[squid-users] Squid 4.11 Howto create SSL Bump certificates with only 3-12 months date of expiry

Amos Jeffries squid3 at treenet.co.nz
Fri Jul 10 05:03:41 UTC 2020


On 30/06/20 3:13 am, info wrote:
> 
> Hi Squid Community,
> 
> how can I configure Squid to create SSL Bump Certifications with only
> 3-12 months date of expiry?
> 

As you know Squid uses a helper to generate the certificates. You can
write a helper of your own to generate certificates with any
customizations you like.


> Currently, Squid SSL bumped Certifications are valid 20 years in my
> case, way too long, as Apple & Google & Mozilla will trust only <1 Year
> SSL certifications in the future.
> 

The helper bundled with Squid is supposed to be generating certificates
that mimic the same values received from the origin server.

... except that your config below shows that you are requiring
certificates to be generated without any origin server information,
which IIRC means that the CA certificate you configured is used as the
information source for dates etc.


> Thanks for any help!
> Schroeffu
> 
> my conf:
> 
> http_port {{ inventory_hostname }}:{{ squid_port }} ssl-bump
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/etc/squid/certs/(***).pem key=/etc/squid/certs/(***).pem
> sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db
> -M 4MB
> always_direct allow all

always_direct is *not* required for SSL-Bump. It was only ever needed
for a 2-week period many years ago for a bug workaround. Please remove
unless you explicitly have other reasons to use it.

> ssl_bump bump !domains_dont_sslbump

There are three solutions you might use. In order of best to worst they are:

1) Fix the ssl_bump behaviour:

 acl step1 at_step SslBump1
 ssl_bump peek step1
 ssl_bump splice domains_dont_sslbump
 ssl_bump stare all
 ssl_bump bump all


2) Fix the CA certificate you are using

Check that the dates configured there give that cert a short validity
time. I expect you have one saying 20 years right now.

You may want to do this even if you do option #1 above.


3) write your own cert generator helper


Amos


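The following is an added example and not part of the thread above, nor Squid's own security_file_certgen helper. It shows the certificate-minting core that a custom helper (option 3) would need, using the openssl CLI: a bump CA with a short lifetime (option 2), and a leaf certificate whose requested validity is clamped to an assumed one-year policy, so that a 20-year request still comes out as a one-year certificate. It does not speak Squid's sslcrtd helper line protocol; the paths, subject names, MAX_LEAF_DAYS policy and the www.example.com host are all assumptions. In a real helper the requested day count would normally come from the origin server's certificate (the mimicking behaviour described above); here it is simply a parameter.

```shell
#!/bin/sh
# Added example, not Squid's own security_file_certgen helper: the
# certificate-minting core a custom sslcrtd helper would need, using the
# openssl CLI. Every path, subject and lifetime here is an assumption.
set -e

# Upper bound on leaf lifetime, in days, regardless of what the origin
# server's certificate or the CA certificate says (assumed policy: 1 year).
MAX_LEAF_DAYS=365

# Make a throwaway bump CA whose own validity is short, so nothing that
# copies the CA's dates can be long-lived either.
make_ca() {
    ca_dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$MAX_LEAF_DAYS" \
        -subj "/CN=Example Bump CA" \
        -keyout "$ca_dir/ca.key" -out "$ca_dir/ca.pem" 2>/dev/null
}

# Mint a leaf for $host signed by the CA, requesting $days of validity but
# never more than MAX_LEAF_DAYS. Prints the path of the minted certificate.
mint_leaf() {
    ca_dir="$1"; host="$2"; days="$3"
    if [ "$days" -gt "$MAX_LEAF_DAYS" ]; then
        days="$MAX_LEAF_DAYS"
    fi
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$ca_dir/$host.key" -out "$ca_dir/$host.csr" 2>/dev/null
    # Leaf extensions: the SAN is what browsers match on; CA:FALSE keeps the
    # minted cert from being usable as an intermediate.
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
        "$host" > "$ca_dir/$host.ext"
    openssl x509 -req -in "$ca_dir/$host.csr" -sha256 -days "$days" \
        -CA "$ca_dir/ca.pem" -CAkey "$ca_dir/ca.key" -CAcreateserial \
        -extfile "$ca_dir/$host.ext" -out "$ca_dir/$host.pem" 2>/dev/null
    printf '%s\n' "$ca_dir/$host.pem"
}

# Return 0 if the certificate expires within $days days from now.
# (openssl -checkend exits 0 when the cert is still valid at that time,
# so the result is negated.)
expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# Return 0 if the leaf certificate chains to the given CA certificate.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo: a 20-year (7300 day) request still yields a 1-year certificate.
demo() {
    d=$(mktemp -d)
    make_ca "$d"
    leaf=$(mint_leaf "$d" www.example.com 7300)
    openssl x509 -in "$leaf" -noout -subject -enddate
    rm -rf "$d"
}
demo
```

Run it as a plain script to see the subject and notAfter of the minted leaf. The clamp in mint_leaf is the whole point: whatever lifetime the origin certificate or the CA certificate carries, the helper decides the upper bound, which is what the bundled helper's mimicking behaviour does not give you.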