[squid-users] SSL BUMP

squid3 at treenet.co.nz squid3 at treenet.co.nz
Wed May 12 12:46:48 UTC 2021


On 2021-05-10 22:26, Stephane Simon wrote:
> Hello,
> 
> I try to configure https  with ssl bump.
> I use redhat 8.
> 
> i follow https://blog.microlinux.fr/squid-https-centos-7/
> when i restart squid, he doesn't cooperate and say:
> 
> "FATAL: The usr/lib64/squid/security_file_certgen -s
> /var/lib/squid/ssl_db -M 64MB helpers are crashing too rapidly, need
> help!"
> 
> i don't know how to fix this error..i dont know why i've this error ^^
> 
> Does someone have an idea please ?

The helper crashing is required by Squid to generate certificates for 
bumping.
Without it working perfectly Squid cannot handle any HTTPS traffic.


> 
> http_port 3130
> http_port 3128 intercept
> https_port 3129 intercept ssl-bump \
>   cert=/etc/squid/ssl_cert/certificat.pem \
>   generate-host-certificates=on \
>   dynamic_cert_mem_cache_size=64MB
> 
> #SSL certificate generation
> sslcrtd_program usr/lib64/squid/security_file_certgen -s

The path should begin with '/usr/' not just 'usr/

> /var/lib/squid/ssl_db -M 64MB

Check that this /var path actually exists. That the low-privilege 
account the proxy uses has both read and write access to it.

Run the helper command to initialize the database before starting Squid. 
Do so using the low-privilege account Squid uses to ensure the database 
files have correct ownership.



> sslcrtd_children 32 startup=5 idle=1
> 
> # SSL-Bump
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all
> 

Please be aware that this configuration is trying to forge server 
certificates without having any details about the real server 
certificate. When you are past the helper problem it is likely that this 
basic configuration will cause a number of TLS problems.

For bumping as much as possible this is a better config:

  acl step1 at_step SslBump1
  ssl_bump peek step1
  ssl_bump stare all
  ssl_bump bump all


Amos


More information about the squid-users mailing list