[squid-users] Using trusted fake CA cert for ssl-bump on http_port

From: Sridhar N <sridhar.narasimhan_at_live.com>
Date: Thu, 5 Dec 2013 10:55:55 +0530

Hi, I'm trying to get the ssl-bump & dynamic cert generation working for CONNECT requests. However, I get SSL cert warnings for each site. I tried to configure the "fake CA" cert itself (which is imported as a trusted authority in the browser), but I'm getting a "No valid signing SSL certificate configured for http_port" error. I know I'm doing something wrong here (more likely related to certs), but would deeply appreciate your assistance.

a) Output of squid -v:

    Squid Cache: Version 3.3.10
    configure options:  '--prefix=/usr/local' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM' '--enable-ntlm-auth-helpers=smb_lm,' '--enable-digest-auth-helpers=ldap,password' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--enable-arp-acl' '--enable-zph-qos' '--enable-wccpv2' '--disable-translation' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-ssl' '--enable-esi' '--enable-ssl-crtd'

SSL & ssl-crtd are enabled. The build is a recompile of the latest stable and is running on Ubuntu 13.04.

b) This is my squid.conf:

    root_at_ubuntu:~# less /usr/local/etc/squid.conf | egrep -v '^#' | egrep -v '^$'
    acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
    acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
    acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
    acl localnet src fc00::/7       # RFC 4193 local private network range
    acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localhost manager
    http_access deny manager
    http_access allow localnet
    http_access allow localhost
    http_access allow all
    http_port 4128 ssl-bump  generate-host-certificates=on  cert=/etc/ssl/demoCA/CA/cacert.pem key=/etc/ssl/demoCA/CA/cacert.key
    ssl_bump server-first all
    coredump_dir /usr/local/var/cache/squid
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern . 0 20% 4320

c) This is the output of squid -k parse:

    2013/12/05 10:46:32| Startup: Initializing Authentication Schemes ...
    2013/12/05 10:46:32| Startup: Initialized Authentication Scheme 'basic'
    2013/12/05 10:46:32| Startup: Initialized Authentication Scheme 'digest'
    2013/12/05 10:46:32| Startup: Initialized Authentication Scheme 'negotiate'
    2013/12/05 10:46:32| Startup: Initialized Authentication Scheme 'ntlm'
    2013/12/05 10:46:32| Startup: Initialized Authentication.
    2013/12/05 10:46:32| Processing Configuration File: /usr/local/etc/squid.conf (depth 0)
    2013/12/05 10:46:32| Processing: acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
    2013/12/05 10:46:32| Processing: acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
    2013/12/05 10:46:32| Processing: acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
    2013/12/05 10:46:32| Processing: acl localnet src fc00::/7       # RFC 4193 local private network range
    2013/12/05 10:46:32| Processing: acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
    2013/12/05 10:46:32| Processing: acl SSL_ports port 443
    2013/12/05 10:46:32| Processing: acl Safe_ports port 80 # http
    2013/12/05 10:46:32| Processing: acl Safe_ports port 21 # ftp
    2013/12/05 10:46:32| Processing: acl Safe_ports port 443 # https
    2013/12/05 10:46:32| Processing: acl Safe_ports port 70 # gopher
    2013/12/05 10:46:32| Processing: acl Safe_ports port 210 # wais
    2013/12/05 10:46:32| Processing: acl Safe_ports port 1025-65535 # unregistered ports
    2013/12/05 10:46:32| Processing: acl Safe_ports port 280 # http-mgmt
    2013/12/05 10:46:32| Processing: acl Safe_ports port 488 # gss-http
    2013/12/05 10:46:32| Processing: acl Safe_ports port 591 # filemaker
    2013/12/05 10:46:32| Processing: acl Safe_ports port 777 # multiling http
    2013/12/05 10:46:32| Processing: acl CONNECT method CONNECT
    2013/12/05 10:46:32| Processing: http_access deny !Safe_ports
    2013/12/05 10:46:32| Processing: http_access deny CONNECT !SSL_ports
    2013/12/05 10:46:32| Processing: http_access allow localhost manager
    2013/12/05 10:46:32| Processing: http_access deny manager
    2013/12/05 10:46:32| Processing: http_access allow localnet
    2013/12/05 10:46:32| Processing: http_access allow localhost
    2013/12/05 10:46:32| Processing: http_access allow all
    2013/12/05 10:46:32| Processing: http_port 4128 ssl-bump  generate-host-certificates=on  cert=/etc/ssl/demoCA/CA/cacert.pem key=/etc/ssl/demoCA/CA/cacert.key
    2013/12/05 10:46:32| Processing: ssl_bump server-first all
    2013/12/05 10:46:32| Processing: coredump_dir /usr/local/var/cache/squid
    2013/12/05 10:46:32| Processing: refresh_pattern ^ftp: 1440 20% 10080
    2013/12/05 10:46:32| Processing: refresh_pattern ^gopher: 1440 0% 1440
    2013/12/05 10:46:32| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    2013/12/05 10:46:32| Processing: refresh_pattern . 0 20% 4320
    2013/12/05 10:46:32| Initializing https proxy context
    2013/12/05 10:46:32| Initializing http_port [::]:4128 SSL context
    2013/12/05 10:46:32| Using certificate in /etc/ssl/demoCA/CA/cacert.pem
    2013/12/05 10:46:32| storeDirWriteCleanLogs: Starting...
    2013/12/05 10:46:32|   Finished.  Wrote 0 entries.
    2013/12/05 10:46:32|   Took 0.00 seconds (  0.00 entries/sec).
    FATAL: No valid signing SSL certificate configured for http_port [::]:4128
    Squid Cache (Version 3.3.10): Terminated abnormally.
    CPU Usage: 0.008 seconds = 0.008 user + 0.000 sys
    Maximum Resident Size: 25808 KB
    Page faults with physical i/o: 0

d) If I change the certificate to a certificate signed by this CA, then it works (the Common Name in the certificate is replaced), but I have to add an exception for each site.

Thanks,
Sridhar
Received on Thu Dec 05 2013 - 05:26:02 MST
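Since the FATAL fires while Squid is still loading the signing pair, an offline check of the cert and key handed to http_port is the first thing I would run. This is an added example, not code from the original post or from Squid; it assumes openssl is on PATH, that both files are PEM, and that a mismatched cert/key pair is one of the ways to reach the "No valid signing SSL certificate" message (my assumption, not stated in the thread).

```shell
#!/bin/sh
# check_squid_signing_pair CERT KEY
# Sanity-checks the pair given to "http_port ... ssl-bump
# generate-host-certificates=on cert=CERT key=KEY" before Squid is started:
#   1. CERT parses as a PEM certificate,
#   2. KEY is unencrypted (a passphrase-protected key cannot be read
#      non-interactively) and parses as a PEM private key,
#   3. the public key inside CERT matches KEY (assumption: a mismatched
#      pair is one route to "No valid signing SSL certificate"),
#   4. CERT carries basicConstraints CA:TRUE; without it clients reject the
#      per-site certificates Squid mints even if Squid itself starts.
# Prints the first failing check; returns 0 only when all four pass.
check_squid_signing_pair() {
    cert="$1"; key="$2"
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 \
        || { echo "FAIL: $cert is not a readable PEM certificate"; return 1; }
    if grep -q 'ENCRYPTED' "$key" 2>/dev/null; then
        echo "FAIL: $key is passphrase-protected"; return 1
    fi
    openssl pkey -in "$key" -passin pass: -noout >/dev/null 2>&1 \
        || { echo "FAIL: $key is not a readable PEM private key"; return 1; }
    # Compare the SubjectPublicKeyInfo blocks; this works for RSA and EC keys alike.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: public key in $cert does not match $key"; return 1
    fi
    openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE' \
        || { echo "FAIL: $cert has no basicConstraints CA:TRUE, so it is not a CA"; return 1; }
    echo "OK: $cert and $key form a usable ssl-bump signing CA"
    return 0
}

# Usage: ./check_squid_ca.sh /etc/ssl/demoCA/CA/cacert.pem /etc/ssl/demoCA/CA/cacert.key
if [ "$#" -eq 2 ]; then
    check_squid_signing_pair "$1" "$2"
fi
```

A leaf certificate signed by the CA passes checks 1 to 3 but fails check 4, which is the situation described under d): Squid starts, yet every bumped site needs a browser exception.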

This archive was generated by hypermail 2.2.0 : Mon Dec 09 2013 - 12:00:05 MST