[squid-users] generate-host-certificates=on fails to generate certificates for _some_ hosts

Alex Rousskov rousskov at measurement-factory.com
Thu Jan 14 04:44:28 UTC 2021


On 1/13/21 9:47 PM, Greg Hulands wrote:
> I have put the ALL,9 log
> here https://gist.github.com/ghulands/4a689db93fc87f9e7f69174f292f1914

> I can see it generates the certificate correctly,

Agreed. Squid receives (from the helper) a generated certificate with
the right wildcard CN, not a CA certificate.


> but couldn’t identify why it didn’t return the cert to the client.

Yeah... Squid is calling the code that should set the certificate for
the client connection. Unfortunately, I cannot easily tell whether that
code is using the right certificate -- the existing debugging may not
even reveal that detail.

If you see a different certificate received by the client -- something I
cannot verify from the logs -- then perhaps Squid incorrectly switched
the right certificate to a different one or Squid failed to set the
right certificate but forgot to report the problem (and the CA
certificate from the related context was used?). These are just wild
guesses.

If you do not get better suggestions for going forward, consider these
last-straw ideas:

* Testing with a client like openssl, try disabling TLS v1.3. It is
being used by the client in your logs. Perhaps there is something in TLS
v1.3 that requires special handling when talking to the client. I know
that Squid has problems with TLS v1.3 on the Squid-to-server
connections... (In your case, the Squid-to-server connection is TLS v1.2
AFAICT).

* Upgrade to the latest v5 or even v6. I see no relevant fixes in v5 but
I could miss them.

* If you are a developer, add more debugging or use gdb to find out what
happens with the Squid-to-client certificate. Otherwise, find a
developer who can do that for you.

Sorry I cannot think of any good options here.

Alex.
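An added example, not code from this thread or from Squid, for checking the one thing the logs above cannot show: which certificate the client actually receives. The script probes a bumped host through the proxy with openssl s_client, with and without TLS 1.3, and reports whether the returned certificate is the generated wildcard leaf or a CA certificate. The proxy and host names are assumed placeholders, an explicit-proxy (CONNECT) setup is assumed, and OpenSSL 1.1.1 or later is needed for the -proxy and -no_tls1_3 options.

```shell
#!/bin/sh
# Added diagnostic (not Squid's own code). Assumed placeholders:
# PROXY=squid.example.test:3128, HOST=www.example.test.
# For an intercept (no CONNECT) setup, drop -proxy and connect to the
# bumped host's address directly.
set -eu

# classify_cert: read one PEM certificate on stdin and print
#   "ca <subject>"   when basicConstraints says CA:TRUE
#   "leaf <subject>" otherwise (what a correct bump hands the client)
classify_cert() {
  pem=$(cat)
  subject=$(printf '%s\n' "$pem" | openssl x509 -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//')
  if printf '%s\n' "$pem" | openssl x509 -noout -text | grep -q 'CA:TRUE'; then
    printf 'ca %s\n' "$subject"
  else
    printf 'leaf %s\n' "$subject"
  fi
}

# probe_via_squid PROXY HOST [extra s_client flags]
#   probe_via_squid squid.example.test:3128 www.example.test
#   probe_via_squid squid.example.test:3128 www.example.test -no_tls1_3
# If only the default (TLS 1.3) run reports "ca ...", the client-side
# problem is tied to TLS 1.3 handling, as the reply above suggests.
probe_via_squid() {
  proxy=$1; host=$2; shift 2
  openssl s_client -proxy "$proxy" -connect "$host:443" -servername "$host" "$@" \
    </dev/null 2>/dev/null | openssl x509 2>/dev/null | classify_cert
}

# self_check: offline exercise of classify_cert on constructed test data:
# a throwaway CA and a wildcard leaf signed by it, the two shapes a
# ssl_crtd-style helper deals with. Prints the CA line, then the leaf line.
self_check() {
  tmp=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$tmp/ca.key" \
    -out "$tmp/ca.pem" -days 1 -subj '/CN=Test Bump CA' >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -keyout "$tmp/leaf.key" \
    -out "$tmp/leaf.csr" -subj '/CN=*.example.test' >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.test\n' >"$tmp/leaf.ext"
  openssl x509 -req -in "$tmp/leaf.csr" -CA "$tmp/ca.pem" -CAkey "$tmp/ca.key" \
    -CAcreateserial -days 1 -extfile "$tmp/leaf.ext" -out "$tmp/leaf.pem" >/dev/null 2>&1
  classify_cert <"$tmp/ca.pem"
  classify_cert <"$tmp/leaf.pem"
  rm -rf "$tmp"
}

if [ "${1-}" = "--self-check" ]; then self_check; fi
```

Run the two probe_via_squid lines against your proxy and compare their output; `./script.sh --self-check` exercises the classifier offline.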
