Search squid archive

RE: Using trusted fake CA cert for ssl-bump on http_port

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Does the certificate match the key? Is there a passphrase for the key? If
yes, please remove the passphrase. Are you able to get it working with
generate-host-certificates=off ?

Regards,
Shinoj.

> -----Original Message-----
> From: Sridhar N [mailto:sridhar.narasimhan@xxxxxxxx]
> Sent: Monday, December 09, 2013 6:20 PM
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: RE:  Using trusted fake CA cert for ssl-bump on
> http_port
>
> ----------------------------------------
> > From: sgangadharan@xxxxxxxxxxxx
> > Date: Mon, 9 Dec 2013 11:55:42 +0530
> >
> > Hi Sridhar,
> >
> > I don’t see the following in your config file :
> >
> > sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
> > sslcrtd_children 50
> >
> > always_direct allow all
> >
> >
> > /var/lib/ssl_db should be owned by squid. This is where the generated
> > certificates will be stored. This folder is created by using the
command :
> >
> > ssl_crtd -c -s /var/lib/ssl_db
> >
>
> Thanks. I added those lines, still getting the same problem though.
>
> What else might be going on ?
>
> root@ubuntu:~# squid -k parse
> 2013/12/09 18:17:57| Startup: Initializing Authentication Schemes ...
> 2013/12/09 18:17:57| Startup: Initialized Authentication Scheme 'basic'
> 2013/12/09 18:17:57| Startup: Initialized Authentication Scheme 'digest'
> 2013/12/09 18:17:57| Startup: Initialized Authentication Scheme
'negotiate'
> 2013/12/09 18:17:57| Startup: Initialized Authentication Scheme 'ntlm'
> 2013/12/09 18:17:57| Startup: Initialized Authentication.
> 2013/12/09 18:17:57| Processing Configuration File:
/usr/local/etc/squid.conf
> (depth 0)
> 2013/12/09 18:17:57| Processing: acl localnet src 10.0.0.0/8	# RFC1918
> possible internal network
> 2013/12/09 18:17:57| Processing: acl localnet src 172.16.0.0/12	#
RFC1918
> possible internal network
> 2013/12/09 18:17:57| Processing: acl localnet src 192.168.0.0/16	#
RFC1918
> possible internal network
> 2013/12/09 18:17:57| Processing: acl localnet src fc00::/7       # RFC
4193 local
> private network range
> 2013/12/09 18:17:57| Processing: acl localnet src fe80::/10      # RFC
4291 link-
> local (directly plugged) machines
> 2013/12/09 18:17:57| Processing: acl SSL_ports port 443
> 2013/12/09 18:17:57| Processing: acl Safe_ports port 80		#
http
> 2013/12/09 18:17:57| Processing: acl Safe_ports port 21		#
ftp
> 2013/12/09 18:17:57| Processing: acl Safe_ports port 443		#
> https
> 2013/12/09 18:17:57| Processing: acl Safe_ports port 70		#
> gopher
> 2013/12/09 18:17:57| Processing: acl Safe_ports port 210		#
wais
> 2013/12/09 18:17:57| Processing: acl Safe_ports port 1025-65535	#
> unregistered ports
> 2013/12/09 18:17:57| Processing: acl Safe_ports port 280		#
> http-mgmt
> 2013/12/09 18:17:57| Processing: acl Safe_ports port 488		#
gss-
> http
> 2013/12/09 18:17:57| Processing: acl Safe_ports port 591		#
> filemaker
> 2013/12/09 18:17:57| Processing: acl Safe_ports port 777		#
> multiling http
> 2013/12/09 18:17:57| Processing: acl CONNECT method CONNECT
> 2013/12/09 18:17:57| Processing: http_access deny !Safe_ports
> 2013/12/09 18:17:57| Processing: http_access allow localhost manager
> 2013/12/09 18:17:57| Processing: http_access deny manager
> 2013/12/09 18:17:57| Processing: http_access allow localnet
> 2013/12/09 18:17:57| Processing: http_access allow localhost
> 2013/12/09 18:17:57| Processing: http_access allow all
> 2013/12/09 18:17:57| Processing: http_port 4128 ssl-bump  generate-host-
> certificates=on  cert=/etc/ssl/demoCA/CA/cacert.pem
> key=/etc/ssl/demoCA/CA/cacert.key
> 2013/12/09 18:17:57| Processing: ssl_bump server-first all
> 2013/12/09 18:17:57| Processing: sslcrtd_program
/usr/local/libexec/ssl_crtd
> -s /usr/local/var/lib/ssl_db
> 2013/12/09 18:17:57| Processing: sslcrtd_children 5
> 2013/12/09 18:17:57| Processing: always_direct allow all
> 2013/12/09 18:17:57| Processing: coredump_dir /usr/local/var/cache/squid
> 2013/12/09 18:17:57| Processing: refresh_pattern ^ftp:
1440
> 	20%	10080
> 2013/12/09 18:17:57| Processing: refresh_pattern ^gopher:	1440	0%
> 	1440
> 2013/12/09 18:17:57| Processing: refresh_pattern -i (/cgi-bin/|\?) 0	0%
> 	0
> 2013/12/09 18:17:57| Processing: refresh_pattern .		0
20%
> 	4320
> 2013/12/09 18:17:57| Initializing https proxy context
> 2013/12/09 18:17:57| Initializing http_port [::]:4128 SSL context
> 2013/12/09 18:17:57| Using certificate in /etc/ssl/demoCA/CA/cacert.pem
> 2013/12/09 18:17:57| storeDirWriteCleanLogs: Starting...
> 2013/12/09 18:17:57|   Finished.  Wrote 0 entries.
> 2013/12/09 18:17:57|   Took 0.00 seconds (  0.00 entries/sec).
> FATAL: No valid signing SSL certificate configured for http_port
[::]:4128 Squid
> Cache (Version 3.3.10): Terminated abnormally.
> CPU Usage: 0.008 seconds = 0.008 user + 0.000 sys Maximum Resident Size:
> 25808 KB
> Page faults with physical i/o: 0





[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux