Re: [squid-users] Need help on SSL bump and certificate chain

From: Guy Helmer <guy.helmer_at_palisadesystems.com>
Date: Wed, 10 Apr 2013 10:31:31 -0500

On Apr 10, 2013, at 10:05 AM, Prasanna Venkateswaran <prascalls_at_gmail.com> wrote:

> Hi,
> I spent more time on this today by looking at the code. I see from
> the code that squid does not accept certificates which require
> passphrase to read the private key.
>
> In the function readSslPrivateKey(...), I see this
> EVP_PKEY *pkey = PEM_read_bio_PrivateKey(bio.get(), NULL,
> passwd_callback, NULL);
>
> The passphrase argument is NULL. The certificate file I was
> using requires a passphrase to read the keys while the self signed
> certificate does not require it and hence it was working.
>
> Am I right in my understanding? Is this the way squid is
> designed to work or is this a bug?
>

Even if you could load this private key, I would not expect the matching certificate to be able to sign other certificates in support of man-in-the-middle decryption. Otherwise anyone could perform man-in-the-middle decryption with dynamically generated certificates that clients would trust.

To implement dynamic certificate generation, you need your own certificate capable of signing other certificates, and then your clients have to be configured to trust that certificate. It sounds like you had previously implemented that approach.

Guy

>
> On 4/9/13, Prasanna Venkateswaran <prascalls_at_gmail.com> wrote:
>> Hi,
>> I am using squid 3.3.1 to enable the dynamic certificate
>> generation functionality and it works fine with a self signed
>> certificate. I now have an actual signed certificate and the ssl chain
>> is such that my certificate -> CA1 -> Root CA.
>>
>> I cleared the previous cert db directory and re-initialized it. I
>> then created a cert.chain file in the format mentioned below.
>>
>> -----BEGIN CERTIFICATE-----
>> <public key of my certificate >
>> -----END CERTIFICATE-----
>> -----BEGIN RSA PRIVATE KEY-----
>> < my private key >
>> -----END RSA PRIVATE KEY-----
>> -----BEGIN CERTIFICATE-----
>> <public key of CA1 >
>> -----END CERTIFICATE-----
>> -----BEGIN CERTIFICATE-----
>> <public key of Root CA >
>> -----END CERTIFICATE-----
>>
>> squid.conf:
>> https_port 3129 intercept generate-host-certificates=on
>> dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/cert.chain
>> ssl-bump
>>
>> But when I start squid, I get the following error.
>>
>> /usr/sbin/squid start
>> sh: (null): not found
>> FATAL: No valid signing SSL certificate configured for https_port
>> 0.0.0.0:3129
>> Squid Cache (Version 3.3.1): Terminated abnormally.
>> CPU Usage: 0.050 seconds = 0.050 user + 0.000 sys
>> Maximum Resident Size: 0 KB
>> Page faults with physical i/o: 0
>>
>>
>> I also tried with just my cert and private key without the chain
>> information and I get the same error there also. Am I missing
>> something here?
>>
>> Regards,
>> Prasanna
>>
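The two conditions this thread turns on, a signing certificate that carries basicConstraints CA:TRUE and a private key that loads without a passphrase, can be checked before handing a PEM bundle to the `cert=` option. The script below is an added example, not code from the thread or from Squid: `make_bump_ca` builds a self-signed CA with an unencrypted key in the cert-then-key layout the original poster used, and `check_bump_cert` reports why a bundle would be rejected. The names and the "Example Squid SSL Bump CA" subject are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread or Squid). Requires the openssl CLI.

# Return 0 only if the bundle's key is unencrypted and its first
# certificate is a CA; otherwise print the reason and return 1.
check_bump_cert() {
    pem="$1"
    ok=0
    # Passphrase-protected keys are marked in the PEM header:
    # PKCS#8 uses "ENCRYPTED PRIVATE KEY", legacy keys a Proc-Type line.
    if grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e '^Proc-Type: 4,ENCRYPTED' "$pem"; then
        echo "$pem: private key is passphrase-protected; squid loads keys without a passphrase"
        ok=1
    fi
    # openssl x509 reads only the first certificate in the file, which is
    # the one squid uses to sign generated certificates.
    if ! openssl x509 -in "$pem" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo "$pem: first certificate lacks basicConstraints CA:TRUE; it cannot sign other certificates"
        ok=1
    fi
    return $ok
}

# Generate a self-signed CA with an unencrypted key (-nodes) and write
# certificate followed by key into "$1"; also leaves "$1.crt" and "$1.key".
make_bump_ca() {
    out="$1"
    cfg=$(mktemp) || return 1
    cat > "$cfg" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Squid SSL Bump CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$cfg" -keyout "$out.key" -out "$out.crt" 2>/dev/null || return 1
    rm -f "$cfg"
    cat "$out.crt" "$out.key" > "$out"
}
```

Clients still have to be configured to trust the generated CA certificate, as the reply above notes; the check only tells you whether squid can use the bundle for signing.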
Received on Wed Apr 10 2013 - 15:32:21 MDT

This archive was generated by hypermail 2.2.0 : Thu Apr 11 2013 - 12:00:03 MDT