Search squid archive

Re: sslbump and caching of generated cert

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

/*
You could assign two workers, each with a different http_port and
ssl_crtd helper using different cert databases.

*/

How to do this? It sounds it might meet our need. 

The reason is that we assign a port for internal, 
so we can use cheap CA (self-generated CA), for the collaboration, we use a diffrent port, 
may need to set up a different CA.

THX

Alex



> Date: Tue, 30 Jun 2015 16:51:51 +1200
> From: squid3@treenet.co.nz
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] sslbump and caching of generated cert
>
> On 30/06/2015 5:35 a.m., Alex Wu wrote:
> > So far as I know, hen sslbump is enabled for a port, for each dns
> > name, squid save a cert generated according to dns name and signing
> > key (from http_port configuration). So the next time, the generated
> > cert can be fetched if the same dns host and configured signing key.
>
> Signing key is just a validation check on the cert. It has nothing else
> to do with the actual cert.
>
> AFAIK generated certs are stored by DN, serial number or hash of the two.
>
> > Now have a question on this:
> >
> > http_port 10045 ssl-bump generate-host-certificates=on
> > dynamic_cert_mem_cache_size=4MB
> > key=/opt/bg/deploy/squid/etc/mydlp/ssl/key_10045.pem
> > cert=/opt/bg/deploy/squid/etc/mydlp/ssl/cert_10045.pem http_port
> > 10046 ssl-bump generate-host-certificates=on
> > dynamic_cert_mem_cache_size=4MB
> > key=/opt/bg/deploy/squid/etc/mydlp/ssl/key_10046.pem
> > cert=/opt/bg/deploy/squid/etc/mydlp/ssl/cert_10046.pem I have two
> > ports configured with SSLBUMP. Each port has its own CA signing key.
> > The desired behavior is that, for the hostname www.foo.com, the
> > certificate generated for the port should use key_10045, and the
> > certificate generated for the port should use key_10046. It seems OK.
> > But, if we look at the ssl_db, only the last generated certificate
> > is cached for www.foo.com. Is it possible to cache the generated
> > certificates by the host and signing key? Alex
>
> Not in the current design.
>
> You could assign two workers, each with a different http_port and
> ssl_crtd helper using different cert databases.
>
>
> What is the point of this anyway? Why do you want to make your users
> face a constant stream of nasty certificate-changed errors?
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux