Re: [squid-users] Re: missing hostname in DynamicSslCert branch code ?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 09 Jan 2009 17:58:34 +1300

Alex Rousskov wrote:
> On Wed, 2009-01-07 at 10:30 -0800, David Molnar wrote:
>> I am trying to run
>> the DynamicSslCert branch squid and am running into a problem. It looks
>> like squid is somehow losing track of the hostname in the code that
>> attempts to generate the SSL certificate on the fly.
>
> Thank you for trying the new code and providing detailed debugging info.
>
> Before we dive into dynamic certificate generation bugs, let's verify
> that your setup works without dynamic certificate generation. Have you
> tried running stock Squid 3.1 with SslBump enabled? Does it work? You
> should be able to surf fine, but should get many certificate mismatch
> warnings/errors.
>
> I believe the SslBump wiki page has the basic config sample. Please
> confirm that stock SslBump works and we will go from there.
>
> Thank you,
>
> Alex.
>
>> I understand that this is experimental code and not guaranteed to work,
>> but if anyone happens to have an idea, or sees something I've
>> overlooked, I'd be grateful. Details follow.
>>
>> I started by setting up an http_port in my squid_conf like so:
>>
>> http_port 3128 sslBump generate-host-certificates=on
>> ca-config=/usr/local/ssl/openssl.cnf
>>
>> My full squid.conf is at
>> http://www.cs.berkeley.edu/~dmolnar/dyn-issue-squid.conf
>>
>> I then set up firefox to use 127.0.0.1:3128 as my proxy for http and
>> https. I see http requests handled properly at this point. When I go to
>> "https://www.bankofamerica.com" in firefox, however, I see nothing.
>>
>> I checked my cache.log. This is an excerpt from my cache.log:
>> 2009/01/05 22:32:21.661| httpRequestFree: www.bankofamerica.com:443
>> 2009/01/05 22:32:21.661| client_side.cc(3133) switchToHttps: converting
>> FD 9 to SSL
>> 2009/01/05 22:32:21.661| client_side.cc(3106) getSslContext: Generating
>> SSL certificate for
>>
>> At this point it looks like "host" is set equal to "".
>> Immediately after I see this:
>>
>> 2009/01/05 22:32:21.661| ssl_support.cc(1207)
>> generateCaSignedSslCertificate: Generating CA-signed certificate for
>> 2009/01/05 22:32:21.661| ssl_support.cc(1180) runSystemCommand: Running:
>> openssl req -new -newkey rsa:1024 -nodes -days 500 -subj /C=EN/CN= -out
>> server.csr -keyout server.key 2>/dev/null
>> 2009/01/05 22:32:21.661| ssl_support.cc(1182) runSystemCommand: Command
>> (openssl req -new -newkey rsa:1024 -nodes -days 500 -subj /C=EN/CN= -out
>> server.csr -keyout server.key 2>/dev/null) failed
>> 2009/01/05 22:32:21.708| ssl_support.cc(1193)
>> generateSelfSignedSslCertificate: Generating self-signed certificate for
>> 2009/01/05 22:32:21.708| ssl_support.cc(1180) runSystemCommand: Running:
>> openssl req -new -newkey rsa:1024 -nodes -x509 -days 500 -subj /C=EN/CN=
>> -out server.crt -keyout server.key 2>/dev/null
>> 2009/01/05 22:32:21.708| ssl_support.cc(1182) runSystemCommand: Command
>> (openssl req -new -newkey rsa:1024 -nodes -x509 -days 500 -subj
>> /C=EN/CN= -out server.crt -keyout server.key 2>/dev/null) failed
>> 2009/01/05 22:32:21.787| client_side.cc(3111) getSslContext: Failed to
>> generate SSL cert for
>> 2009/01/05 22:32:21.787| Closing SSL FD 9 as lacking SSL context
>>
>> Full log (warning: kind of long) at
>> http://www.cs.berkeley.edu/~dmolnar/dyn-issue-cache.log
>>
>> I tried the openssl commands on the command line, and the failure comes
>> because openssl complains about a CN of "". That then causes a non-zero
>> return code, in turn causing getSslContext to report failure.
>>
>> Does anyone have a suggestion for what to try next? I also tried setting
>> up an https_port with the same options as above, i.e.
>>
>> http_port 3129 sslBump generate-host-certificates=on
>> ca-config=/usr/local/ssl/openssl.cnf
>>
>> Unfortunately this led to an error "failure to acquire certificate" on
>> startup, and a note in the cache.log that port 3129 was disabled due to
>> certificate error. Do I need to also add additional options of some kind?
>>
>> Thanks again for any help,
>> -David Molnar
>>
>

Sounds like this may be related to bug 2536 with basic HTTPS.

  http://www.squid-cache.org/bugs/show_bug.cgi?id=2536

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
   Current Beta Squid 3.1.0.3
Received on Fri Jan 09 2009 - 05:00:15 MST
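The cache.log excerpt above shows the whole of the dynamic-certificate path: Squid builds an `openssl req ... -subj /C=EN/CN=<host>` command line, runs it, and, when the host name is empty, gets a non-zero exit and closes the client FD. The script below is an added example, not code from the DynamicSslCert branch or from Squid; it wraps the same openssl(1) calls in a shell function that refuses an empty or malformed host name before anything is interpolated into the command line, then reproduces the CA-signed path (key, CSR, signature by a CA) and reads the resulting CN back. Assumptions: the host name is the DNS name from the client's CONNECT request; the signing CA is a throwaway one created by `make_ca` (the branch expects a real CA via `ca-config=`); the key size is 2048 rather than the 1024 in the log; and a subjectAltName is added because current browsers ignore the CN, which the 2009 commands did not set.

```shell
#!/bin/sh
# Added example (not Squid code): shell wrapper around the openssl(1) calls
# that the DynamicSslCert cache.log shows Squid running, with the host name
# validated before it reaches the command line.

# valid_host NAME: succeed only for a non-empty, DNS-shaped name.
# The name is interpolated into a -subj argument, so anything outside
# [A-Za-z0-9.-], longer than 253 bytes, or with empty/odd labels is refused.
# (Assumption: this is the shape of name Squid gets from a CONNECT request.)
valid_host() {
    name=$1
    [ -n "$name" ] || return 1                 # the empty CN from the log
    [ ${#name} -le 253 ] || return 1
    case $name in
        *[!A-Za-z0-9.-]*) return 1 ;;          # shell metachars, spaces, etc.
        .*|*.|*..*|-*)    return 1 ;;          # empty label / leading hyphen
    esac
    return 0
}

# make_ca DIR: throwaway signing CA (ca.key, ca.crt) so the example runs
# offline.  In the branch the CA comes from the ca-config= option instead.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/C=EN/CN=Example interception CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# gen_host_cert HOST DIR: the generateCaSignedSslCertificate path from the
# log: key + CSR for HOST, signed by DIR/ca.key.  Writes DIR/HOST.key and
# DIR/HOST.crt.  Returns 1 without calling openssl when HOST is not valid,
# which is the check that was missing when the log shows "CN=" being run.
gen_host_cert() {
    host=$1; dir=$2
    valid_host "$host" || {
        echo "refusing to generate a certificate for '$host'" >&2
        return 1
    }
    # Same subject layout as the log (/C=EN/CN=...), but rsa:2048.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=EN/CN=$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null || return 1
    # Browsers now match on subjectAltName, not CN; the 2009 command set CN only.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/$host.ext"
    openssl x509 -req -days 500 -in "$dir/$host.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null
}

# cert_cn FILE: print the CN of a certificate (the value that ended up empty
# in the log).  RFC2253 output is "subject=CN=host,C=EN" on OpenSSL 1.1+/3.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" 2>/dev/null |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Demo when run directly: a valid host gets a CA-signed leaf; the empty host
# from the log is refused before openssl is ever called.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_ca "$work"
    gen_host_cert www.example.test "$work" &&
        echo "generated leaf with CN=$(cert_cn "$work/www.example.test.crt")"
    gen_host_cert "" "$work" || echo "empty host refused"
    rm -rf "$work"
fi
```

The point of `valid_host` is ordering: the name is checked before it is interpolated into the command, so a bad name fails in the wrapper with a clear message instead of surfacing as an opaque "Command (...) failed" from openssl, and nothing unexpected ever reaches the command line. Whether openssl itself rejects an empty CN depends on the OpenSSL version (newer releases skip the empty attribute with a warning rather than failing), which is one more reason not to rely on it as the check.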

This archive was generated by hypermail 2.2.0 : Fri Jan 09 2009 - 12:00:02 MST