Hi,
I'm trying to get the ssl-bump & dynamic cert generation working for CONNECT requests. However, I get SSL cert warnings for each site. I tried to configure the "fake CA" cert itself (which is imported as trusted authority in the browser), but I'm getting "No valid signing SSL certificate configured for http_port" error.
I know I'm doing something wrong here (more likely related to certs), but would deeply appreciate your assistance.
a) Output of squid -v:
Squid Cache: Version 3.3.10
configure options: '--prefix=/usr/local' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM' '--enable-ntlm-auth-helpers=smb_lm,' '--enable-digest-auth-helpers=ldap,password' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--enable-arp-acl' '--enable-zph-qos' '--enable-wccpv2' '--disable-translation' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-ssl' '--enable-esi' '--enable-ssl-crtd'
SSL & ssl-crtd are enabled. The build is a recompile of the latest stable, running on Ubuntu 13.04.
b) This is my squid.conf
root_at_ubuntu:~# less /usr/local/etc/squid.conf | egrep -v '^#' | egrep -v '^$'
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access allow all
http_port 4128 ssl-bump generate-host-certificates=on cert=/etc/ssl/demoCA/CA/cacert.pem key=/etc/ssl/demoCA/CA/cacert.key
ssl_bump server-first all
coredump_dir /usr/local/var/cache/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
c) This is the output of squid -k parse:
2013/12/05 10:46:32| Startup: Initializing Authentication Schemes ...
2013/12/05 10:46:32| Startup: Initialized Authentication Scheme 'basic'
2013/12/05 10:46:32| Startup: Initialized Authentication Scheme 'digest'
2013/12/05 10:46:32| Startup: Initialized Authentication Scheme 'negotiate'
2013/12/05 10:46:32| Startup: Initialized Authentication Scheme 'ntlm'
2013/12/05 10:46:32| Startup: Initialized Authentication.
2013/12/05 10:46:32| Processing Configuration File: /usr/local/etc/squid.conf (depth 0)
2013/12/05 10:46:32| Processing: acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
2013/12/05 10:46:32| Processing: acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
2013/12/05 10:46:32| Processing: acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
2013/12/05 10:46:32| Processing: acl localnet src fc00::/7 # RFC 4193 local private network range
2013/12/05 10:46:32| Processing: acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
2013/12/05 10:46:32| Processing: acl SSL_ports port 443
2013/12/05 10:46:32| Processing: acl Safe_ports port 80 # http
2013/12/05 10:46:32| Processing: acl Safe_ports port 21 # ftp
2013/12/05 10:46:32| Processing: acl Safe_ports port 443 # https
2013/12/05 10:46:32| Processing: acl Safe_ports port 70 # gopher
2013/12/05 10:46:32| Processing: acl Safe_ports port 210 # wais
2013/12/05 10:46:32| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2013/12/05 10:46:32| Processing: acl Safe_ports port 280 # http-mgmt
2013/12/05 10:46:32| Processing: acl Safe_ports port 488 # gss-http
2013/12/05 10:46:32| Processing: acl Safe_ports port 591 # filemaker
2013/12/05 10:46:32| Processing: acl Safe_ports port 777 # multiling http
2013/12/05 10:46:32| Processing: acl CONNECT method CONNECT
2013/12/05 10:46:32| Processing: http_access deny !Safe_ports
2013/12/05 10:46:32| Processing: http_access deny CONNECT !SSL_ports
2013/12/05 10:46:32| Processing: http_access allow localhost manager
2013/12/05 10:46:32| Processing: http_access deny manager
2013/12/05 10:46:32| Processing: http_access allow localnet
2013/12/05 10:46:32| Processing: http_access allow localhost
2013/12/05 10:46:32| Processing: http_access allow all
2013/12/05 10:46:32| Processing: http_port 4128 ssl-bump generate-host-certificates=on cert=/etc/ssl/demoCA/CA/cacert.pem key=/etc/ssl/demoCA/CA/cacert.key
2013/12/05 10:46:32| Processing: ssl_bump server-first all
2013/12/05 10:46:32| Processing: coredump_dir /usr/local/var/cache/squid
2013/12/05 10:46:32| Processing: refresh_pattern ^ftp: 1440 20% 10080
2013/12/05 10:46:32| Processing: refresh_pattern ^gopher: 1440 0% 1440
2013/12/05 10:46:32| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
2013/12/05 10:46:32| Processing: refresh_pattern . 0 20% 4320
2013/12/05 10:46:32| Initializing https proxy context
2013/12/05 10:46:32| Initializing http_port [::]:4128 SSL context
2013/12/05 10:46:32| Using certificate in /etc/ssl/demoCA/CA/cacert.pem
2013/12/05 10:46:32| storeDirWriteCleanLogs: Starting...
2013/12/05 10:46:32| Finished. Wrote 0 entries.
2013/12/05 10:46:32| Took 0.00 seconds ( 0.00 entries/sec).
FATAL: No valid signing SSL certificate configured for http_port [::]:4128
Squid Cache (Version 3.3.10): Terminated abnormally.
CPU Usage: 0.008 seconds = 0.008 user + 0.000 sys
Maximum Resident Size: 25808 KB
Page faults with physical i/o: 0
d) If I change the certificate to a certificate signed by this CA, then it works (the Common Name in the certificate is replaced), but I have to add an exception for each site.
Thanks,
Sridhar
Received on Thu Dec 05 2013 - 05:26:02 MST
This archive was generated by hypermail 2.2.0 : Mon Dec 09 2013 - 12:00:05 MST