[squid-users] sslbump with pkcs11 possible ?
Dieter Bloms
squid.org at bloms.de
Wed Feb 12 12:54:47 UTC 2020
Hello,
I have a working setup with openssl, which use softhsm as pkcs11
backend.
I can sign csr requests with openssl command line tool.
Now I want to use this mechanism for squid ssl-bump.
Is it possible to use the pkcs11 mechanism with squid and openssl ?
I tried someting like:
http_port MYIP:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cacert.pem key=pkcs11:id=10 tls-dh=/etc/squid/dhparams.pem
but squid claims:
--snip--
2020/02/12 13:50:35| Initializing https:// proxy context
2020/02/12 13:50:35| Initializing http_port MYIP:3128 TLS contexts
2020/02/12 13:50:35| Using certificate in /etc/squid/cacert.pem
2020/02/12 13:50:35| Using certificate chain in /etc/squid/cacert.pem
2020/02/12 13:50:35| Adding issuer CA: /CN=dietershttpsca
2020/02/12 13:50:35| Using key in pkcs11:id=10
2020/02/12 13:50:35| WARNING: 'HTTP_port MYIP:3128' missing private key in 'pkcs11:id=10'
2020/02/12 13:50:35| storeDirWriteCleanLogs: Starting...
2020/02/12 13:50:35| Finished. Wrote 0 entries.
2020/02/12 13:50:35| Took 0.00 seconds ( 0.00 entries/sec).
2020/02/12 13:50:35| FATAL: No valid signing certificate configured for HTTP_port MYIP:3128
2020/02/12 13:50:35| Squid Cache (Version 4.10): Terminated abnormally.
CPU Usage: 0.816 seconds = 0.812 user + 0.004 sys
Maximum Resident Size: 42240 KB
Page faults with physical i/o: 0
--snip--
does anybody know, whether squid supports it and if yes how to configure it ?
--
regards
Dieter
--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
>From field.
More information about the squid-users
mailing list