Yuri,

So what’s next? Do you mean we must “do-not-ssl-bump” wrong certificates?
And if a certificate not yet identified is requested by a user it’ll crash the Squid?
Any idea how to fix that issue?

Thanks in advance.

Bye Fred

From: Yuri Voinov [mailto:yvoinov@xxxxxxxxx]
> I checked the source code (3.4/3.5) ssl_crtd, the default size is 2048.
>
> -b fs_block_size File system block size in bytes. Need for processing
>                  natural size of certificate on disk. Default value is
>                  2048 bytes."
>
> /**
>  \ingroup ssl_crtd
>  * This is the external ssl_crtd process.
>  */
> int main(int argc, char *argv[])
> {
>     try {
>         size_t max_db_size = 0;
>         size_t fs_block_size = 2048;
>
> But the crazy thing is the index.txt (last line) is wrong, not complete. It seems the tool writes/saves wrong data, that's why it becomes corrupted and crashes the Squid.
>
> We have tried with a single ssl_crtd in the squid.conf, then one per worker, the same corruption.
>
> Bye Fred
>
> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Yuri Voinov
> Sent: Thursday, 9 April 2015 14:52
> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: ***SPAM*** Re: Random SSL bump DB corruption
>
> Don't think this is critical. What is native fs block size?
>
> 09.04.15 13:29, Stakres wrote:
> > Hi Yuri,
> >
> > We have checked the sslproxy_capath, all certifs updated.
> > OpenSSL is: OpenSSL 1.0.1e 11 Feb 2013 (Debian 7.8)
> >
> > Additional point, the auto-signed certif is a 1024, could it be the problem?
> > Maybe we need to use the ssl_crtd with the option "-b 1024"
> > what do you think?
> >
> > example of corrupted db:
> > *V 250402155004Z 7307E4A4E7FC6483C2B1D533821A7D2356DF1B88 unknown /CN=r2---sn-q4f7sn7z.googlevideo.com+Sign=signTrusted+SignHash=SHA256
> > V 250402155004Z 2D1FC87E26AC4D8AB1E6F3B45E2C69EB36C7F8D3 unknown /CN=seal.verisign.com+Sign=signTrusted+SignHash=SHA256
> > 6
> > *
> >
> > the squid crashes when the index.txt becomes wrong... weird...
> >
> > Bye Fred
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
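
An added example, not part of the thread and not Squid code: a small checker that flags malformed records in an ssl_crtd index.txt, such as the truncated last line ("6") quoted above. It assumes the OpenSSL-style layout of six tab-separated fields (status, expiry, revocation date, serial, file name, subject); the function names and SAMPLE are hypothetical, and SAMPLE is constructed from the two records shown in the thread.

```python
import re
import sys

# Assumption: records are tab-separated like an OpenSSL CA index, with an
# empty revocation field for valid ("V") entries.
EXPIRY = re.compile(r"^\d{12}Z$")        # YYMMDDHHMMSSZ
SERIAL = re.compile(r"^[0-9A-Fa-f]+$")   # hex serial / fingerprint

def check_line(line):
    """Return None if the record is well formed, else a reason string."""
    fields = line.rstrip("\r").split("\t")
    if len(fields) != 6:
        return "expected 6 tab-separated fields, got %d" % len(fields)
    status, expiry, revoked, serial, _fname, subject = fields
    if status not in ("V", "R", "E"):
        return "unknown status %r" % status
    if not EXPIRY.match(expiry):
        return "bad expiry %r" % expiry
    if status == "V" and revoked:
        return "valid entry carries a revocation date"
    if not SERIAL.match(serial):
        return "bad serial %r" % serial
    if not subject.startswith("/"):
        return "bad subject %r" % subject
    return None

def find_corruption(text):
    """Return [(line_number, reason)] for every malformed record."""
    problems = []
    lines = text.split("\n")
    if lines[-1] == "":
        lines.pop()                      # normal trailing newline
    else:
        problems.append((len(lines), "file does not end with a newline"))
    for number, line in enumerate(lines, 1):
        reason = check_line(line)
        if reason:
            problems.append((number, reason))
    return problems

# Constructed sample: the two records from the thread plus the stray "6".
SAMPLE = (
    "V\t250402155004Z\t\t7307E4A4E7FC6483C2B1D533821A7D2356DF1B88\tunknown\t"
    "/CN=r2---sn-q4f7sn7z.googlevideo.com+Sign=signTrusted+SignHash=SHA256\n"
    "V\t250402155004Z\t\t2D1FC87E26AC4D8AB1E6F3B45E2C69EB36C7F8D3\tunknown\t"
    "/CN=seal.verisign.com+Sign=signTrusted+SignHash=SHA256\n"
    "6\n"
)

if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for number, reason in find_corruption(data):
        print("line %d: %s" % (number, reason))
```

Run against a copy of the database's index.txt while Squid is stopped, it reports the line numbers that need attention before the helper is restarted.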