[PATCH] Ask for SSL key password when started with -N but without sslpassword_program

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Fri, 24 May 2013 08:32:11 -0600

Hello,

    The attached patch does not give SSL a password-asking callback if
sslpassword_program is not configured. Without a callback, OpenSSL
itself asks for the password (which works if Squid runs in foreground
because of -N).

The fix applies to Ssl::readCertChainAndPrivateKeyFromFiles() context
only. This is not the only place where we read private keys. Some other
places are working correctly, but others may need more work. Also,
Ssl::readCertChainAndPrivateKeyFromFiles() may not really work if
sslpassword_program _is_ configured because it will lack "user data" to
record the password in.

This change is for the better, and the reporter (on squid-users) says
the patch solved his problem, but a complete fix needs
investigation/testing and possibly more development. I am not
volunteering for that additional work at this time.

Thank you,

Alex.

On 05/23/2013 08:27 AM, Dieter Bloms wrote:
> Hi,
>
> I use squid 3.3.5 with the ssl-bump feature.
> My private key is encrypted and I want to enter the password at start time.
>
> Since 3.3.5 squid wants to execute a program even though I haven't configured
> sslpassword_program and start squid with the -N option.
>
> --snip--
> idvhttpsproxy01:~ # squid -f /etc/squid/squid.conf -NY
> sh: (null): command not found
> FATAL: No valid signing SSL certificate configured for http_port MYIP:8080
> Squid Cache (Version 3.3.5): Terminated abnormally.
> CPU Usage: 0.004 seconds = 0.000 user + 0.004 sys
> Maximum Resident Size: 21248 KB
> Page faults with physical i/o: 0
> --snip--
>
> when I set sslpassword_program to a program which prints the password on
> stdout squid starts, but I want to enter the password during start of
> squid.
>
> Is this a bug?

Yes, I think it is. Please check whether the attached patch works when
you start Squid with -N and _without_ sslpassword_program.

The patch may or may not work when you start Squid without -N and with
sslpassword_program. The outcome depends on whether snprintf() crashes
when given a NULL pointer and on whether your sslpassword_program needs
to know the name of the key file Squid is trying to load (that name will
not be passed to your sslpassword_program). If you can test this
scenario, please do.

Please let us know what your tests show.

The patch is against trunk and is untested beyond compilation. It should
apply to v3.3 as well.

HTH,

Alex.
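The two mechanisms discussed above (OpenSSL's own terminal prompt versus a Squid-installed callback that runs sslpassword_program, plus the "user data" and NULL-pointer hazards Alex mentions) can be shown in a few lines of C. The following is an added illustration, not the attached patch and not Squid's code: the struct name PasswdUserData, the function names, and the password "program" used in main() are all constructed for this example, and the callback type is declared locally with the same shape as OpenSSL's pem_password_cb so that nothing here links against OpenSSL.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same shape as OpenSSL's pem_password_cb; declared here so the example
 * builds without OpenSSL. (Constructed example, not Squid code.) */
typedef int (*pem_password_cb_t)(char *buf, int size, int rwflag, void *userdata);

/* The "user data" the callback needs (hypothetical struct name). */
struct PasswdUserData {
    const char *program; /* sslpassword_program; NULL when not configured */
    const char *keyFile; /* key file being loaded; handed to the program */
};

/* Callback: run `program keyFile` and read one line from its stdout.
 * Returns the password length, or 0 on any failure (OpenSSL treats 0 as
 * "no password available", so the key load fails cleanly instead of crashing). */
int ask_password_via_program(char *buf, int size, int rwflag, void *userdata)
{
    const struct PasswdUserData *ud = userdata;
    (void)rwflag; /* we only ever read keys here */

    /* The hazard raised in the thread: snprintf("%s", NULL) is undefined
     * behaviour. Check every pointer explicitly instead of relying on libc. */
    if (!ud || !ud->program || !buf || size <= 1)
        return 0;

    /* popen() hands the string to /bin/sh, so in real code prefer fork/execv
     * with an argv vector; a key path containing shell metacharacters would
     * otherwise be interpreted by the shell. Kept simple here for illustration. */
    char cmd[1024];
    int n = snprintf(cmd, sizeof cmd, "%s %s",
                     ud->program, ud->keyFile ? ud->keyFile : "");
    if (n < 0 || (size_t)n >= sizeof cmd)
        return 0;

    FILE *pipe = popen(cmd, "r");
    if (!pipe)
        return 0;
    if (!fgets(buf, size, pipe)) {
        pclose(pipe);
        return 0;
    }
    pclose(pipe);
    buf[strcspn(buf, "\r\n")] = '\0'; /* strip the trailing newline */
    return (int)strlen(buf);
}

/* The behaviour the patch aims for: install a callback only when a program is
 * configured. Passing NULL to SSL_CTX_set_default_passwd_cb() leaves OpenSSL's
 * own terminal prompt in place, which works while Squid stays in the
 * foreground (-N). */
pem_password_cb_t choose_password_callback(const char *program)
{
    return program ? ask_password_via_program : NULL;
}

int main(void)
{
    /* Constructed sample "program": echoes a password derived from argv[1]. */
    struct PasswdUserData ud = { "sh -c 'echo pw-for-$1' sh", "/path/to/key.pem" };
    pem_password_cb_t cb = choose_password_callback(ud.program);
    char pw[256];
    int len = cb ? cb(pw, sizeof pw, 0, &ud) : 0;
    printf("callback=%s len=%d\n", cb ? "program" : "none (OpenSSL prompts)", len);

    /* With no program configured, no callback is installed at all. */
    printf("no program -> callback %s\n",
           choose_password_callback(NULL) ? "set" : "NULL");
    return 0;
}
```

The second half of Alex's caveat, that sslpassword_program may need the key file name, is why the struct carries keyFile and why the caller must actually supply the struct as userdata (via SSL_CTX_set_default_passwd_cb_userdata() in real OpenSSL code): a callback that dereferences NULL userdata is exactly the crash scenario described above, and returning 0 is the safe failure.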

Received on Fri May 24 2013 - 14:32:15 MDT
