
Re: ssl proxy error: No valid signing SSL certificate configured for https_port [::]:3127

On 2/16/2015 5:45 PM, Amos Jeffries wrote:
Notice how the port details have changed from IPv4-only to IPv6-only. You are using a split-stack OS where each of the IPv4 and IPv6 ports needs separate TLS/SSL context. You can set the same settings and load the same cert file, just have to place the config separately in squid.conf for now:

https_port 0.0.0.0:3127 intercept ssl-bump \
  generate-host-certificates=on \
  dynamic_cert_mem_cache_size=16MB \
  cert=/etc/squid/ssl_cert/server1.crt

https_port [::]:3127 intercept ssl-bump \
  generate-host-certificates=on \
  dynamic_cert_mem_cache_size=16MB \
  cert=/etc/squid/ssl_cert/server1.crt

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users


openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 -keyout myCA.pem -out myCA.pem

tail -20 squid.conf
http_port 3128 transparent
#
#       transparent SSL proxy setup
#
https_port 0.0.0.0:3127 intercept ssl-bump \
  generate-host-certificates=on \
  dynamic_cert_mem_cache_size=16MB \
  cert=/etc/squid/ssl_cert/JaroszCA.pem

https_port [::]:3127 intercept ssl-bump \
  generate-host-certificates=on \
  dynamic_cert_mem_cache_size=16MB \
  cert=/etc/squid/ssl_cert/JaroszCA.pem

#
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /data/squid/ssl_db -M 16MB
sslcrtd_children 10
always_direct allow all
sslproxy_cert_error allow all
ssl_bump server-first all

/etc/squid: squid -z
FATAL: No valid signing SSL certificate configured for https_port 0.0.0.0:3127
Squid Cache (Version 3.4.11): Terminated abnormally.
CPU Usage: 0.080 seconds = 0.070 user + 0.010 sys
Maximum Resident Size: 6764 KB
Page faults with physical i/o: 0

BUT:

tail -20 squid.conf
http_port 3128 transparent
#
#       transparent SSL proxy setup
#
https_port 127.0.0.1:3127 intercept ssl-bump \
  generate-host-certificates=on \
  dynamic_cert_mem_cache_size=16MB \
  cert=/etc/squid/ssl_cert/JaroszCA.pem

https_port [::1]:3127 intercept ssl-bump \
  generate-host-certificates=on \
  dynamic_cert_mem_cache_size=16MB \
  cert=/etc/squid/ssl_cert/JaroszCA.pem

/etc/squid: squid -z
/etc/squid: 2015/02/17 07:47:03 kid1| Set Current Directory to /var/squid/cache
2015/02/17 07:47:03 kid1| Creating missing swap directories
...

It's not just specifying separate lines for the split stack; using the non-specific addresses 0.0.0.0 and [::] fails. I had to put a real IP address, in this case loopback, but using another real interface on my machine also worked.

Bug/'Feature' in OpenBSD 5.6 implementation or all split stack OSs?

Thanks muchly for the help.

Alan


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
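As an added example (not code from this thread or from the Squid project), a small Python lint that joins squid.conf backslash continuation lines and then checks the two things discussed above: every ssl-bump https_port carries its own cert=, and on a split-stack host each address family gets its own listener rather than a single wildcard one. The sample config, the finding texts and the function names are constructed for this example; listener hosts are assumed to be literal IP addresses.

```python
import re
from ipaddress import ip_address

# Constructed sample modelled on the thread: both families, continuation
# lines, and a deliberately missing cert= on the IPv6 listener.
SAMPLE_CONF = """\
https_port 0.0.0.0:3127 intercept ssl-bump \\
  generate-host-certificates=on \\
  dynamic_cert_mem_cache_size=16MB \\
  cert=/etc/squid/ssl_cert/JaroszCA.pem
https_port [::]:3127 intercept ssl-bump \\
  generate-host-certificates=on \\
  dynamic_cert_mem_cache_size=16MB
"""
WILDCARDS = {"0.0.0.0", "::"}
ADDR_RE = re.compile(r"^(?:\[(?P<v6>[^\]]+)\]:|(?P<v4>[^:]+):)?(?P<port>\d+)$")

def logical_lines(text):
    """Yield squid.conf lines with trailing-backslash continuations joined."""
    for chunk in text.replace("\\\n", " ").splitlines():
        yield " ".join(chunk.split())

def parse_https_port(line):
    """Return (host or None, port, options) for one joined https_port line."""
    words = line.split()
    m = ADDR_RE.match(words[1])
    opts = {}
    for w in words[2:]:          # flags become True, key=value pairs keep value
        k, _, v = w.partition("=")
        opts[k] = v or True
    return m.group("v6") or m.group("v4"), int(m.group("port")), opts

def lint(text):
    """Findings keyed by listener spec (hosts must be literal IPs)."""
    findings, families = {}, {}
    for line in logical_lines(text):
        if not line.startswith("https_port "):
            continue
        host, port, opts = parse_https_port(line)
        notes = findings.setdefault(line.split()[1], [])
        if "ssl-bump" in opts and "cert" not in opts:
            notes.append("ssl-bump listener without cert=: nothing to sign generated certs with")
        if host is None or host in WILDCARDS:
            notes.append("wildcard address: the thread reports this failing on OpenBSD 5.6; bind a real address per family")
        families.setdefault(port, set()).add("v%d" % ip_address(host).version if host else "any")
    for port, fams in families.items():
        if len(fams) == 1 and fams != {"any"}:
            findings["port %d" % port] = ["only %s bound: a split-stack OS needs a matching https_port for the other family" % fams.pop()]
    return findings
```

Run `lint(open("/etc/squid/squid.conf").read())` against a real file; an empty list for a listener means both checks passed.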