[squid-users] Re: Need help on SSL bump and certificate chain

From: Prasanna Venkateswaran <prascalls_at_gmail.com>
Date: Wed, 10 Apr 2013 20:35:35 +0530

Hi,
    I spent more time on this today by looking at the code. I see from
the code that squid does not accept certificates which require a
passphrase to read the private key.

In the function readSslPrivateKey(...), I see this
EVP_PKEY *pkey = PEM_read_bio_PrivateKey(bio.get(), NULL,
passwd_callback, NULL);

       The passphrase argument is NULL. The certificate file I was
using requires a passphrase to read the keys while the self-signed
certificate does not require it and hence it was working.

       Am I right in my understanding? Is this the way squid is
designed to work or is this a bug?

Regards,
Prasanna

On 4/9/13, Prasanna Venkateswaran <prascalls_at_gmail.com> wrote:
> Hi,
> I am using squid 3.3.1 to enable the dynamic certificate
> generation functionality and it works fine with a self-signed
> certificate. I now have an actual signed certificate and the ssl chain
> is such that my certificate -> CA1 -> Root CA.
>
> I cleared the previous cert db directory and re-initialized it. I
> then created a cert.chain file in the format mentioned below.
>
> -----BEGIN CERTIFICATE-----
> <public key of my certificate >
> -----END CERTIFICATE-----
> -----BEGIN RSA PRIVATE KEY-----
> < my private key >
> -----END RSA PRIVATE KEY-----
> -----BEGIN CERTIFICATE-----
> <public key of CA1 >
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> <public key of Root CA >
> -----END CERTIFICATE-----
>
> squid.conf:
> https_port 3129 intercept generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/cert.chain
> ssl-bump
>
> But when I start squid, I get the following error.
>
> /usr/sbin/squid start
> sh: (null): not found
> FATAL: No valid signing SSL certificate configured for https_port
> 0.0.0.0:3129
> Squid Cache (Version 3.3.1): Terminated abnormally.
> CPU Usage: 0.050 seconds = 0.050 user + 0.000 sys
> Maximum Resident Size: 0 KB
> Page faults with physical i/o: 0
>
>
> I also tried with just my cert and private key without the chain
> information and I get the same error there also. Am I missing
> something here?
>
> Regards,
> Prasanna
>
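A quick pre-flight check for the situation described in this thread, added here as an example and not part of the original mail or of squid: it parses a PEM bundle laid out like the cert.chain file above and reports whether the private key block is passphrase-protected (PKCS#8 "ENCRYPTED PRIVATE KEY" or a legacy "Proc-Type: 4,ENCRYPTED" header), which is the case squid's key loader cannot handle without a passphrase. The sample bundles and their base64 bodies are constructed placeholders, not real keys.

```python
import re
import sys

# One PEM block: label, then everything up to the matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)

def inspect_pem_bundle(text):
    """Count certificates and private keys in a PEM bundle (like squid's cert= file)
    and how many of the keys would need a passphrase to decrypt."""
    certs = keys = encrypted = 0
    for label, body in PEM_BLOCK.findall(text):
        if label == "CERTIFICATE":
            certs += 1
        elif label == "ENCRYPTED PRIVATE KEY":
            keys += 1            # PKCS#8 encrypted form: always passphrase-protected
            encrypted += 1
        elif label.endswith("PRIVATE KEY"):
            keys += 1
            # Legacy blocks (e.g. "RSA PRIVATE KEY") mark encryption with a
            # "Proc-Type: 4,ENCRYPTED" header line before the base64 data.
            if re.search(r"^Proc-Type: 4,ENCRYPTED", body, re.MULTILINE):
                encrypted += 1
    return {"certificates": certs, "private_keys": keys, "encrypted_keys": encrypted}

def needs_passphrase(text):
    """True if any private key in the bundle cannot be read without a passphrase."""
    return inspect_pem_bundle(text)["encrypted_keys"] > 0

# Constructed sample bundles; bodies are placeholders, not real key material.
PLAIN_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIIBserver\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nMIIEkey\n-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIBca1\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIBroot\n-----END CERTIFICATE-----\n"
)
ENCRYPTED_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIIBserver\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\nMIIEkey\n"
    "-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    # Usage: python check_bundle.py /etc/squid/ssl_cert/cert.chain
    with open(sys.argv[1]) as fh:
        print(inspect_pem_bundle(fh.read()))
```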
Received on Wed Apr 10 2013 - 15:05:44 MDT

This archive was generated by hypermail 2.2.0 : Wed Apr 10 2013 - 12:00:05 MDT