RE: [squid-users] Using trusted fake CA cert for ssl-bump on http_port

From: Shinoj Gangadharan <sgangadharan_at_wavecrest.gi>
Date: Mon, 9 Dec 2013 11:55:42 +0530

Hi Sridhar,

I don't see the following in your config file:

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 50

always_direct allow all

/var/lib/ssl_db should be owned by squid. This is where the generated
certificates will be stored. This folder is created by using the command:

ssl_crtd -c -s /var/lib/ssl_db

Regards,
Shinoj.

> -----Original Message-----
> From: Sridhar N [mailto:sridhar.narasimhan_at_live.com]
> Sent: Thursday, December 05, 2013 10:56 AM
> To: squid-users_at_squid-cache.org
> Subject: [squid-users] Using trusted fake CA cert for ssl-bump on http_port
>
> Hi,
>
> I'm trying to get the ssl-bump & dynamic cert generation working for
> CONNECT requests. However, I get SSL cert warnings for each site. I tried to
> configure the "fake CA" cert itself (which is imported as trusted authority in
> the browser), but I'm getting "No valid signing SSL certificate configured for
> http_port" error.
>
> I know I'm doing something wrong here (more likely related to certs), but
> would deeply appreciate your assistance.
>
> a) Output of squid -v:
> Squid Cache: Version 3.3.10
> configure options:  '--prefix=/usr/local' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM' '--enable-ntlm-auth-helpers=smb_lm,' '--enable-digest-auth-helpers=ldap,password' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--enable-arp-acl' '--enable-zph-qos' '--enable-wccpv2' '--disable-translation' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-ssl' '--enable-esi' '--enable-ssl-crtd'
>
> SSL & ssl-crtd are enabled. The build is the recompile of the latest stable and
> running on Ubuntu 13.04
>
> b) This is my squid.conf
> root_at_ubuntu:~# less /usr/local/etc/squid.conf | egrep -v '^#' | egrep -v '^$'
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7       # RFC 4193 local private network range
> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localnet
> http_access allow localhost
> http_access allow all
> http_port 4128 ssl-bump  generate-host-certificates=on  cert=/etc/ssl/demoCA/CA/cacert.pem key=/etc/ssl/demoCA/CA/cacert.key
> ssl_bump server-first all
> coredump_dir /usr/local/var/cache/squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> c) This is the output of squid -k parse:
> 2013/12/05 10:46:32| Startup: Initializing Authentication Schemes ...
> 2013/12/05 10:46:32| Startup: Initialized Authentication Scheme 'basic'
> 2013/12/05 10:46:32| Startup: Initialized Authentication Scheme 'digest'
> 2013/12/05 10:46:32| Startup: Initialized Authentication Scheme 'negotiate'
> 2013/12/05 10:46:32| Startup: Initialized Authentication Scheme 'ntlm'
> 2013/12/05 10:46:32| Startup: Initialized Authentication.
> 2013/12/05 10:46:32| Processing Configuration File: /usr/local/etc/squid.conf (depth 0)
> 2013/12/05 10:46:32| Processing: acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> 2013/12/05 10:46:32| Processing: acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> 2013/12/05 10:46:32| Processing: acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> 2013/12/05 10:46:32| Processing: acl localnet src fc00::/7       # RFC 4193 local private network range
> 2013/12/05 10:46:32| Processing: acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
> 2013/12/05 10:46:32| Processing: acl SSL_ports port 443
> 2013/12/05 10:46:32| Processing: acl Safe_ports port 80 # http
> 2013/12/05 10:46:32| Processing: acl Safe_ports port 21 # ftp
> 2013/12/05 10:46:32| Processing: acl Safe_ports port 443 # https
> 2013/12/05 10:46:32| Processing: acl Safe_ports port 70 # gopher
> 2013/12/05 10:46:32| Processing: acl Safe_ports port 210 # wais
> 2013/12/05 10:46:32| Processing: acl Safe_ports port 1025-65535 # unregistered ports
> 2013/12/05 10:46:32| Processing: acl Safe_ports port 280 # http-mgmt
> 2013/12/05 10:46:32| Processing: acl Safe_ports port 488 # gss-http
> 2013/12/05 10:46:32| Processing: acl Safe_ports port 591 # filemaker
> 2013/12/05 10:46:32| Processing: acl Safe_ports port 777 # multiling http
> 2013/12/05 10:46:32| Processing: acl CONNECT method CONNECT
> 2013/12/05 10:46:32| Processing: http_access deny !Safe_ports
> 2013/12/05 10:46:32| Processing: http_access deny CONNECT !SSL_ports
> 2013/12/05 10:46:32| Processing: http_access allow localhost manager
> 2013/12/05 10:46:32| Processing: http_access deny manager
> 2013/12/05 10:46:32| Processing: http_access allow localnet
> 2013/12/05 10:46:32| Processing: http_access allow localhost
> 2013/12/05 10:46:32| Processing: http_access allow all
> 2013/12/05 10:46:32| Processing: http_port 4128 ssl-bump  generate-host-certificates=on  cert=/etc/ssl/demoCA/CA/cacert.pem key=/etc/ssl/demoCA/CA/cacert.key
> 2013/12/05 10:46:32| Processing: ssl_bump server-first all
> 2013/12/05 10:46:32| Processing: coredump_dir /usr/local/var/cache/squid
> 2013/12/05 10:46:32| Processing: refresh_pattern ^ftp: 1440 20% 10080
> 2013/12/05 10:46:32| Processing: refresh_pattern ^gopher: 1440 0% 1440
> 2013/12/05 10:46:32| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> 2013/12/05 10:46:32| Processing: refresh_pattern . 0 20% 4320
> 2013/12/05 10:46:32| Initializing https proxy context
> 2013/12/05 10:46:32| Initializing http_port [::]:4128 SSL context
> 2013/12/05 10:46:32| Using certificate in /etc/ssl/demoCA/CA/cacert.pem
> 2013/12/05 10:46:32| storeDirWriteCleanLogs: Starting...
> 2013/12/05 10:46:32|   Finished.  Wrote 0 entries.
> 2013/12/05 10:46:32|   Took 0.00 seconds (  0.00 entries/sec).
> FATAL: No valid signing SSL certificate configured for http_port [::]:4128
> Squid Cache (Version 3.3.10): Terminated abnormally.
> CPU Usage: 0.008 seconds = 0.008 user + 0.000 sys
> Maximum Resident Size: 25808 KB
> Page faults with physical i/o: 0
>
> d) If I change the certificate to a certificate signed by this CA, then it works
> (the common Name in the certificate is replaced) but I've to add an exception
> for each site.
>
> Thanks,
> Sridhar
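As an added example (not from either message and not part of the Squid project), the following shell preflight checks the points raised in the reply against a squid.conf like the one quoted above: that sslcrtd_program is present, that the ssl_db store exists and is owned by the squid user, and, going beyond what the thread states, that the cert= file is itself a CA certificate whose key= is its private key, since a leaf certificate issued by the CA (point d) cannot act as the signing certificate. The paths and the "squid" user name are assumptions taken from the thread and can be overridden with SQUID_CONF, SSL_DB and SQUID_USER.

```shell
#!/bin/sh
# Preflight for a Squid http_port with ssl-bump and generate-host-certificates=on.
# Added example, not from the thread or the Squid project. The paths and the
# "squid" user are assumptions; override with SQUID_CONF, SSL_DB, SQUID_USER.
SQUID_CONF="${SQUID_CONF:-/usr/local/etc/squid.conf}"
SSL_DB="${SSL_DB:-/var/lib/ssl_db}"
SQUID_USER="${SQUID_USER:-squid}"

# squid.conf must carry the directive (e.g. sslcrtd_program) at line start.
conf_has_directive() {  # $1 = squid.conf, $2 = directive name
    grep -Eq "^[[:space:]]*$2[[:space:]]" "$1"
}
# Pull cert= or key= off the first ssl-bump http_port line of squid.conf.
bump_port_option() {  # $1 = squid.conf, $2 = option name (cert or key)
    grep -E '^[[:space:]]*http_port[[:space:]].*ssl-bump' "$1" | head -n 1 |
        sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# The generated-cert store (ssl_crtd -c -s /var/lib/ssl_db) must exist and be
# owned by the user Squid runs as, or ssl_crtd cannot write into it.
ssl_db_owned_by() {  # $1 = directory, $2 = expected owner
    [ -d "$1" ] && [ -n "$(find "$1" -prune -user "$2" -print 2>/dev/null)" ]
}
# cert= must itself be a CA (basicConstraints CA:TRUE); a leaf certificate
# issued by the CA, as in point (d) of the question, cannot sign host certs.
cert_is_ca() {  # $1 = PEM certificate
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}
# key= must be the private key of cert= (compare the public keys).
cert_matches_key() {  # $1 = PEM certificate, $2 = PEM private key
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

preflight() {  # prints each failed check; returns 0 only when all pass
    rc=0
    conf_has_directive "$SQUID_CONF" sslcrtd_program ||
        { echo "FAIL: no sslcrtd_program in $SQUID_CONF"; rc=1; }
    ssl_db_owned_by "$SSL_DB" "$SQUID_USER" ||
        { echo "FAIL: $SSL_DB missing or not owned by $SQUID_USER"; rc=1; }
    cert=$(bump_port_option "$SQUID_CONF" cert)
    key=$(bump_port_option "$SQUID_CONF" key)
    cert_is_ca "$cert" || { echo "FAIL: $cert is not a CA certificate"; rc=1; }
    cert_matches_key "$cert" "$key" ||
        { echo "FAIL: $key is not the private key of $cert"; rc=1; }
    return $rc
}

# Run the checks when invoked directly:  sh squid-bump-preflight.sh run
case "${1:-}" in run) preflight; exit $? ;; esac
```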
Received on Mon Dec 09 2013 - 06:25:52 MST
