I have been trying to get this working for days without success. Trying to set up Squid with https inspection as an explicit proxy.

On OpenBSD current (# uname -srv -> OpenBSD 5.9 GENERIC.MP#1783)

Running squid from packages (# pkg_info | grep squid -> squid-3.5.13)

# squid -v
Squid Cache: Version 3.5.13
Service Name: squid
configure options: '--disable-strict-error-checking' '--disable-arch-native' '--enable-shared' '--datadir=/usr/local/share/squid' '--libexecdir=/usr/local/libexec/squid' '--disable-loadable-modules' '--enable-arp-acl' '--enable-auth' '--enable-delay-pools' '--enable-follow-x-forwarded-for' '--enable-forw-via-db' '--enable-http-violations' '--enable-icap-client' '--enable-ipv6' '--enable-referer-log' '--enable-removal-policies=lru heap' '--enable-ssl' '--enable-ssl-crtd' '--with-openssl' '--enable-storeio=aufs ufs diskd' '--with-default-user=_squid' '--with-filedescriptors=8192' '--with-krb5-config=no' '--with-pidfile=/var/run/squid.pid' '--with-pthreads' '--with-swapdir=/var/squid/cache' '--disable-pf-transparent' '--enable-ipfw-transparent' '--enable-external-acl-helpers=LDAP_group SQL_session file_userip time_quota unix_group wbinfo_group LDAP_group eDirectory_userip' '--prefix=/usr/local' '--sysconfdir=/etc/squid' '--mandir=/usr/local/man' '--infodir=/usr/local/info' '--localstatedir=/var/squid' '--disable-silent-rules' '--disable-gtk-doc' 'CC=cc' 'CFLAGS=-O2 -pipe' 'LDFLAGS=-L/usr/local/lib' 'CPPFLAGS=-I/usr/local/include' 'CXX=c++' 'CXXFLAGS=-O2 -pipe'

(as above, compiled with enable-ssl and enable-ssl-crtd)

With a basic squid.conf file:

# cat /etc/squid/squid.conf
-----
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
http_access deny !Safe_ports
http_access allow localnet
http_access deny all
http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
ssl_bump stare all
ssl_bump bump all
always_direct allow all
sslproxy_cafile /etc/ssl/cert.pem
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/ssl_db -M 8MB
sslcrtd_children 32 startup=5 idle=1
cache_dir ufs /var/squid/cache 50000 64 512
coredump_dir /var/squid/cache
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
-----

Certificates made per the squid wiki at: http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

# cd /etc/squid/ssl_cert
# openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout myCA.pem -out myCA.pem

# ls -lah /etc/squid
drwxr-xr-x 4 root wheel 512B Jan 24 20:33 .
drwxr-xr-x 35 root wheel 2.0K Jan 23 16:17 ..
-rw-r--r-- 1 root wheel 692B Jan 17 10:22 cachemgr.conf
-rw-r--r-- 1 root wheel 1.8K Jan 17 10:22 errorpage.css
-rw-r--r-- 1 root wheel 11.8K Jan 17 10:22 mime.conf
-rw-r--r-- 1 root wheel 1.1K Jan 24 21:36 squid.conf
drwx------ 2 _squid _squid 512B Jan 24 18:23 ssl_cert

# ls -lah /etc/squid/ssl_cert
drwx------ 2 _squid _squid 512B Jan 24 18:23 .
drwxr-xr-x 3 root wheel 512B Jan 24 23:39 ..
-rw------- 1 _squid _squid 2.9K Jan 24 17:07 myCA.pem

Made a .der version:

# openssl x509 -in myCA.pem -outform DER -out myCA.der

And imported it into the "Authorities" section of Firefox certificate store, giving it all "trust settings."

ssl_crtd is present and executable:

# ls -lah /usr/local/libexec/squid/ssl_crtd
-r-xr-xr-x 1 root bin 97.7K Jan 15 16:31 /usr/local/libexec/squid/ssl_crtd

Created dynamic certificate directory structure:

# /usr/local/libexec/squid/ssl_crtd -c -s /var/squid/ssl_db
# chown -R _squid._squid /var/squid/ssl_db

# ls -lah /var/squid
drwxrwx--x 5 _squid _squid 512B Jan 24 23:42 .
drwxr-xr-x 25 root wheel 512B Jan 19 19:47 ..
drwxrwx--x 66 _squid _squid 1.0K Jan 24 21:44 cache
drwxrwxr-x 2 _squid _squid 512B Jan 24 03:00 logs
drwxr-xr-x 3 _squid _squid 512B Jan 24 23:42 ssl_db

# ls -lah /var/squid/ssl_db
drwxr-xr-x 3 _squid _squid 512B Jan 24 23:42 .
drwxrwx--x 5 _squid _squid 512B Jan 24 23:42 ..
drwxr-xr-x 2 _squid _squid 512B Jan 24 23:42 certs
-rw-r--r-- 1 _squid _squid 0B Jan 24 23:42 index.txt
-rw-r--r-- 1 _squid _squid 1B Jan 24 23:42 size

No "serial" present, so it was added:

# echo "101" > /var/squid/ssl_db/serial
# chown _squid /var/squid/ssl_db/serial

squid starts without error:

# /usr/local/sbin/squid -d 1 -N
2016/01/24 23:45:53| Set Current Directory to /var/squid/cache
2016/01/24 23:45:53| Starting Squid Cache version 3.5.13 for x86_64-unknown-openbsd5.9...
2016/01/24 23:45:53| Service Name: squid
2016/01/24 23:45:53| Process ID 763
2016/01/24 23:45:53| Process Roles: master worker
2016/01/24 23:45:53| With 128 file descriptors available
2016/01/24 23:45:53| Initializing IP Cache...
2016/01/24 23:45:53| DNS Socket created at [::], FD 10
2016/01/24 23:45:53| DNS Socket created at 0.0.0.0, FD 11
2016/01/24 23:45:53| Adding domain wynnychenko.com from /etc/resolv.conf
2016/01/24 23:45:53| Adding nameserver 10.0.28.128 from /etc/resolv.conf
2016/01/24 23:45:53| Adding nameserver 10.0.28.129 from /etc/resolv.conf
2016/01/24 23:45:53| helperOpenServers: Starting 5/32 'ssl_crtd' processes
2016/01/24 23:45:53| Logfile: opening log daemon:/var/squid/logs/access.log
2016/01/24 23:45:53| Logfile Daemon: opening log /var/squid/logs/access.log
2016/01/24 23:45:53| Unlinkd pipe opened on FD 28
2016/01/24 23:45:53| Store logging disabled
2016/01/24 23:45:53| Swap maxSize 51200000 + 262144 KB, estimated 3958626 objects
2016/01/24 23:45:53| Target number of buckets: 197931
2016/01/24 23:45:53| Using 262144 Store buckets
2016/01/24 23:45:53| Max Mem size: 262144 KB
2016/01/24 23:45:53| Max Swap size: 51200000 KB
2016/01/24 23:45:53| Rebuilding storage in /var/squid/cache (clean log)
2016/01/24 23:45:53| Using Least Load store dir selection
2016/01/24 23:45:53| Set Current Directory to /var/squid/cache
2016/01/24 23:45:54| Finished loading MIME types and icons.
2016/01/24 23:45:54| HTCP Disabled.
2016/01/24 23:45:54| Adaptation support is off.
2016/01/24 23:45:54| Accepting SSL bumped HTTP Socket connections at local=[::]:3128 remote=[::] FD 31 flags=9
2016/01/24 23:45:54| Accepting SSL bumped HTTP Socket connections at local=0.0.0.0:3128 remote=[::] FD 32 flags=9
2016/01/24 23:45:54| Done reading /var/squid/cache swaplog (312 entries)
2016/01/24 23:45:54| Finished rebuilding storage from disk.
2016/01/24 23:45:54| 312 Entries scanned
2016/01/24 23:45:54| 0 Invalid entries.
2016/01/24 23:45:54| 0 With invalid flags.
2016/01/24 23:45:54| 312 Objects loaded.
2016/01/24 23:45:54| 0 Objects expired.
2016/01/24 23:45:54| 0 Objects cancelled.
2016/01/24 23:45:54| 0 Duplicate URLs purged.
2016/01/24 23:45:54| 0 Swapfile clashes avoided.
2016/01/24 23:45:54| Took 0.06 seconds (4937.57 objects/sec).
2016/01/24 23:45:54| Beginning Validation Procedure
2016/01/24 23:45:54| Completed Validation Procedure
2016/01/24 23:45:54| Validated 312 Entries
2016/01/24 23:45:54| store_swap_size = 4850.00 KB
2016/01/24 23:45:54| storeLateRelease: released 0 objects

running as expected:

# ps aux | grep squid
_squid 26037 0.0 0.1 844 4824 ?? Ss 11:46PM 0:00.03 (ssl_crtd) -s /var/squid/ssl_db -M 8MB -b 2048 (ssl_crtd)
_squid 6398 0.0 0.1 840 4836 ?? Ss 11:46PM 0:00.03 (ssl_crtd) -s /var/squid/ssl_db -M 8MB -b 2048 (ssl_crtd)
_squid 12848 0.0 0.1 840 4852 ?? Ss 11:46PM 0:00.05 (ssl_crtd) -s /var/squid/ssl_db -M 8MB -b 2048 (ssl_crtd)
_squid 5788 0.0 0.1 840 4844 ?? Ss 11:46PM 0:00.03 (ssl_crtd) -s /var/squid/ssl_db -M 8MB -b 2048 (ssl_crtd)
_squid 13372 0.0 0.1 844 4844 ?? Ss 11:46PM 0:00.06 (ssl_crtd) -s /var/squid/ssl_db -M 8MB -b 2048 (ssl_crtd)
_squid 17491 0.0 0.0 444 1616 ?? Ss 11:46PM 0:00.04 (logfile-daemon) /var/squid/logs/access.log (log_file_daemon)
_squid 13973 0.0 0.0 320 1452 ?? Ss 11:46PM 0:00.07 (unlinkd) (unlinkd)
_squid 896 0.3 0.2 18132 19132 p0 S+ 11:46PM 0:00.43 /usr/local/sbin/squid -d 1 -N
root 19831 0.0 0.0 160 304 p1 R+ 11:46PM 0:00.00 grep squid

Now, I point Firefox at the proxy, and the proxy works with http.

For example: http://www.squid-cache.org/ is rendered in the browser, and /var/squid/logs/access.log shows:

1453701132.838 2412 10.0.128.10 TCP_MISS_ABORTED/000 0 GET http://www.squid-cache.org/ - HIER_DIRECT/209.169.10.131 -
1453701132.941 93 10.0.128.10 TCP_MISS/200 3533 GET http://www.squid-cache.org/ - HIER_DIRECT/209.169.10.131 text/html
1453701133.013 44 10.0.128.10 TCP_MISS/200 1715 GET http://www.squid-cache.org/default.css - HIER_DIRECT/209.169.10.131 text/css
1453701133.115 101 10.0.128.10 TCP_MISS/200 29148 GET http://www.squid-cache.org/Images/img4.jpg - HIER_DIRECT/209.169.10.131 image/jpeg
1453701133.116 95 10.0.128.10 TCP_MISS/200 459 GET http://www.squid-cache.org/Images/img2.gif - HIER_DIRECT/209.169.10.131 image/gif
1453701133.117 95 10.0.128.10 TCP_MISS/200 789 GET http://www.squid-cache.org/Images/img3.gif - HIER_DIRECT/209.169.10.131 image/gif
1453701133.117 96 10.0.128.10 TCP_MISS/200 797 GET http://www.squid-cache.org/Images/img1.gif - HIER_DIRECT/209.169.10.131 image/gif
1453701133.117 94 10.0.128.10 TCP_MISS/200 442 GET http://www.squid-cache.org/Images/img5.gif - HIER_DIRECT/209.169.10.131 image/gif
1453701133.123 98 10.0.128.10 TCP_MISS/200 440 GET http://www.squid-cache.org/Images/img7.gif - HIER_DIRECT/209.169.10.131 image/gif
1453701133.123 99 10.0.128.10 TCP_MISS/200 775 GET http://www.squid-cache.org/Images/img8.gif - HIER_DIRECT/209.169.10.131 image/gif
1453701133.211 44 10.0.128.10 TCP_MISS/200 1763 GET http://www.squid-cache.org/favicon.ico - HIER_DIRECT/209.169.10.131 image/vnd.microsoft.icon

and reloading http://www.squid-cache.org/ shows:

1453701223.042 0 10.0.128.10 TCP_HIT/200 3543 GET http://www.squid-cache.org/ - HIER_NONE/- text/html
1453701223.198 130 10.0.128.10 TCP_REFRESH_MODIFIED/200 1715 GET http://www.squid-cache.org/default.css - HIER_DIRECT/209.169.10.131 text/css
1453701223.248 48 10.0.128.10 TCP_REFRESH_UNMODIFIED/304 248 GET http://www.squid-cache.org/Images/img4.jpg - HIER_DIRECT/209.169.10.131 -
1453701223.306 101 10.0.128.10 TCP_REFRESH_UNMODIFIED/304 246 GET http://www.squid-cache.org/Images/img2.gif - HIER_DIRECT/209.169.10.131 -
1453701223.307 101 10.0.128.10 TCP_REFRESH_UNMODIFIED/304 247 GET http://www.squid-cache.org/Images/img1.gif - HIER_DIRECT/209.169.10.131 -
1453701223.307 99 10.0.128.10 TCP_REFRESH_UNMODIFIED/304 247 GET http://www.squid-cache.org/Images/img8.gif - HIER_DIRECT/209.169.10.131 -
1453701223.307 98 10.0.128.10 TCP_REFRESH_UNMODIFIED/304 246 GET http://www.squid-cache.org/Images/img7.gif - HIER_DIRECT/209.169.10.131 -
1453701223.307 101 10.0.128.10 TCP_REFRESH_UNMODIFIED/304 247 GET http://www.squid-cache.org/Images/img3.gif - HIER_DIRECT/209.169.10.131 -
1453701223.307 100 10.0.128.10 TCP_REFRESH_UNMODIFIED/304 246 GET http://www.squid-cache.org/Images/img5.gif - HIER_DIRECT/209.169.10.131 -

But, if I try to connect to an https site like google: https://google.com, nothing happens, and the browser is just spinning with "Connecting..." displayed. The squid instance (running in the foreground) spits out a line:

2016/01/24 23:56:57| hold write on SSL connection on FD 26

If I try another https site like yahoo: https://yahoo.com, nothing happens in the browser either, just "Connecting..." But, the squid instance spits out:

2016/01/24 23:59:04| Error negotiating SSL on FD 19: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2016/01/24 23:59:04| Error negotiating SSL on FD 21: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)

Now, if I remove the "ssl_bump stare all" line from squid.conf, and try: https://yahoo.com

Firefox returns:
-----
This Connection is Untrusted
You have asked Firefox to connect securely to yahoo.com, but we can't confirm that your connection is secure.
...
yahoo.com uses an invalid security certificate.
The certificate is only valid for ...
(Error code: ssl_error_bad_cert_domain)
-----

And trying: https://google.com

Firefox returns:
-----
This Connection is Untrusted
You have asked Firefox to connect securely to www.google.com, but we can't confirm that your connection is secure.
...
This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate.
www.google.com uses an invalid security certificate.
The certificate is only valid for ...
(Error code: ssl_error_bad_cert_domain)
-----

In both instances, the certificate being presented to the Firefox client is the "Squid CA" certificate created above.

And, checking:

# ls -lah /var/squid/ssl_db
drwxr-xr-x 3 _squid _squid 512B Jan 24 23:44 .
drwxrwx--x 5 _squid _squid 512B Jan 24 23:42 ..
drwxr-xr-x 2 _squid _squid 512B Jan 24 23:42 certs
-rw-r--r-- 1 _squid _squid 0B Jan 24 23:42 index.txt
-rw-r--r-- 1 _squid _squid 4B Jan 24 23:44 serial
-rw-r--r-- 1 _squid _squid 1B Jan 24 23:42 size

# ls -lah /var/squid/ssl_db/certs
drwxr-xr-x 2 _squid _squid 512B Jan 24 23:42 .
drwxr-xr-x 3 _squid _squid 512B Jan 24 23:44 ..

shows no changes.

It appears that this is a problem with dynamic certificate creation, but I have no idea how to proceed. I have been blindly playing with configuration changes and directives, but have never had a "better" outcome than what is described above.

Any help would be greatly appreciated.

Thanks
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
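Added example (editor's addition, not from the original post and not Squid's own tooling): a small static lint in Python for the SslBump prerequisites the wiki page linked above spells out, run over a squid.conf and a CA bundle constructed from the post. It checks that an http_port carries ssl-bump with cert=, that the file named by cert= holds both the CA private key and the certificate (which is what the single-file "openssl req -x509 -keyout myCA.pem -out myCA.pem" command writes, and what Squid needs to sign mimicked certificates), that sslcrtd_program points at its -s database, and that the ssl_bump rules use Squid 3.5 actions. Nothing is read from disk; the caller passes the PEM text for each cert= path, and the placeholder PEM bodies and the "broken" config below are constructed for illustration.

```python
"""Static sanity check for a Squid 3.5 SslBump explicit-proxy config.

Added example, not part of the original post or of Squid. Encodes the
SslBumpExplicit prerequisites: an http_port with ssl-bump and cert=<CA>,
a cert= bundle that holds BOTH the CA key and certificate (or a key=),
an ssl_crtd helper with its -s database, and ssl_bump rules using the
3.5 actions. Nothing is read from disk: PEM text is passed in by path.
"""

PEM_KEY_MARKERS = (
    "-----BEGIN PRIVATE KEY-----",
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----BEGIN EC PRIVATE KEY-----",
    "-----BEGIN ENCRYPTED PRIVATE KEY-----",
)
PEM_CERT_MARKER = "-----BEGIN CERTIFICATE-----"
SSL_BUMP_ACTIONS = {"peek", "stare", "bump", "splice", "terminate", "none"}
DEPRECATED_ACTIONS = {"client-first", "server-first"}  # pre-3.5 bumping modes


def parse_squid_conf(text):
    """Yield (directive, [args]); '#' starts a comment (regex args containing '#' are not handled)."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0], parts[1:]


def parse_http_port(args):
    """Split 'http_port 3128 ssl-bump cert=... key=value' into (port, flags, options)."""
    flags, options = set(), {}
    for tok in args[1:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            options[key] = value
        else:
            flags.add(tok)
    return args[0], flags, options


def pem_blocks(pem_text):
    """Return (has_private_key, has_certificate) for a PEM bundle."""
    return any(m in pem_text for m in PEM_KEY_MARKERS), PEM_CERT_MARKER in pem_text


def check_ssl_bump_config(conf_text, pem_files):
    """Return 'ERROR: ...' / 'WARN: ...' findings; an empty list means the prerequisites are met."""
    directives = {}
    for name, args in parse_squid_conf(conf_text):
        directives.setdefault(name, []).append(args)
    findings = []

    bump_ports = []
    for args in directives.get("http_port", []) + directives.get("https_port", []):
        if args:
            port, flags, opts = parse_http_port(args)
            if "ssl-bump" in flags:
                bump_ports.append((port, opts))
    if not bump_ports:
        findings.append("ERROR: no http_port/https_port carries the ssl-bump flag; nothing will be bumped")

    for port, opts in bump_ports:
        cert = opts.get("cert")
        if not cert:
            findings.append(f"ERROR: port {port}: ssl-bump needs cert=<CA pem>")
        elif cert not in pem_files:
            findings.append(f"WARN: port {port}: contents of cert={cert} not supplied, key/cert not checked")
        else:
            has_key, has_cert = pem_blocks(pem_files[cert])
            if not has_cert:
                findings.append(f"ERROR: port {port}: {cert} has no CERTIFICATE block")
            if not has_key and "key" not in opts:
                findings.append(f"ERROR: port {port}: {cert} has no private key and no key= option; "
                                "Squid cannot sign mimicked certificates")
        if opts.get("generate-host-certificates") == "off":
            findings.append(f"WARN: port {port}: generate-host-certificates=off; per-host certificates disabled")

    if bump_ports:
        if "sslcrtd_program" not in directives:
            findings.append("WARN: sslcrtd_program not set; confirm the ssl_crtd helper and its -s database")
        if "ssl_bump" not in directives:
            findings.append("ERROR: ssl-bump port configured but no ssl_bump rules")
    for args in directives.get("sslcrtd_program", []):
        if "-s" not in args:
            findings.append("ERROR: sslcrtd_program lacks -s <ssl_db> (the directory created with 'ssl_crtd -c -s DIR')")
    for args in directives.get("ssl_bump", []):
        action = args[0] if args else ""
        if action in DEPRECATED_ACTIONS:
            findings.append(f"WARN: ssl_bump {action} is deprecated in 3.5; use peek/stare then bump/splice")
        elif action not in SSL_BUMP_ACTIONS:
            findings.append(f"ERROR: ssl_bump '{action}' is not a known action")
    return findings


# Constructed from the squid.conf in the post above (SslBump-relevant lines only).
POST_CONF = """\
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
http_access allow localnet
http_access deny all
http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
ssl_bump stare all
ssl_bump bump all
always_direct allow all
sslproxy_cafile /etc/ssl/cert.pem
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/ssl_db -M 8MB
sslcrtd_children 32 startup=5 idle=1
"""
# Placeholder PEM bodies (constructed, not real key material); only the markers matter here.
KEY_AND_CERT_PEM = ("-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
                    "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
CERT_ONLY_PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
# Deliberately broken variant (constructed): cert-only bundle, helper without -s, pre-3.5 action.
BROKEN_CONF = """\
http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=off
ssl_bump client-first all
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -M 8MB
"""

if __name__ == "__main__":
    for label, conf, pem in (("post", POST_CONF, KEY_AND_CERT_PEM), ("broken", BROKEN_CONF, CERT_ONLY_PEM)):
        print(label, check_ssl_bump_config(conf, {"/etc/squid/ssl_cert/myCA.pem": pem}) or ["ok"])
```

Run against the post's own configuration and a bundle that carries both blocks, the lint reports nothing, which is consistent with the startup log (ssl_crtd helpers started, ports accepting "SSL bumped" connections) and narrows the problem to what happens at runtime rather than to a missing directive. The checks are deliberately limited to what can be decided from the text: whether the CA certificate in the bundle is actually a CA (basicConstraints CA:TRUE), whether the ssl_db is writable by _squid, and why the helper produced no certificates are runtime questions the config alone cannot answer.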