Hello Squid,
I am trying the sslBump and just following the doc, i tried to also some random tutorial on the web that mostly looks like copy pasta of the wiki. All i got is a FATAL. .. . .
2014/12/05 17:07:24.472| src/ssl/support.cc(1584) readSslX509CertificatesChain: Certificate is self-signed, will not
be chained
2014/12/05 17:07:24.500| src/ssl/support.cc(1446) contextMethod: Using SSLv2/SSLv3.
2014/12/05 17:07:24.500| src/ssl/support.cc(857) configureSslContext: Setting RSA key generation callback.
2014/12/05 17:07:24.500| src/ssl/support.cc(860) configureSslContext: Setting CA certificate locations.
2014/12/05 17:07:24.505| src/ssl/support.cc(903) configureSslContext: Not requiring any client certificates
2014/12/05 17:07:24.505| Initializing https_port 0.0.0.0:3129 SSL context
2014/12/05 17:07:24.505| src/tools.cc(564) leave_suid: leave_suid: PID 10872 called
2014/12/05 17:07:24.505| src/tools.cc(586) leave_suid: leave_suid: PID 10872 giving up root, becoming '_squid'
FATAL: No valid signing SSL certificate configured for HTTPS_port 0.0.0.0:3129
Squid Cache (Version 3.HEAD-20140626-r13480): Terminated abnormally.
my certificates are all right
2014/12/05 17:07:24.505| Initializing https_port 0.0.0.0:3129 SSL context
but sundenly they are i dont recheck or something ?
the only non logged code i see is this one :
if (!pkey || !cert || !X509_check_private_key(cert.get(), pkey.get())) {
pkey.reset(NULL);
cert.reset(NULL);
}
But i swear i follow the doc and create the certificate normally.
Is there a particular CN to use ?
Shall i emit a self signed root and then another certificate for the proxy ??? is this error not related at all ? with the certificate on the sslbump lines ?
Conf:
# Squid normally listens to port 3128
http_port 3128
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=2MB cert=/etc/squid/sq
uid-proxy.crt key=/etc/squid/squid-proxy.key
# dont forget ssl_crtd -c -s /var/db/squid/ssl when setup
always_direct allow all
ssl_bump client-first all
sslproxy_cert_error allow all
# Or may be deny all according to your company policy
# sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/local/bin/ssl_crtd -s /var/db/squid/ssl -M 2MB
sslcrtd_children 5
Info:
# ls /var/db/squid/ssl
certs index.txt size
---------------------------------------------------------------------------------------------------------------------
() ascii ribbon campaign - against html e-mail
/\
() ascii ribbon campaign - against html e-mail
/\
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
