Re: [squid-users] dynamic SSL certificate generation not working in 3.3

From: Guy Helmer <guy.helmer_at_palisadesystems.com>
Date: Thu, 26 Apr 2012 15:26:10 -0500

On Apr 26, 2012, at 1:12 AM, Ahmed Talha Khan wrote:

> Hey All,
>
> I am trying to use the dynamic SSL certificate generation in 3.3. My
> squid setup is an interception proxy setup. So dynamic generation in
> interception is only possible after bump-server first available in
> 3.3.
>
> I have added the Root CA certificate(generated by myself) to the
> browser. The problem is that squid is still giving the same
> certificate to the client which causes warnings on the browser. By
> same I mean the certificate that I created myself which does not have
> the correct destination domain. Looking at the presented certificate
> in the browser, I can see the fields that I used to create the
> certificate. Effectively this means that dynamic certificate
> generation is not working.
>
> Also certificates are supposed to be cached in the ssl_db by the
> sslcrt_program. There are no certificates being generated in that
> path(/usr/local/squid-3.3/var/lib/ssl_db/certs). I can also see the 5
> children of sslcrtd running. But seems they are not doing their job.
>
> My config is:
> https_port is the involved port since I am in interception mode.
>
> ############################################################################
> ssl_bump allow all
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
>
> ##Dynamic certificate portion
> sslcrtd_program /usr/local/squid-3.3/libexec/ssl_crtd -s
> /usr/local/squid-3.3/var/lib/ssl_db -M 4MB
> sslcrtd_children 5
>
> http_port 192.168.8.40:3128 intercept ssl-bump
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/home/talha/squid/www.sample.com.pem
> key=/home/talha/squid/www.sample.com.pem
>
> http_port 192.168.8.40:8080
>
>
> https_port 192.168.8.40:3129 intercept ssl-bump
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/home/talha/squid/www.sample.com.pem
> key=/home/talha/squid/www.sample.com.pem
> #############################################################################
>
>
>
> I am getting these errors in access.log for https sites (port 443 is
> being used as it is transparent-interception mode)
>
> 2012/04/26 13:12:59| clientNegotiateSSL: Error negotiating SSL
> connection on FD 14: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
> alert bad certificate (1/0)
> 2012/04/26 13:12:59| clientNegotiateSSL: Error negotiating SSL
> connection on FD 16: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
> alert bad certificate (1/0)
> 2012/04/26 13:12:59| clientNegotiateSSL: Error negotiating SSL
> connection on FD 25: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
> alert bad certificate (1/0)
> 2012/04/26 13:12:59| clientNegotiateSSL: Error negotiating SSL
> connection on FD 23: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
> alert bad certificate (1/0)
>
> Which certificate is bad?
> Any idea why dynamic generation is not working? Or why this bad
> certificate error?

For clientNegotiateSSL errors, this is probably the client rejecting the certificate supplied by Squid. Since you say that the ssl_crtd daemons do not appear to be creating SSL certificates, is /usr/local/squid-3.3/var/lib/ssl_db owned by the squid user, and does it have the index.txt, serial, and size files in it, and the certs subdirectory? Is there anything in the index.txt file? Is there anything in the size file?

Does the /home/talha/squid/www.sample.com.pem file contain a valid certificate and key?

Guy
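A shell script for the two checks Guy asks about (an initialised ssl_crtd database and a PEM that carries both the certificate and the key), added here as an example and not part of the thread; it assumes the paths from the original post and that Squid runs as the `squid` user.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Checks the ssl_crtd database layout
# and the PEM file the way the reply above suggests. Paths come from the
# original post; the "squid" user name is an assumption.
DB=/usr/local/squid-3.3/var/lib/ssl_db
PEM=/home/talha/squid/www.sample.com.pem

# 0 if DIR has the files "ssl_crtd -c" creates (index.txt, serial, size, certs/);
# also reports whether index.txt and size hold anything and who owns DIR.
check_ssl_db() {
    dir="$1"; want_owner="$2"; rc=0
    [ -d "$dir" ] || { echo "missing: $dir (initialise with: ssl_crtd -c -s $dir)"; return 1; }
    for f in index.txt serial size; do
        [ -f "$dir/$f" ] || { echo "missing: $dir/$f"; rc=1; }
    done
    [ -d "$dir/certs" ] || { echo "missing: $dir/certs/"; rc=1; }
    for f in index.txt size; do
        [ -s "$dir/$f" ] && echo "$f has content" || echo "$f is empty"
    done
    if [ -n "$want_owner" ]; then
        owner=$(ls -ld "$dir" | awk '{print $3}')   # works with GNU and BSD ls
        [ "$owner" = "$want_owner" ] || { echo "$dir owned by $owner, not $want_owner"; rc=1; }
    fi
    return $rc
}

# 0 if FILE holds both a certificate and a private key block, which is what
# pointing cert= and key= at the same .pem requires. This only looks at the
# PEM markers; the openssl parse in main() is the real test when openssl exists.
check_pem_markers() {
    file="$1"
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$file" || { echo "no certificate in $file"; return 1; }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$file" || { echo "no private key in $file"; return 1; }
}

main() {
    check_ssl_db "$DB" squid
    check_pem_markers "$PEM" || return 1
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -in "$PEM" -noout -subject -issuer || { echo "certificate does not parse"; return 1; }
        openssl pkey -in "$PEM" -noout || { echo "private key does not parse"; return 1; }
    fi
}

# Only run the checks when invoked as: sh check_sslbump.sh run
if [ "${1:-}" = run ]; then main; fi
```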

Received on Thu Apr 26 2012 - 20:26:42 MDT

This archive was generated by hypermail 2.2.0 : Fri Apr 27 2012 - 12:00:03 MDT