Alex Rousskov wrote:
On Wed, 2009-01-07 at 10:30 -0800, David Molnar wrote:
I am trying to run
the DynamicSslCert branch squid and running into a problem. It looks
like squid is somehow losing track of the hostname in the code that
attempts to generate the SSL certificate on the fly.
Thank you for trying the new code and providing detailed debugging info.
Before we dive into dynamic certificate generation bugs, let's verify
that your setup works without dynamic certificate generation. Have you
tried running stock Squid 3.1 with SslBump enabled? Does it work? You
should be able to surf fine, but should get many certificate mismatch
warnings/errors.
I believe the SslBump wiki page has the basic config sample. Please
confirm that stock SslBump works and we will go from there.
Thank you,
Alex.
I understand that this is experimental code and not guaranteed to work,
but if anyone happens to have an idea, or sees something I've
overlooked, I'd be grateful. Details follow.
I started by setting up an http_port in my squid_conf like so:
http_port 3128 sslBump generate-host-certificates=on ca-config=/usr/local/ssl/openssl.cnf
My full squid.conf is at
http://www.cs.berkeley.edu/~dmolnar/dyn-issue-squid.conf
I then set up firefox to use 127.0.0.1:3128 as my proxy for http and
https. I see http requests handled properly at this point. When I go to
"https://www.bankofamerica.com" in firefox, however, I see nothing.
I checked my cache.log. This is an excerpt from my cache.log:
2009/01/05 22:32:21.661| httpRequestFree: www.bankofamerica.com:443
2009/01/05 22:32:21.661| client_side.cc(3133) switchToHttps: converting FD 9 to SSL
2009/01/05 22:32:21.661| client_side.cc(3106) getSslContext: Generating SSL certificate for
At this point it looks like "host" is set equal to "".
Immediately after I see this:
2009/01/05 22:32:21.661| ssl_support.cc(1207) generateCaSignedSslCertificate: Generating CA-signed certificate for
2009/01/05 22:32:21.661| ssl_support.cc(1180) runSystemCommand: Running: openssl req -new -newkey rsa:1024 -nodes -days 500 -subj /C=EN/CN= -out server.csr -keyout server.key 2>/dev/null
2009/01/05 22:32:21.661| ssl_support.cc(1182) runSystemCommand: Command (openssl req -new -newkey rsa:1024 -nodes -days 500 -subj /C=EN/CN= -out server.csr -keyout server.key 2>/dev/null) failed
2009/01/05 22:32:21.708| ssl_support.cc(1193) generateSelfSignedSslCertificate: Generating self-signed certificate for
2009/01/05 22:32:21.708| ssl_support.cc(1180) runSystemCommand: Running: openssl req -new -newkey rsa:1024 -nodes -x509 -days 500 -subj /C=EN/CN= -out server.crt -keyout server.key 2>/dev/null
2009/01/05 22:32:21.708| ssl_support.cc(1182) runSystemCommand: Command (openssl req -new -newkey rsa:1024 -nodes -x509 -days 500 -subj /C=EN/CN= -out server.crt -keyout server.key 2>/dev/null) failed
2009/01/05 22:32:21.787| client_side.cc(3111) getSslContext: Failed to generate SSL cert for
2009/01/05 22:32:21.787| Closing SSL FD 9 as lacking SSL context
Full log (warning: kind of long) at
http://www.cs.berkeley.edu/~dmolnar/dyn-issue-cache.log
I tried the openssl commands on the command line, and the failure comes
because openssl complains about a CN of "". That then causes a non-zero
return code, in turn causing getSslContext to report failure.
Does anyone have a suggestion for what to try next? I also tried setting
up an https_port with the same options as above, i.e.
http_port 3129 sslBump generate-host-certificates=on ca-config=/usr/local/ssl/openssl.cnf
Unfortunately this led to an error "failure to acquire certificate" on
startup, and a note in the cache.log that port 3129 was disabled due to
certificate error. Do I need to also add additional options of some kind?
Thanks again for any help,
-David Molnar
Sounds like this may be related to bug 2536 with basic HTTPS.
http://www.squid-cache.org/bugs/show_bug.cgi?id=2536
Amos
--
Please be using
Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
Current Beta Squid 3.1.0.3
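The failure David's log shows is an `openssl req` call built with an empty CN. As an added example that is not part of this thread or of Squid's own code, the Python below does two things a practitioner would want when debugging this: it scans cache.log lines for getSslContext attempts where the host is empty, and it shows the precondition the generator should enforce before shelling out, refusing an empty or malformed hostname and building the openssl command as an argument list rather than a single shell string. The log excerpt is constructed after the lines quoted above (one extra healthy line added for contrast); the function names, the hostname rule (RFC 1123 labels) and the argv layout are this example's assumptions, not Squid's interface.

```python
import re
import shlex

# Constructed cache.log excerpt modelled on the lines quoted in the thread,
# plus one added line with a real hostname so the scanner has a negative case.
SAMPLE_LOG = """\
2009/01/05 22:32:21.661| client_side.cc(3133) switchToHttps: converting FD 9 to SSL
2009/01/05 22:32:21.661| client_side.cc(3106) getSslContext: Generating SSL certificate for
2009/01/05 22:32:21.661| ssl_support.cc(1180) runSystemCommand: Running: openssl req -new -newkey rsa:1024 -nodes -days 500 -subj /C=EN/CN= -out server.csr -keyout server.key 2>/dev/null
2009/01/05 22:32:21.787| client_side.cc(3111) getSslContext: Failed to generate SSL cert for
2009/01/05 22:40:00.000| client_side.cc(3106) getSslContext: Generating SSL certificate for www.example.com
"""

# Matches the "Generating SSL certificate for <host>" line; host may be empty.
GEN_RE = re.compile(r"getSslContext: Generating SSL certificate for\s*(?P<host>\S*)\s*$")


def find_empty_host_attempts(log_text):
    """Return (line_no, line) for every generation attempt whose host is empty.

    This is the symptom in the thread: the log line ends right after 'for'.
    """
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = GEN_RE.search(line)
        if m and not m.group("host"):
            hits.append((n, line))
    return hits


# One DNS label: 1-63 chars of letters, digits, hyphens; no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(host):
    """RFC 1123 style check: non-empty, <= 253 chars, every label well formed."""
    if not host or len(host) > 253:
        return False
    labels = host.rstrip(".").split(".")
    return all(LABEL_RE.match(label) for label in labels)


def openssl_req_argv(host, days=500, out="server.csr", keyout="server.key"):
    """Build the argv for the 'openssl req' call seen in the log (hypothetical helper).

    Refuses to run with an empty or malformed host, which is exactly the case
    that produced '-subj /C=EN/CN=' and a non-zero exit from openssl.
    Returning a list (for subprocess.run without shell=True) keeps the host
    from ever being interpreted by a shell.
    """
    if not is_valid_hostname(host):
        raise ValueError(f"refusing to generate a certificate for host {host!r}")
    return [
        "openssl", "req", "-new", "-newkey", "rsa:1024", "-nodes",
        "-days", str(days), "-subj", f"/C=EN/CN={host}",
        "-out", out, "-keyout", keyout,
    ]


def openssl_req_command_line(host):
    """Render the argv as a safely quoted shell string, for logging only."""
    return shlex.join(openssl_req_argv(host))


if __name__ == "__main__":
    for n, line in find_empty_host_attempts(SAMPLE_LOG):
        print(f"line {n}: empty host in certificate generation attempt: {line}")
    print(openssl_req_command_line("www.bankofamerica.com"))
    try:
        openssl_req_argv("")
    except ValueError as e:
        print("rejected:", e)
```

Run as a script it flags line 2 of the excerpt and prints the command that would have been run for a real host. The point of the argv form is that a validation failure surfaces as a clear error in the proxy's own log before any external process is started, instead of as an opaque "Command (...) failed" after the fact.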