[squid-users] Re: missing hostname in DynamicSslCert branch code ?

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Thu, 08 Jan 2009 21:47:50 -0700

On Wed, 2009-01-07 at 10:30 -0800, David Molnar wrote:
> I am trying to run
> the DynamicSslCert branch squid and running into a problem. It looks
> like squid is somehow losing track of the hostname in the code that
> attempts to generate the SSL certificate on the fly.

Thank you for trying the new code and providing detailed debugging info.

Before we dive into dynamic certificate generation bugs, let's verify
that your setup works without dynamic certificate generation. Have you
tried running stock Squid 3.1 with SslBump enabled? Does it work? You
should be able to surf fine, but should get many certificate mismatch
warnings/errors.

I believe the SslBump wiki page has the basic config sample. Please
confirm that stock SslBump works and we will go from there.

Thank you,

Alex.

> I understand that this is experimental code and not guaranteed to work,
> but if anyone happens to have an idea, or sees something I've
> overlooked, I'd be grateful. Details follow.
>
> I started by setting up an http_port in my squid_conf like so:
>
> http_port 3128 sslBump generate-host-certificates=on
> ca-config=/usr/local/ssl/openssl.cnf
>
> My full squid.conf is at
> http://www.cs.berkeley.edu/~dmolnar/dyn-issue-squid.conf
>
> I then set up firefox to use 127.0.0.1:3128 as my proxy for http and
> https. I see http requests handled properly at this point. When I go to
> "https://www.bankofamerica.com" in firefox, however, I see nothing.
>
> I checked my cache.log. This is an excerpt from my cache.log:
> 2009/01/05 22:32:21.661| httpRequestFree: www.bankofamerica.com:443
> 2009/01/05 22:32:21.661| client_side.cc(3133) switchToHttps: converting
> FD 9 to SSL
> 2009/01/05 22:32:21.661| client_side.cc(3106) getSslContext: Generating
> SSL certificate for
>
> At this point it looks like "host" is set equal to "".
> Immediately after I see this:
>
> 2009/01/05 22:32:21.661| ssl_support.cc(1207)
> generateCaSignedSslCertificate: Generating CA-signed certificate for
> 2009/01/05 22:32:21.661| ssl_support.cc(1180) runSystemCommand: Running:
> openssl req -new -newkey rsa:1024 -nodes -days 500 -subj /C=EN/CN= -out
> server.csr -keyout server.key 2>/dev/null
> 2009/01/05 22:32:21.661| ssl_support.cc(1182) runSystemCommand: Command
> (openssl req -new -newkey rsa:1024 -nodes -days 500 -subj /C=EN/CN= -out
> server.csr -keyout server.key 2>/dev/null) failed
> 2009/01/05 22:32:21.708| ssl_support.cc(1193)
> generateSelfSignedSslCertificate: Generating self-signed certificate for
> 2009/01/05 22:32:21.708| ssl_support.cc(1180) runSystemCommand: Running:
> openssl req -new -newkey rsa:1024 -nodes -x509 -days 500 -subj /C=EN/CN=
> -out server.crt -keyout server.key 2>/dev/null
> 2009/01/05 22:32:21.708| ssl_support.cc(1182) runSystemCommand: Command
> (openssl req -new -newkey rsa:1024 -nodes -x509 -days 500 -subj
> /C=EN/CN= -out server.crt -keyout server.key 2>/dev/null) failed
> 2009/01/05 22:32:21.787| client_side.cc(3111) getSslContext: Failed to
> generate SSL cert for
> 2009/01/05 22:32:21.787| Closing SSL FD 9 as lacking SSL context
>
> Full log (warning: kind of long) at
> http://www.cs.berkeley.edu/~dmolnar/dyn-issue-cache.log
>
> I tried the openssl commands on the command line, and the failure comes
> because openssl complains about a CN of "". That then causes a non-zero
> return code, in turn causing getSslContext to report failure.
>
> Does anyone have a suggestion for what to try next? I also tried setting
> up an https_port with the same options as above, i.e.
>
> http_port 3129 sslBump generate-host-certificates=on
> ca-config=/usr/local/ssl/openssl.cnf
>
> Unfortunately this led to an error "failure to acquire certificate" on
> startup, and a note in the cache.log that port 3129 was disabled due to
> certificate error. Do I need to also add additional options of some kind?
>
> Thanks again for any help,
> -David Molnar
>
Received on Fri Jan 09 2009 - 04:48:12 MST

This archive was generated by hypermail 2.2.0 : Fri Jan 09 2009 - 12:00:02 MST