[squid-users] sslcrtvalidator_program

Alex Rousskov rousskov at measurement-factory.com
Mon Dec 14 19:05:13 UTC 2020


On 12/14/20 1:55 PM, Eliezer Croitor wrote:

> We can use this as an example for a single transaction in the wiki:
> https://gist.githubusercontent.com/elico/a0397c879776336eeae569317015edc1/raw/b34dff8ece76e480007a950655efff3564afcccc/cache.log

> Let me know if it's enough to document this subject.

I am not sure I understand your question -- the format is already
documented. If you think that attaching an example of a raw helper
request to that wiki page would help others, please feel free to do so!
Just avoid the implication that all helper requests would have the same
set of fields.

Alex.


> -----Original Message-----
> From: Alex Rousskov <rousskov at measurement-factory.com> 
> Sent: Monday, December 14, 2020 6:42 PM
> To: squid-users at lists.squid-cache.org
> Cc: Eliezer Croitor <ngtech1ltd at gmail.com>
> Subject: Re: [squid-users] sslcrtvalidator_program
> 
> On 12/14/20 4:26 AM, Eliezer Croitor wrote:
>> So starts with:
>> 0 cert_validate... line
> 
>> And ends with?:
>> error_name_0=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
>> error_cert_0=cert0
>> ?
> 
> No. The size of the key=value block is specified on the first request
> line. Please try to follow documentation that Amos has pointed you to:
> https://wiki.squid-cache.org/Features/AddonHelpers#SSL_server_certificate_validator
> 
> If that documentation is missing some details, we should fix it.
> 
> 
> 
>> I am unsure, let me try to re-read this section.
>> I am missing a fake helper for this..
>> And a "real world" full example.
> 
>> Can someone simulate it for me?
> 
> Glad you found
> src/security/cert_validators/fake/security_fake_certverify.pl.in. I hope
> it still works!
> 
> 
> HTH,
> 
> Alex.
> 
> 
>> -----Original Message-----
>> From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Amos Jeffries
>> Sent: Monday, December 14, 2020 10:15 AM
>> To: squid-users at lists.squid-cache.org
>> Subject: Re: [squid-users] sslcrtvalidator_program
>>
>> On 14/12/20 9:11 am, Eliezer Croitor wrote:
>>> I am trying to understand the way the sslcrtvalidator_program  works.
>>> I am pretty sure I have asked this in the past but didn’t found it for some
>>> reason.
>>>
>>> I want to read line by line so.
>>> /^-----BEGIN CERTIFICATE-----$/
>>> ***
>>> /^-----END CERTIFICATE-----$/
>>>
>>> What else should I look for? I was thinking about validating with some extra
>>> values in the request, for example ip/domain:port and sni.
>>> Are these available in some way?
>>
>>
>> The details you need are all here:
>>
>>  
>> <https://wiki.squid-cache.org/Features/AddonHelpers#SSL_server_certificate_validator>
>>
>> Notice that it receives chains of certificates - maybe several, and/or 
>> out of order. Whatever the client sends.
>>
>>
>> Amos
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
> 



More information about the squid-users mailing list