Re: ssl_crtd breaks after short time

Hi Amos,

I tried taking the config from James... but I have the exact same issue as described below :(

After adding the extra logging from James's config, I get this in access_log:
1433404085.331 0 10.47.171.244 TCP_DENIED/200 0 CONNECT 216.58.209.106:443 - HIER_NONE/- -

which makes it seem as if squid does NOT see the url I'm trying to access :(

Remember all this worked with 3.4.12 :(

My config as it is now:
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#only contains one ip range - which I'm not accessing
#I don't quite understand what the purpose of this "broken" thing
# is and what it does :(
acl broken dst "/etc/squid/broken.txt"
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

ssl_bump peek step1 broken
ssl_bump peek step2 broken
ssl_bump splice broken
ssl_bump peek step1 all
ssl_bump peek step2 all
ssl_bump bump all

sslproxy_capath /etc/ssl/certs
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# user-defined ACLs
acl okweb-urls url_regex ^http://www.youtube.com/ ^http://vimeo.com/api/oembed.json$ ^https://www.google.com/accounts/ClientLogin$ ^https://www.googleapis.com/analytics/
acl testurls url_regex ^http://www.dr.dk/$ ^https://www.google.dk/$
acl testbox src 10.xx.138.168
acl testsrv1 src 10.xx.130.50

http_access allow testurls testbox
http_access allow testurls testsrv1
http_access allow okweb-urls testsrv1
http_access deny all

http_port 3128
coredump_dir                   /var/spool/squid
maximum_object_size_in_memory  512 KB
maximum_object_size            4096 KB
ignore_expect_100              off
cache_mgr                      root
client_persistent_connections  on
server_persistent_connections  on
access_log                     /var/log/squid/access.log squid

# user-defined configuration settings from config_hash
ssl_bump                       server-first all
sslcrtd_children               8 startup=1 idle=1
sslcrtd_program                /usr/lib64/squid/ssl_crtd -s /etc/ssl/certs/cache/ -M 4MB
https_port                     3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ca.cert cafile=/etc/squid/ca.cert key=/etc/squid/ca.private sslflags=NO_SESSION_REUSE
http_port                      3129 intercept

logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %ssl::>cert_subject %>Hs %<st %Ss:%Sh %ssl::bump_mode

access_log syslog:daemon.info mine


Amos Jeffries wrote on 06/02/2015 05:05 PM:
> On 3/06/2015 2:46 a.m., Klavs Klavsen wrote:
>> Amos Jeffries wrote on 06/02/2015 04:10 PM:
>>> On 3/06/2015 1:45 a.m., Klavs Klavsen wrote:
>>>> Thank you Amos.
>>>>
>>>> I'll build 3.5.5 then..
>>>>
>>>> any config changes I need to be aware of?
>>>
>>> --with-openssl instead of --enable-ssl is the only one that comes to
>>> mind right now. The release notes for 3.4 and 3.5 have the lists.
>>
>>
>> I borrowed the spec from fedora 23.. :)
>>
>> After installing 3.5.5 instead - it now complains when trying to issue
>> certificate :(
>>
>> squid cache log says:
>> Error negotiating SSL connection on FD 10: error:14094412:SSL
>> routines:SSL3_READ_BYTES:sslv3 alert bad certificate
>>
>> client gets:
>> curl: (51) SSL: certificate subject name '64.233.184.103' does not match
>> target host name 'www.google.com'
>>
>> any hints for tests I can do, to figure out the problem would be very
>> much appreciated :)
>
> James Lay has just done some good investigations in his "SSL-bump deep
> dive" thread(s). Compare what he came up with to your config
>
> Amos



--
Regards,
Klavs Klavsen, GSEC - kl@xxxxxxx - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
  --Henry Spencer

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
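As an added example (not code from this thread or from Squid), here is a small Python model of how the posted user-defined http_access lines evaluate the request in the quoted access_log line. It assumes Squid's first-match evaluation and url_regex search semantics, and substitutes constructed addresses for the masked "10.xx" src ACLs. It shows that url_regex patterns anchored on http:// or https:// cannot match the bare IP:port URL of the fake CONNECT that intercept mode hands to http_access before the SNI has been peeked, so the final "deny all" line wins; the last function flags exactly such entries when run over an access.log.

```python
import ipaddress
import re

# Constructed sample: the native-format access.log line quoted in the mail.
SAMPLE_LOG = ("1433404085.331 0 10.47.171.244 TCP_DENIED/200 0 CONNECT "
              "216.58.209.106:443 - HIER_NONE/- -")
# The mail's url_regex ACL; the src ACLs use constructed stand-ins for the masked "10.xx" octet.
URL_ACLS = {"testurls": [r"^http://www.dr.dk/$", r"^https://www.google.dk/$"]}
SRC_ACLS = {"testbox": "10.0.138.168", "testsrv1": "10.0.130.50"}
# The mail's user-defined http_access lines, in order; Squid stops at the first line
# whose ACLs all match.
HTTP_ACCESS = [("allow", ["testurls", "testbox"]),
               ("allow", ["testurls", "testsrv1"]),
               ("deny", ["all"])]

def parse_native_log(line):
    """Split a squid-native access.log line into the fields this check needs."""
    _ts, _ms, client, code_status, _size, method, url, _id, _hier, _ct = line.split()
    code, status = code_status.split("/")
    return {"client": client, "code": code, "status": int(status),
            "method": method, "url": url}

def acl_matches(name, req):
    if name == "all":
        return True
    if name in URL_ACLS:  # url_regex: any pattern searching the request URL
        return any(re.search(p, req["url"]) for p in URL_ACLS[name])
    if name in SRC_ACLS:  # src: client address equality (single-host ACLs in the mail)
        return ipaddress.ip_address(req["client"]) == ipaddress.ip_address(SRC_ACLS[name])
    raise KeyError("unknown acl " + name)

def http_access(req):
    """Walk HTTP_ACCESS the way Squid does and return the verdict for one request."""
    for verdict, acls in HTTP_ACCESS:
        if all(acl_matches(a, req) for a in acls):
            return verdict
    return "deny"  # unreachable here: the last line is "deny all"

def denied_intercepted_connect(entry):
    """True for a TCP_DENIED CONNECT whose URL is a bare IP:port, which is all an
    intercepted TLS connection offers to http_access before the SNI has been peeked."""
    host = entry["url"].rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return entry["method"] == "CONNECT" and entry["code"] == "TCP_DENIED"

entry = parse_native_log(SAMPLE_LOG)
print(entry["url"], "->", http_access(entry), "| flagged:", denied_intercepted_connect(entry))
```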
