On 17/02/2015 5:16 a.m., Alan Palmer wrote:
> Tried the two links provided, still no luck.
>
> details:
> squid -v
> Squid Cache: Version 3.4.11
> configure options: '--disable-strict-error-checking'
> '--disable-arch-native' '--enable-shared'
> '--datadir=/usr/local/share/squid'
> '--libexecdir=/usr/local/libexec/squid' '--disable-loadable-modules'
> '--enable-arp-acl' '--enable-auth' '--enable-delay-pools'
> '--enable-follow-x-forwarded-for' '--enable-forw-via-db'
> '--enable-http-violations' '--enable-icap-client' '--enable-ipv6'
> '--enable-referer-log' '--enable-removal-policies=lru heap'
> '--enable-ssl' '--with-openssl' '--enable-storeio=aufs ufs diskd'
> '--with-default-user=_squid' '--with-filedescriptors=8192'
> '--with-krb5-config=no' '--with-pidfile=/var/run/squid.pid'
> '--with-pthreads' '--with-swapdir=/var/squid/cache'
> '--disable-pf-transparent' '--enable-ipfw-transparent'
> '--enable-external-acl-helpers=LDAP_group SQL_session file_userip
> time_quota session unix_group wbinfo_group LDAP_group
> eDirectory_userip' '--prefix=/usr/local' '--sysconfdir=/etc/squid'
> '--mandir=/usr/local/man' '--infodir=/usr/local/info'
> '--localstatedir=/var/squid' '--disable-silent-rules' 'CC=cc'
> 'CFLAGS=-O2 -pipe' 'LDFLAGS=-L/usr/local/lib'
> 'CPPFLAGS=-I/usr/local/include' 'CXX=c++' 'CXXFLAGS=-O2 -pipe'
> '--enable-ssl-crtd' --enable-ltdl-convenience
>
> tail -10 squid.conf
> https_port 3127 intercept ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl_cert/server1.crt
> sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s
> /usr/local/squid/var/lib/ssl_db -M 16MB
> sslcrtd_children 10
> ssl_bump server-first all
>
> cert generation
> openssl genrsa -des3 -passout pass:x -out server.pass.key 2048
> openssl rsa -passin pass:x -in server.pass.key -out server.key
> rm server.pass.key
> openssl req -new -key server.key -out server.csr
> openssl req -new -key server.key -out server.csr
> openssl x509 -req -days 730 -in server.csr -signkey server.key
> openssl x509 -req -days 730 -in server.csr -signkey server.key -out
> server.crt
> cat server.key server.crt > server1.crt
>

All of that process is what the "generate-host-certificates=on" does.

The server1.crt file contains the output bytes Squid will be sending
on-the-wire, not what the cert= input parameter needs.

> squid -z
> FATAL: No valid signing SSL certificate configured for https_port
> 0.0.0.0:3127

Which is correct. The file "server1.crt" contains a server cert, not a
CA cert.

> Squid Cache (Version 3.4.11): Terminated abnormally.
> CPU Usage: 0.080 seconds = 0.060 user + 0.020 sys
> Maximum Resident Size: 6752 KB
> Page faults with physical i/o: 0
>
> cert generation ala
> http://wiki.squid-cache.org/EliezerCroitoru/Drafts/SSLBUMP (squid.conf
> changed to cert=/etc/squid/ssl_cert/myCA.pem)
>

That is a draft, and a bit outdated. Use this instead:
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

> openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout
> myCA.pem -out myCA.pem
>
> squid -z
> FATAL: No valid signing SSL certificate configured for https_port [::]:3127
> Squid Cache (Version 3.4.11): Terminated abnormally.

Notice how the port details have changed from IPv4-only to IPv6-only.

You are using a split-stack OS where each of the IPv4 and IPv6 ports
needs a separate TLS/SSL context. You can set the same settings and load
the same cert file, you just have to place the config separately in
squid.conf for now:

https_port 0.0.0.0:3127 intercept ssl-bump \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=16MB \
    cert=/etc/squid/ssl_cert/server1.crt

https_port [::]:3127 intercept ssl-bump \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=16MB \
    cert=/etc/squid/ssl_cert/server1.crt

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
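As an added example (not from this thread and not Squid project code): a POSIX shell helper that builds a signing CA of the kind Amos says the cert= parameter needs, i.e. a certificate carrying the CA:TRUE basic constraint rather than a plain server certificate, and a check that tells the two apart before you run squid -z. The file names, the CN and the config section names are assumptions.

```shell
#!/bin/sh
# Example helper (assumed names, not part of Squid): creates a CA suitable for
# "https_port ... cert=" and checks whether a PEM file is actually a CA cert.
set -eu

# is_ca_cert FILE -> exit status 0 if the first certificate in FILE has
# basicConstraints CA:TRUE, which a signing CA for ssl-bump must have.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# make_ca DIR -> writes DIR/myCA.pem (key followed by cert, like the wiki's
# single-file layout) with explicit CA extensions instead of relying on the
# defaults in the system openssl.cnf.
make_ca() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Squid SSL-Bump CA (example)
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 \
        -config "$dir/ca.cnf" -keyout "$dir/myCA.key" -out "$dir/myCA.crt" 2>/dev/null
    cat "$dir/myCA.key" "$dir/myCA.crt" > "$dir/myCA.pem"
}

# make_server_cert DIR -> reproduces the thread's server1.crt recipe (a CSR
# self-signed with "x509 -req -signkey"), which yields no CA extension.
make_server_cert() {
    dir="$1"
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=server1 \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 730 -in "$dir/server.csr" -signkey "$dir/server.key" \
        -out "$dir/server.crt" 2>/dev/null
    cat "$dir/server.key" "$dir/server.crt" > "$dir/server1.crt"
}
```

Run is_ca_cert against the file you name in cert= for both https_port lines; if it fails, Squid's "No valid signing SSL certificate" FATAL is expected.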