[squid-users] dynamic SSL certificate generation not working in 3.3

From: Ahmed Talha Khan <auny87_at_gmail.com>
Date: Thu, 26 Apr 2012 11:12:44 +0500

Hey All,

I am trying to use the dynamic SSL certificate generation in 3.3. My
squid setup is an interception proxy setup. So dynamic generation in
interception is only possible with bump-server-first, available in
3.3.

I have added the Root CA certificate (generated by myself) to the
browser. The problem is that squid is still giving the same
certificate to the client which causes warnings on the browser. By
"same" I mean the certificate that I created myself which does not have
the correct destination domain. Looking at the presented certificate
in the browser, I can see the fields that I used to create the
certificate. Effectively this means that dynamic certificate
generation is not working.

Also certificates are supposed to be cached in the ssl_db by the
sslcrtd_program. There are no certificates being generated in that
path (/usr/local/squid-3.3/var/lib/ssl_db/certs). I can also see the 5
children of sslcrtd running. But it seems they are not doing their job.

My config is:
https_port is the involved port since I am in interception mode.

############################################################################
ssl_bump allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

## Dynamic certificate portion
sslcrtd_program /usr/local/squid-3.3/libexec/ssl_crtd -s /usr/local/squid-3.3/var/lib/ssl_db -M 4MB
sslcrtd_children 5

http_port 192.168.8.40:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/home/talha/squid/www.sample.com.pem key=/home/talha/squid/www.sample.com.pem

http_port 192.168.8.40:8080

https_port 192.168.8.40:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/home/talha/squid/www.sample.com.pem key=/home/talha/squid/www.sample.com.pem
#############################################################################

I am getting these errors in access.log for https sites (port 443 is
being used as it is transparent-interception mode)

2012/04/26 13:12:59| clientNegotiateSSL: Error negotiating SSL connection on FD 14: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (1/0)
2012/04/26 13:12:59| clientNegotiateSSL: Error negotiating SSL connection on FD 16: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (1/0)
2012/04/26 13:12:59| clientNegotiateSSL: Error negotiating SSL connection on FD 25: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (1/0)
2012/04/26 13:12:59| clientNegotiateSSL: Error negotiating SSL connection on FD 23: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (1/0)

Which certificate is bad?
Any idea why dynamic generation is not working? Or why this bad
certificate error?

-- 
Regards,
-Ahmed Talha Khan
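As an added example that is not part of the original post: a POSIX shell script that checks the three inputs a port configured with `ssl-bump generate-host-certificates=on` depends on, namely that the cert= file is a CA certificate (Squid signs the generated per-host certificates with it), that the key= file matches it, and that the ssl_crtd database given to -s has been initialised. It assumes the openssl CLI and the directory layout that `ssl_crtd -c` creates (a certs/ subdirectory and an index.txt file); the file paths are the ones from the config above.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the inputs an
# ssl-bump port with generate-host-certificates=on relies on. Assumes the
# openssl CLI is installed and that `ssl_crtd -c -s DIR` created DIR with a
# certs/ subdirectory and an index.txt file.
set -eu

# Does the first CERTIFICATE block in $1 carry basicConstraints CA:TRUE?
# Only a CA certificate can sign the per-host certificates Squid generates;
# a plain server certificate here yields certificates browsers reject.
pem_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Do the certificate in $1 and the private key in $2 share a public key?
# Both arguments may be the same combined PEM file, as in the config above.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Has the ssl_crtd database (the directory passed with -s) been initialised?
ssl_db_initialised() {
    [ -d "$1/certs" ] && [ -f "$1/index.txt" ]
}

# Run all three checks, print one line per finding, return 0 only if all pass.
check_bump_setup() {
    cert="$1"; key="$2"; db="$3"; rc=0
    if pem_is_ca "$cert"; then echo "ok: $cert is a CA certificate"
    else echo "FAIL: $cert has no basicConstraints CA:TRUE"; rc=1; fi
    if key_matches_cert "$cert" "$key"; then echo "ok: key matches certificate"
    else echo "FAIL: $key does not match $cert"; rc=1; fi
    if ssl_db_initialised "$db"; then echo "ok: $db is initialised"
    else echo "FAIL: $db lacks certs/ or index.txt (run: ssl_crtd -c -s $db)"; rc=1; fi
    return $rc
}

# Usage: sh check_bump.sh CERT.pem KEY.pem SSL_DB_DIR, e.g. with the paths from
# the config above: /home/talha/squid/www.sample.com.pem (twice) and
# /usr/local/squid-3.3/var/lib/ssl_db
if [ "$#" -eq 3 ]; then
    check_bump_setup "$1" "$2" "$3"
fi
```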
Received on Thu Apr 26 2012 - 06:12:55 MDT