On Thursday 8 January 2009 22:47:50, Alex Rousskov wrote:
> On Wed, 2009-01-07 at 10:30 -0800, David Molnar wrote:
> > I am trying to run the DynamicSslCert branch squid and running into a problem. It looks like squid is somehow losing track of the hostname in the code that attempts to generate the SSL certificate on the fly.
>
> Thank you for trying the new code and providing detailed debugging info.
>
> Before we dive into dynamic certificate generation bugs, let's verify that your setup works without dynamic certificate generation. Have you tried running stock Squid 3.1 with SslBump enabled? Does it work? You should be able to surf fine, but should get many certificate mismatch warnings/errors.
>
> I believe the SslBump wiki page has the basic config sample. Please confirm that stock SslBump works and we will go from there.
>
> Thank you,
>
> Alex.
>
> > I understand that this is experimental code and not guaranteed to work, but if anyone happens to have an idea, or sees something I've overlooked, I'd be grateful. Details follow.
> >
> > I started by setting up an http_port in my squid.conf like so:
> >
> > http_port 3128 sslBump generate-host-certificates=on ca-config=/usr/local/ssl/openssl.cnf
> >
> > My full squid.conf is at http://www.cs.berkeley.edu/~dmolnar/dyn-issue-squid.conf
> >
> > I then set up firefox to use 127.0.0.1:3128 as my proxy for http and https. I see http requests handled properly at this point. When I go to "https://www.bankofamerica.com" in firefox, however, I see nothing.
> >
> > I checked my cache.log. This is an excerpt from my cache.log:
> >
> > 2009/01/05 22:32:21.661| httpRequestFree: www.bankofamerica.com:443
> > 2009/01/05 22:32:21.661| client_side.cc(3133) switchToHttps: converting FD 9 to SSL
> > 2009/01/05 22:32:21.661| client_side.cc(3106) getSslContext: Generating SSL certificate for
> >
> > At this point it looks like "host" is set equal to "".
> > Immediately after I see this:
> >
> > 2009/01/05 22:32:21.661| ssl_support.cc(1207) generateCaSignedSslCertificate: Generating CA-signed certificate for
> > 2009/01/05 22:32:21.661| ssl_support.cc(1180) runSystemCommand: Running: openssl req -new -newkey rsa:1024 -nodes -days 500 -subj /C=EN/CN= -out server.csr -keyout server.key 2>/dev/null
> > 2009/01/05 22:32:21.661| ssl_support.cc(1182) runSystemCommand: Command (openssl req -new -newkey rsa:1024 -nodes -days 500 -subj /C=EN/CN= -out server.csr -keyout server.key 2>/dev/null) failed
> > 2009/01/05 22:32:21.708| ssl_support.cc(1193) generateSelfSignedSslCertificate: Generating self-signed certificate for
> > 2009/01/05 22:32:21.708| ssl_support.cc(1180) runSystemCommand: Running: openssl req -new -newkey rsa:1024 -nodes -x509 -days 500 -subj /C=EN/CN= -out server.crt -keyout server.key 2>/dev/null
> > 2009/01/05 22:32:21.708| ssl_support.cc(1182) runSystemCommand: Command (openssl req -new -newkey rsa:1024 -nodes -x509 -days 500 -subj /C=EN/CN= -out server.crt -keyout server.key 2>/dev/null) failed
> > 2009/01/05 22:32:21.787| client_side.cc(3111) getSslContext: Failed to generate SSL cert for
> > 2009/01/05 22:32:21.787| Closing SSL FD 9 as lacking SSL context
> >
> > Full log (warning: kind of long) at http://www.cs.berkeley.edu/~dmolnar/dyn-issue-cache.log
> >
> > I tried the openssl commands on the command line, and the failure comes because openssl complains about a CN of "". That then causes a non-zero return code, in turn causing getSslContext to report failure.
> >
> > Does anyone have a suggestion for what to try next? I also tried setting up an https_port with the same options as above, i.e.
> >
> > http_port 3129 sslBump generate-host-certificates=on ca-config=/usr/local/ssl/openssl.cnf
> >
> > Unfortunately this led to an error "failure to acquire certificate" on startup, and a note in the cache.log that port 3129 was disabled due to certificate error. Do I need to also add additional options of some kind?
> >
> > Thanks again for any help,
> > -David Molnar

I would like to know if there is a tar.gz of that branch. I tried using it from this page: https://code.launchpad.net/~rousskov/squid/DynamicSslCert by doing a bzr branch http://bazaar.launchpad.net/~rousskov/squid/DynamicSslCert, then I ran bootstrap.sh and the configure script was created, but when I did a grep -r enable-ssl-crtd * to search for that option I couldn't find anything. Is there something I was missing, or do I just have to compile to have generate-host-certificates=on dynamic_cert_mem_cache_size=4MB available?

TIA
LD
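The certificate-generation step that David's cache.log shows, reproduced as an added shell example (this is not code from the DynamicSslCert branch or from Squid; it only mirrors the openssl invocations visible in the log). It runs the same "openssl req" step for a per-host key and CSR, then signs the CSR with a local CA the way the generateCaSignedSslCertificate path does, and refuses an empty hostname up front instead of letting openssl fail on "CN=" as in the log. The working directory, the CA subject, the 2048-bit key size (the log used rsa:1024) and the hostname sanity check are assumptions of this example, as is the use of -subj in place of the ca-config= openssl.cnf.

```shell
#!/bin/sh
# Added example: per-host certificate generation as seen in the DynamicSslCert
# cache.log, done with the openssl CLI. Not Squid code; paths, CA subject and
# key size are assumptions made for this example.
set -u

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # assumption: scratch dir for keys and certs
CA_KEY="$WORKDIR/ca.key"
CA_CRT="$WORKDIR/ca.crt"

# make_ca: create the signing CA once, self-signed. Squid's ca-config= points at
# an openssl.cnf for this; here -subj supplies the subject so no config is needed.
make_ca() {
    [ -f "$CA_CRT" ] && return 0
    openssl req -new -newkey rsa:2048 -nodes -x509 -days 500 \
        -subj "/C=EN/CN=Example bump CA" \
        -out "$CA_CRT" -keyout "$CA_KEY" 2>/dev/null
}

# gen_host_cert HOST: key + CSR + CA-signed certificate for HOST, mirroring the
# "openssl req" command from the log followed by a CA signature. Returns 1
# without calling openssl when HOST is empty, which is exactly the condition
# (-subj /C=EN/CN=) that made both commands in the log fail and the SSL FD close.
gen_host_cert() {
    host="$1"
    if [ -z "$host" ]; then
        echo "refusing to generate a certificate for an empty hostname" >&2
        return 1
    fi
    # Assumption of this example: the hostname is also used as a file name, so
    # reject anything with path characters before touching the filesystem.
    case "$host" in
        */*|*..*|.*) echo "refusing suspicious hostname: $host" >&2; return 1 ;;
    esac
    make_ca || return 1
    # Same shape as the log's command: CSR plus key for CN=HOST.
    openssl req -new -newkey rsa:2048 -nodes -days 500 -subj "/C=EN/CN=$host" \
        -out "$WORKDIR/$host.csr" -keyout "$WORKDIR/$host.key" 2>/dev/null || return 1
    # CA-signed step: sign the CSR with the local CA.
    openssl x509 -req -days 500 -in "$WORKDIR/$host.csr" \
        -CA "$CA_CRT" -CAkey "$CA_KEY" -CAcreateserial \
        -out "$WORKDIR/$host.crt" 2>/dev/null || return 1
}

# cert_cn FILE: print the CN of a certificate so the result can be checked.
# Handles both "subject= /C=EN/CN=x" and "subject=C = EN, CN = x" output styles.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Stand-alone usage: ./gen_host_cert.sh www.example.com
if [ "$#" -gt 0 ]; then
    gen_host_cert "$1" && cert_cn "$WORKDIR/$1.crt"
fi
```

The guard on the empty hostname is the point of the example: in the log, the empty host reaches openssl, openssl rejects the empty CN with a non-zero exit, and getSslContext reports failure and closes the FD, so the useful place to fail is before the fork, with a log line that names the real cause. The path check is the second thing a practitioner would want when a client-supplied hostname is turned into a file name.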