv3 dhparams=/etc/squid3/ssl_cert/dhparam.pem
>>>>>
>>>>> acl step1 at_step SslBump1
>>>>> ssl_bump peek step1
>>>>> ssl_bump bump all
>>>>> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
>>>>> sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>>>>>
>>>>> sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
>>>>> sslcrtd_children 8 startup=1 idle=1
>>>>> ---------------------------------
>>>>>
>>>>> I'm running version 3.5.23 with openssl 1.0. I've had to disable libecap because I couldn't build 3.5 with ecap enabled. I'm getting the following error when trying to connect with SSL:
>>>>>
>>>>> ---------------------------------
>>>>>
>>>>> The following error was encountered while trying to retrieve the URL: https://www.google.co.uk/*
>>>>>
>>>>> Failed to establish a secure connection to 216.58.198.67
>>>>>
>>>>> The system returned:
>>>>>
>>>>> (71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
>>>>> SSL Certificate error: certificate issuer (CA) not known: /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>>>>>
>>>>> This proxy and the remote host failed to negotiate mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.
>>>>>
>>>>> Your cache administrator is webmaster.
>>>>>
>>>>> Generated Tue, 18 Apr 2017 12:23:40 GMT by raspberrypi (squid/3.5.23)
>>>>> ---------------------------------
>>>>>
>>>>> The CA is always listed as not known; no matter what site I try I always get this error.
>>>>>
>>>>> Any ideas?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Olly
>>>>>
>>>>> ________________________________
>>>>> From: Olly Lennox <oliver at lennox-it.uk>
>>>>> To: Amos Jeffries <squid3 at treenet.co.nz>; "squid-users at lists.squid-cache.org" <squid-users at lists.squid-cache.org>
>>>>> Sent: Sunday, 16 April 2017, 9:31
>>>>> Subject: Re: [squid-users] HTTPS woes
>>>>>
>>>>> Thanks Amos, it's finally built but I had to disable ecap; for whatever reason this kept failing (with version 1.0.1 installed). It failed on a reference to the Area function I think, but I don't have the error message copied. I'm trying now to configure the ssl stare/peek and will let you know how it goes.
>>>>>
>>>>> Olly
>>>>>
>>>>> oliver at lennox-it.uk
>>>>> lennox-it.uk
>>>>> tel: 07900 648 252
>>>>>
>>>>> ________________________________
>>>>> From: Amos Jeffries <squid3 at treenet.co.nz>
>>>>> To: squid-users at lists.squid-cache.org
>>>>> Sent: Saturday, 15 April 2017, 23:07
>>>>> Subject: Re: [squid-users] HTTPS woes
>>>>>
>>>>> On 15/04/2017 9:59 a.m., Olly Lennox wrote:
>>>>>> Hi Guys.
>>>>>> I'm still struggling with this. I'm trying to build a version of 3.5 but I just can't get it to work. I'm currently attempting to rebuild the stretch package with SSL enabled but the build keeps failing with the following:
>>>>>>
>>>>>> ../../src/ssl/gadgets.h:83:45: error: 'CRYPTO_LOCK_X509' was not declared in this scope
>>>>>>  typedef LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> X509_Pointer;
>>>>>>                                              ^~~~~~~~~~~~~~~~
>>>>>> ../../src/ssl/gadgets.h:83:61: error: template argument 3 is invalid
>>>>>>  typedef LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> X509_Pointer;
>>>>>>                                                              ^
>>>>>> ../../src/ssl/gadgets.h:89:53: error: 'CRYPTO_LOCK_EVP_PKEY' was not declared in this scope
>>>>>>  typedef LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY> EVP_PKEY_Pointer;
>>>>>>                                                      ^~~~~~~~~~~~~~~~~~~~
>>>>>> ../../src/ssl/gadgets.h:89:73: error: template argument 3 is invalid
>>>>>>  typedef LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY> EVP_PKEY_Pointer;
>>>>>>                                                                          ^
>>>>>> ../../src/ssl/gadgets.h:116:43: error: 'CRYPTO_LOCK_SSL' was not declared in this scope
>>>>>>  typedef LockingPointer<SSL, SSL_free_cpp, CRYPTO_LOCK_SSL> SSL_Pointer;
>>>>>>                                            ^~~~~~~~~~~~~~~
>>>>>> ../../src/ssl/gadgets.h:116:58: error: template argument 3 is invalid
>>>>>>  typedef LockingPointer<SSL, SSL_free_cpp, CRYPTO_LOCK_SSL> SSL_Pointer;
>>>>>>                                                           ^
>>>>>> Any ideas?
>>>>>
>>>>> On Jessie/stable:
>>>>>
>>>>> apt-get build-dep squid3
>>>>> apt-get install libssl-dev
>>>>>
>>>>> On stretch/testing/unstable:
>>>>>
>>>>> apt-get build-dep squid
>>>>> apt-get install libssl1.0-dev
>>>>>
>>>>> That should do it for you.
>>>>>
>>>>> Amos
>>>>>
>>--
>>Bugs to the Future
>--
>Bugs to the Future
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
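Added example, not part of this thread and not Squid's own code: a shell script that builds a throwaway root -> intermediate -> leaf chain with the openssl CLI and reproduces the X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY failure shown in Olly's error page, then shows the two inputs Yuri and Amos are talking about: a root bundle (what sslproxy_cafile or a hashed sslproxy_capath directory holds) and a separate file of intermediates that are used to complete the chain but are not trust anchors (the job of sslproxy_foreign_intermediate_certs). The CA names and the www.example.test hostname are invented for the demo; it assumes an openssl binary of 1.1.0 or newer on the PATH (for `openssl rehash`) and a default openssl.cnf.

```shell
#!/bin/sh
# Added example (not from the thread, not Squid code): a three-tier test PKI
# used to show why a roots-only trust store cannot validate a leaf whose
# intermediate is missing, and what fixes it. Names are invented for the demo.
set -eu

# Build root CA -> intermediate CA -> leaf in directory $1 (EC P-256 keys).
build_chain() {
    dir="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > "$dir/leaf.ext"
    for n in root int leaf; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$n.key"
    done
    # Self-signed root: the kind of certificate a root bundle (e.g. Mozilla's) contains.
    openssl req -new -key "$dir/root.key" -subj "/CN=Example Root CA" -out "$dir/root.csr"
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 3650 \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
    # Intermediate signed by the root: not in any root bundle; servers are
    # supposed to send it, and some do not.
    openssl req -new -key "$dir/int.key" -subj "/CN=Example Intermediate CA" -out "$dir/int.csr"
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1825 -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null
    # Leaf (server) certificate signed by the intermediate.
    openssl req -new -key "$dir/leaf.key" -subj "/CN=www.example.test" -out "$dir/leaf.csr"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -days 365 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# Roots only: what the proxy sees with sslproxy_cafile pointing at a root
# bundle and a server that omitted its intermediate. Expected to fail.
verify_roots_only() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem"
}

# The verify error text for the roots-only case: the CLI wording of
# X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY from the squid error page.
missing_issuer_reason() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1 \
        | grep -o 'unable to get local issuer certificate' | head -n 1
}

# Same roots, plus the intermediate as an UNTRUSTED chain certificate. This is
# the role of the sslproxy_foreign_intermediate_certs file: it completes the
# chain but is not itself a trust anchor. Expected to pass.
verify_with_intermediate() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem"
}

# A directory for sslproxy_capath needs the <hash>.N symlinks that issuer-name
# lookup uses; a plain folder of PEM files is silently useless without them.
make_capath() {
    mkdir -p "$1/capath"
    cp "$1/root.pem" "$1/capath/"
    openssl rehash "$1/capath" 2>/dev/null
}

verify_via_capath() {
    openssl verify -CApath "$1/capath" -untrusted "$1/int.pem" "$1/leaf.pem"
}

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
build_chain "$WORK"
if verify_roots_only "$WORK" >/dev/null 2>&1; then
    echo "unexpected: roots alone validated the leaf"
else
    echo "roots only: $(missing_issuer_reason "$WORK")"
fi
verify_with_intermediate "$WORK"
make_capath "$WORK"
verify_via_capath "$WORK"
```

The `-untrusted` file is the CLI analogue of the foreign-intermediates file: the verifier may use it to walk from the leaf up to something in the trust store, but nothing in it becomes trusted on its own. To see what a real server actually sent (and so whether the intermediate needs to be supplied locally), `openssl s_client -connect host:443 -showcerts` prints the chain as received.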