Yuri,

We're trying that:
- Tproxy
- ssl_bump bump all

It does not work. We have followed the squid wiki regarding iptables rules, sysctl, etc…

Instead of "ssl_bump bump all", if we use "ssl_bump server-first all", it works, the https is decrypted.

So is the tproxy compatible with the new squid 3.5.x ssl_bump options?

Bye Fred

From: Yuri Voinov [via Squid Web Proxy Cache] [mailto:ml-node+s1019090n4670662h55@xxxxxxxxxxxxx]
Sent: Thursday 9 April 2015 15:03
To: Stakres
Subject: Re: ***SPAM*** Re: Random SSL bump DB corruption

I think, first you can try the new stage-based SSL bump with 3.5.x. To do that you must identify problem sites. If there are no results, you can simply bypass problem sites without bump.

Whole server-first bump, on Squid 3.5.x especially, is not so good an idea, I think. Especially on provider-level proxies.

09.04.15 19:09, Vdoctor wrote:
> Yuri,
>
> So what's next?
> Do you mean we must "do-not-ssl-bump" wrong certificates?
> And if a certificate not yet identified is requested by a user, will it crash the Squid?
>
> Any idea how to fix that issue?
>
> Thanks in advance.
> Bye Fred
>
> From: Yuri Voinov [[hidden email]]
> Sent: Thursday 9 April 2015 15:04
> To: Vdoctor; [hidden email]
> Subject: Re: ***SPAM*** Re: Random SSL bump DB corruption
>
> From my experience, it may occur as a result of forming a zero-length fake certificate (in case the SQUID cannot complete its formation for any reason).
>
> In turn, the formation of such a certificate occurs in particular due to some error in the SQUID code or in the characteristics of the server certificate. In particular, one of these servers is iTunes.
>
> 09.04.15 19:00, Vdoctor wrote:
> > Yury,
> >
> > I checked the source code (3.4/3.5) of ssl_crtd, the default size is 2048.
> >
> >   -b fs_block_size  File system block size in bytes. Need for processing
> >                     natural size of certificate on disk. Default value is
> >                     2048 bytes.
> >
> >   /**
> >    \ingroup ssl_crtd
> >    * This is the external ssl_crtd process.
> >    */
> >   int main(int argc, char *argv[])
> >   {
> >       try {
> >           size_t max_db_size = 0;
> >           size_t fs_block_size = 2048;
> >
> > But the crazy thing is the index.txt (last line) is wrong, not complete. It seems the tool writes/saves wrong data, that's why it becomes corrupted and crashes the Squid.
> >
> > We have tried with a single ssl_crtd in the squid.conf, then one per worker, the same corruption.
> >
> > Bye Fred
> >
> > -----Original Message-----
> > From: squid-users [[hidden email]] On behalf of Yuri Voinov
> > Sent: Thursday 9 April 2015 14:52
> > To: [hidden email]
> > Subject: ***SPAM*** Re: Random SSL bump DB corruption
> >
> > Don't think this is critical. What is native fs block size?
> >
> > 09.04.15 13:29, Stakres wrote:
> > > Hi Yuri,
> > >
> > > We have checked the sslproxy_capath, all certificates updated.
> > > OpenSSL is: OpenSSL 1.0.1e 11 Feb 2013 (Debian 7.8)
> > >
> > > Additional point, the self-signed certificate is 1024-bit, could it be the problem?
> > > Maybe we need to use the ssl_crtd with the option "-b 1024", what do you think?
> > >
> > > Example of corrupted db:
> > > *V 250402155004Z 7307E4A4E7FC6483C2B1D533821A7D2356DF1B88 unknown /CN=r2---sn-q4f7sn7z.googlevideo.com+Sign=signTrusted+SignHash=SHA256
> > > V 250402155004Z 2D1FC87E26AC4D8AB1E6F3B45E2C69EB36C7F8D3 unknown /CN=seal.verisign.com+Sign=signTrusted+SignHash=SHA256
> > > 6
> > > *
> > >
> > > The squid crashes when the index.txt becomes wrong... weird...
> > >
> > > Bye Fred

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Random-SSL-bump-DB-corruption-tp4670289p4670663.html
Sent from the Squid - Users mailing list archive at Nabble.com.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
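A small index.txt sanity check, added here as an illustration and not part of the thread or of Squid itself: it reads an ssl_crtd certificate index in the OpenSSL CA database layout (status, expiry, revocation date, serial, file name, subject) and flags a cut-off trailing record like the "6" line Fred quotes, so the corruption can be caught by a cron job or monitoring check before Squid trips over it. The sample records are constructed from the entries quoted in the thread; the tab-separated layout is an assumption about the on-disk file.

```python
import re

# ssl_crtd's index.txt follows the OpenSSL CA database layout (assumed here):
# status, expiry, revocation date, serial, file name, subject, tab-separated.
FIELD_COUNT = 6
DATE_RE = re.compile(r"^\d{12}Z$")          # e.g. 250402155004Z
SERIAL_RE = re.compile(r"^[0-9A-Fa-f]+$")

def check_index_line(line):
    """Return the list of problems found in one index.txt record (empty if OK)."""
    fields = line.split("\t")
    if len(fields) != FIELD_COUNT:
        return ["expected %d tab-separated fields, got %d" % (FIELD_COUNT, len(fields))]
    status, expiry, revoked, serial, fname, subject = fields
    problems = []
    if status not in ("V", "R", "E"):
        problems.append("bad status %r" % status)
    if not DATE_RE.match(expiry):
        problems.append("bad expiry %r" % expiry)
    if revoked and not DATE_RE.match(revoked):
        problems.append("bad revocation date %r" % revoked)
    if status == "R" and not revoked:
        problems.append("revoked entry without revocation date")
    if not SERIAL_RE.match(serial):
        problems.append("serial is not hex: %r" % serial)
    if not subject.startswith("/"):
        problems.append("subject is not a DN: %r" % subject)
    return problems

def check_index(text):
    """Validate a whole index.txt. A non-empty file that does not end in a
    newline was cut off mid-record, the shape of corruption seen in the thread."""
    truncated = bool(text) and not text.endswith("\n")
    lines = text.splitlines()       # no empty trailing element either way
    errors = []
    for lineno, line in enumerate(lines, 1):
        for problem in check_index_line(line):
            errors.append((lineno, problem))
    return {"records": len(lines), "truncated": truncated, "errors": errors}

# Constructed sample mirroring the corrupted index quoted above: two complete
# records followed by a partial last record ("6") with no trailing newline.
SAMPLE_INDEX = (
    "V\t250402155004Z\t\t7307E4A4E7FC6483C2B1D533821A7D2356DF1B88\tunknown\t"
    "/CN=r2---sn-q4f7sn7z.googlevideo.com+Sign=signTrusted+SignHash=SHA256\n"
    "V\t250402155004Z\t\t2D1FC87E26AC4D8AB1E6F3B45E2C69EB36C7F8D3\tunknown\t"
    "/CN=seal.verisign.com+Sign=signTrusted+SignHash=SHA256\n"
    "6"
)
```

Run `check_index(open(path).read())` against the live ssl_db/index.txt; a non-empty `errors` list or `truncated == True` is the condition to alert on (and to rebuild the database from) rather than waiting for the worker to crash.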