Search squid archive

Re: ***SPAM*** Re: Random SSL bump DB corruption

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Yuri,

 

We’re trying that :

-          Tproxy

-          ssl_bump bump all

does not work.

 

We have followed the squid wiki regarding iptables rules, sysctl, etc…

Instead “ssl_bump bump all”, if we use “ssl_bump server-first all” , it works, the https is decrypted.

 

So is the tproxy compatible with the new squid 3.5.x ssl_bump options ?

 

Bye Fred

 

De : Yuri Voinov [via Squid Web Proxy Cache] [mailto:ml-node+s1019090n4670662h55@xxxxxxxxxxxxx] 
Envoyé : jeudi 9 avril 2015 15:03
À : Stakres
Objet : Re: ***SPAM*** Re: Random SSL bump DB corruption

 


-----BEGIN PGP SIGNED MESSAGE----- 
Hash: SHA256 
 
I think,first  you can try new stage-based SSL bump with 3.5.x. To do that you must identify problem sites.

If there is no results, you can simple bypass problem sites without bump.

Whole server-first bump, on Squid 3.5.x especially, is not so good idea, I think. Especially on provider-level proxies.

09.04.15 19:09, Vdoctor пишет:
> Yuri,



      >



      >  



      >



      > So what’s next ?



      >



      > Do you mean we must “do-not-ssl-bump” wrong certificats ?



      >



      > And if a certificate not yet identified is requested by an

      user it’ll crash the Squid ?



      >



      >  



      >



      > Any idea how to fix that issue ?



      >



      >  



      >



      > Thanks in advance.



      >



      > Bye Fred



      >



      >  



      >



      > De : Yuri Voinov [[hidden email]] 



      > Envoyé : jeudi 9 avril 2015 15:04



      > À : Vdoctor; [hidden email]



      > Objet : Re: ***SPAM*** Re:  Random SSL bump DB

      corruption



      >



      >  



      >



      >



      > - From my experience, it may occur as a result of forming the

      fake certificate zero length (in the case of the SQUID can not

      complete its formation for any reason).



      >



      > In turn, the formation of such a certificate occurs in

      particular due to any error in the code of the SQUID

      characteristics or if server certificate. In particular, one of

      these servers is iTunes.



      >



      > 09.04.15 19:00, Vdoctor пишет:



      > > Yury,



      >



      >



      >



      >



      >



      >



      >



      >       > I checked the source code (3.4/3.5) ssl_crtd, the

      default



      >



      >       size is 2048.



      >



      >



      >



      >       >     -b fs_block_size     File system block size in

      bytes.



      >



      >       Need for processing



      >



      >



      >



      >       >                          natural size of

      certificate on disk.



      >



      >       Default value is



      >



      >



      >



      >       >                          2048 bytes."



      >



      >



      >



      >



      >



      >



      >



      >       > /**



      >



      >



      >



      >       >  \ingroup ssl_crtd



      >



      >



      >



      >       >  * This is the external ssl_crtd process.



      >



      >



      >



      >       >  */



      >



      >



      >



      >       > int main(int argc, char *argv[])



      >



      >



      >



      >       > {



      >



      >



      >



      >       >     try {



      >



      >



      >



      >       >         size_t max_db_size = 0;



      >



      >



      >



      >       >         size_t fs_block_size = 2048;



      >



      >



      >



      >



      >



      >



      >



      >



      >



      >



      >



      >       > But the crazy thing is the index.txt (last line)

      is wrong,



      >



      >       not complete. It seems the tool writes/saves wrong data

      that's why



      >



      >       it becomes corrupted and crash the Squid.



      >



      >



      >



      >



      >



      >



      >



      >       > We have tried with a single ssl_crtd in the

      squid.conf, then



      >



      >       one per worker, the same corruption.



      >



      >



      >



      >



      >



      >



      >



      >       > Bye Fred



      >



      >



      >



      >



      >



      >



      >



      >       > -----Message d'origine-----



      >



      >



      >



      >       > De : squid-users



      >



      >       [[hidden email]] De

      la part de



      >



      >       Yuri Voinov



      >



      >



      >



      >       > Envoyé : jeudi 9 avril 2015 14:52



      >



      >



      >



      >       > À : [hidden email]



      >



      >



      >



      >       > Objet : ***SPAM*** Re:  Random SSL

      bump DB



      >



      >       corruption



      >



      >



      >



      >



      >



      >



      >



      >



      >



      >



      >



      >       > Don't think this is critical. What is native fs

      block size?



      >



      >



      >



      >



      >



      >



      >



      >       > 09.04.15 13:29, Stakres пишет:



      >



      >



      >



      >       > > Hi Yuri,



      >



      >



      >



      >



      >



      >



      >



      >       > > We have checked the sslproxy_capath, all

      certifs



      >



      >       updated.



      >



      >



      >



      >       > > OpenSSL is: OpenSSL 1.0.1e 11 Feb 2013

      (Debian 7.8)



      >



      >



      >



      >



      >



      >



      >



      >       > > Additional point, the auto-signed certif is a

      1024,



      >



      >       could it be the



      >



      >



      >



      >       > problem



      >



      >



      >



      >       > > ?



      >



      >



      >



      >       > > Maybe we need to use the ssl_crtd with the

      option "-b



      >



      >       1024"



      >



      >



      >



      >       > > what do you think ?



      >



      >



      >



      >



      >



      >



      >



      >       > > example of corrupted db:



      >



      >



      >



      >       > > *V    250402155004Z       



      >



      >       7307E4A4E7FC6483C2B1D533821A7D2356DF1B88   



      >



      >



      >



      >       > unknown



      >



      >



      >



      >       > >



      >



      >      

      /CN=r2---sn-q4f7sn7z.googlevideo.com+Sign=signTrusted+SignHash=SHA256



      >



      >



      >



      >       > > V    250402155004Z       



      >



      >       2D1FC87E26AC4D8AB1E6F3B45E2C69EB36C7F8D3   



      >



      >



      >



      >       > unknown



      >



      >



      >



      >       > >

      /CN=seal.verisign.com+Sign=signTrusted+SignHash=SHA256



      >



      >



      >



      >       > > 6



      >



      >



      >



      >       > > *



      >



      >



      >



      >



      >



      >



      >



      >       > > the squid crash when the index.txt becomes

      wrong...



      >



      >       weird...



      >



      >



      >



      >



      >



      >



      >



      >       > > Bye Fred



      >



      >



      >



      >



      >



      >



      >



      >



      >



      >



      >



      >



      >



      >



      >



      >       > > --



      >



      >



      >



      >       > > View this message in context:



      >



      >



      >



      >



      >



      >

http://squid-web-proxy-cache.1019090.n4.nabble.com/Random-SSL-bump-DB-corruption-tp4670289p4670656.html



      >



      >



      >



      >       > > Sent from the Squid - Users mailing list

      archive at



      >



      >       Nabble.com.



      >



      >



      >



      >       > >

      _______________________________________________



      >



      >



      >



      >       > > squid-users mailing list



      >



      >



      >



      >       > > [hidden email]



      >



      >



      >



      >       > >

      http://lists.squid-cache.org/listinfo/squid-users



      >



      >



      >



      >



      >



      >



      >



      >



      >



      >



      >



      >       > _______________________________________________



      >



      >



      >



      >       > squid-users mailing list



      >



      >



      >



      >       > [hidden email]



      >



      >



      >



      >       > http://lists.squid-cache.org/listinfo/squid-users



      >



      >



      >

-----BEGIN PGP SIGNATURE----- 
Version: GnuPG v2 
 
iQEcBAEBCAAGBQJVJntGAAoJENNXIZxhPexGu5cIAK17uOKYtdAvuZsGUFEd43pS 
eSpzm5mjO9HqIejFis55Ahz5xSHiZLBb++yb/+oV5I/m0CoEOO7Y17qtWAjO56Ni 
D/QRCmdCudrb4uoXWu0AY/+qwECJmAAsAYkigepVS+6u/kw2R1aU1oXt816EgFhq 
XLyh3/92OvArDbn7HxAAMZRQ5Wqdgc7pdI8Bah6iElMHQrcd5FEuK/yyfoxUTdWf 
F4HQa0EFC4Z3xY1AYfTskTcuVIEyZt9N9s5na/b9TcxktxzbPnTon2yg6CtohAqM 
v2u28VIpToDETq8N8qv7DxQtbGz9cXuGsBj6HDYIUZB8NzEA5ETc+BOzG+DxOPQ= 
=rC2l 
-----END PGP SIGNATURE----- 


_______________________________________________ 
squid-users mailing list 
[hidden email] 
http://lists.squid-cache.org/listinfo/squid-users



  _____  

If you reply to this email, your message will be added to the discussion below:

http://squid-web-proxy-cache.1019090.n4.nabble.com/Random-SSL-bump-DB-corruption-tp4670289p4670662.html 

To start a new topic under Squid - Users, email ml-node+s1019090n1019091h54@xxxxxxxxxxxxx 
To unsubscribe from Squid Web Proxy Cache, click here <http://squid-web-proxy-cache.1019090.n4.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=1019090&code=dmRvY3RvckBuZXVmLmZyfDEwMTkwOTB8OTE5NjEzNjUz> .
 <http://squid-web-proxy-cache.1019090.n4.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml> NAML 





--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Random-SSL-bump-DB-corruption-tp4670289p4670663.html
Sent from the Squid - Users mailing list archive at Nabble.com.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users





[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux