On 07.10.2015 16:48, Amos Jeffries wrote:
>> or
>> sslcrtvalidator_program cache=8192 ttl=240 /usr/lib64/squid/cert_valid.pl
>> sslcrtvalidator_children 12 startup=5 idle=1 concurrency=1
>>
>> can I have a working sample of valid_cert.pl that results in an "access
>> denied" or any other error page of squid?
>
> An ERR result from the helper should result in the invalid certificate
> handling happening in Squid. Whether that results in a particular error
> page (or not) depends on several things I'm not completely certain about.

Not really, nothing different happens;

>> (it may bring this on any page that is ssl_bumped, so I know the
>> interface, because this here:
>> http://wiki.squid-cache.org/Features/SslServerCertValidator is wrong;
>
> Ah. I see the concurrency channel is not documented, but is being sent.
> What Squid version are you using?

I'm using squid 3.4.10, the build from Eliezer
http://www1.ngtech.co.il/rpm/centos/6/x86_64/squid-3.4.10-1.el6.x86_64.rpm
and
http://www1.ngtech.co.il/rpm/centos/6/x86_64/squid-helpers-3.4.10-1.el6.x86_64.rpm
be careful, this is part of the helper script above, to catch the content
that's sent to the helper ...

>> instead of /usr/lib64/squid/cert_valid.pl I used a bash-script with this
>> content
>>
>>   #!/bin/bash
>>   myprog 2>>/tmp/pre.log | /usr/lib64/squid/cert_valid.pl
>>
>> and the C source of myprog:
>>
>>   #include <fcntl.h>
>>   #include <stdio.h>
>>   #include <unistd.h>   /* read() and write() */
>>
>>   /* copy everything read on stdin to both stdout (on to cert_valid.pl)
>>      and stderr (appended to /tmp/pre.log by the shell wrapper) */
>>   int main( int argc, char* argv[ ] )
>>   {
>>       static char szBuf[ 260 ];
>>       int nLen;
>>       while( ( nLen = read( 0, (void*) szBuf, 256 ) ) > 0 )
>>       {
>>           write( 1, (void*) szBuf, nLen );
>>           write( 2, (void*) szBuf, nLen );
>>       }
>>       return 0;
>>   }
>
> This helper is broken. The protocol here or even other helpers, has never
> been to dump the input back to Squid.
> Input and output "lines" have different syntax and contents.

of course ...

>> so I got the ident content as stdout and stderr and there I caught e.g.
>> this:
>>
>>   <CATCH CONTENT>
>>   0 cert_validate 3373 host=revoked.grc.com cert_0=-----BEGIN CERTIFICATE-----<snip>-----END CERTIFICATE-----
>>   </CATCH CONTENT>
>>
>> with this I could program a correct certificate validator using OpenSSL,
>> but I MUST have a little bit more precise knowledge about the correct
>> interface; can someone please explain how the 3373 of the CATCH CONTENT
>> above is calculated?
>
> Documented in the wiki: "Total size of the following request bytes taken
> by the key=pair parameters."
>
> That is the byte size of the "host=...END CERTIFICATE-----" key-pair part
> of the message.

Ok, I'll try if something was kicked away ...

>> returns always "0 OK 0 \1" what does \1 mean here?
>
> \1 is the binary code (0x01) for end of line/message this helper requires.
> We cannot use \n like other helpers since several \n are part of the cert
> PEM format.

is this also true for requests this helper receives?

Thanks, Walter
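A worked example, added here and not part of the thread or of Squid's own helper code: a small Python parser for the request format captured above (channel id, cert_validate, the byte count Amos describes, then the key=value pairs) that checks the count before trusting the input, plus builders for a request and for a "0 OK 0 \1" style reply. It assumes requests are terminated with the same 0x01 byte as replies and that key=value pairs are separated by single spaces; FAKE_PEM is a constructed placeholder, not a real certificate.

```python
EOM = b"\x01"                 # messages end with 0x01, not "\n": PEM bodies contain newlines
PEM_END = b"-----END CERTIFICATE-----"

def parse_cert_validate_request(msg: bytes) -> dict:
    """Parse '<channel> cert_validate <size> key=value ...\\x01' from Squid.

    <size> is the byte length of the key=value part. A helper should verify it
    before acting on the certificates, so a truncated or garbled request is
    rejected instead of being validated.
    """
    if not msg.endswith(EOM):
        raise ValueError("request not terminated by 0x01")
    channel, name, size, params = msg[:-1].split(b" ", 3)
    if name != b"cert_validate":
        raise ValueError("unexpected request %r" % name)
    if int(size) != len(params):
        raise ValueError("size %s does not match %d parameter bytes" % (size.decode(), len(params)))
    fields, pos = {}, 0
    while pos < len(params):
        eq = params.index(b"=", pos)
        key = params[pos:eq].decode()
        if key.startswith("cert_"):
            # PEM values contain newlines and '=' padding, so scan to the END marker
            end = params.index(PEM_END, eq) + len(PEM_END)
        else:
            end = params.find(b" ", eq)
            end = len(params) if end == -1 else end
        fields[key] = params[eq + 1:end]
        pos = end
        while pos < len(params) and params[pos:pos + 1] in (b" ", b"\n"):
            pos += 1          # skip the separator before the next key (assumed: a single space)
    return {"channel": channel.decode(), "fields": fields}

def build_request(channel: str, fields: list) -> bytes:
    """Build a request the way Squid does, computing <size> from the key=value pairs."""
    params = b" ".join(k.encode() + b"=" + v for k, v in fields)
    return b"%s cert_validate %d %s" % (channel.encode(), len(params), params) + EOM

def build_response(channel: str, ok: bool, body: bytes = b"") -> bytes:
    """Helper reply '<channel> OK|ERR <size> <body>\\x01'; with an empty body this is '0 OK 0 \\x01'."""
    status = b"OK" if ok else b"ERR"
    return b" ".join([channel.encode(), status, str(len(body)).encode(), body]) + EOM

# Constructed stand-in for a certificate: only the PEM framing matters to the parser.
FAKE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIBszCCAV2gAwIBAgIJALCQ==\n" + PEM_END

if __name__ == "__main__":
    req = build_request("0", [("host", b"revoked.grc.com"), ("cert_0", FAKE_PEM)])
    print(parse_cert_validate_request(req))
    print(build_response("0", True))
```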
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users