On 2/16/2015 5:45 PM, Amos Jeffries wrote:
Notice how the port details have changed from IPv4-only to IPv6-only.
You are using a split-stack OS where each of the IPv4 and IPv6 ports
needs separate TLS/SSL context. You can set the same settings and load
the same cert file, just have to place the config separately in
squid.conf for now: https_port 0.0.0.0:3127 intercept ssl-bump \
generate-host-certificates=on \ dynamic_cert_mem_cache_size=16MB \
cert=/etc/squid/ssl_cert/server1.crt https_port [::]:3127 intercept
ssl-bump \ generate-host-certificates=on \
dynamic_cert_mem_cache_size=16MB \
cert=/etc/squid/ssl_cert/server1.crt Amos
_______________________________________________ squid-users mailing
list squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509
-keyout myCA.pem -out myCA.pem
tail -20 squid.conf
http_port 3128 transparent
#
# transparent SSL proxy setup
#
https_port 0.0.0.0:3127 intercept ssl-bump \
generate-host-certificates=on \
dynamic_cert_mem_cache_size=16MB \
cert=/etc/squid/ssl_cert/JaroszCA.pem
https_port [::]:3127 intercept ssl-bump \
generate-host-certificates=on \
dynamic_cert_mem_cache_size=16MB \
cert=/etc/squid/ssl_cert/JaroszCA.pem
#
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /data/squid/ssl_db
-M 16MB
sslcrtd_children 10
always_direct allow all
sslproxy_cert_error allow all
ssl_bump server-first all
/etc/squid: squid -z
FATAL: No valid signing SSL certificate configured for https_port
0.0.0.0:3127
Squid Cache (Version 3.4.11): Terminated abnormally.
CPU Usage: 0.080 seconds = 0.070 user + 0.010 sys
Maximum Resident Size: 6764 KB
Page faults with physical i/o: 0
BUT:
tail -20 squid.conf
http_port 3128 transparent
#
# transparent SSL proxy setup
#
https_port 127.0.0.1:3127 intercept ssl-bump \
generate-host-certificates=on \
dynamic_cert_mem_cache_size=16MB \
cert=/etc/squid/ssl_cert/JaroszCA.pem
https_port [::1]:3127 intercept ssl-bump \
generate-host-certificates=on \
dynamic_cert_mem_cache_size=16MB \
cert=/etc/squid/ssl_cert/JaroszCA.pem
/etc/squid: squid -z
/etc/squid: 2015/02/17 07:47:03 kid1| Set Current Directory
to /var/squid/cache
2015/02/17 07:47:03 kid1| Creating missing swap directories
...
Its not just specifying separate lines for the split stack, using the
non-specific addresses 0.0.0.0 and [::] fails. I had to put a real ip
address, in this case loopback, but using another real interface on my
machine also worked.
Bug/'Feature' in OpenBSD 5.6 implementation or all split stack OSs?
Thanks muchly for the help.
Alan
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users