Seems latest 4.0.21 is good enough. Most critical SSL-related bugs are almost closed or closed.
At least the latest 3.5.27 is released. AFAIK this is the minimum for problem-free running.
Repository software sometimes has strange quirks, or is sometimes rancid.
12.09.2017 2:05, Rohit Sodhia wrote:
I'll try to find it, but I read a few articles/SO questions that suggested there were bugs in 4 relating to SSL bumping? If they were wrong, I'd be glad to go forward. Should I be removing the yum squid package and compile my own? Is 3.5 problematic besides being old?
On Mon, Sep 11, 2017 at 4:02 PM, Yuri <yvoinov@xxxxxxxxx> wrote:
Wait. Squid 3.5.20? So ancient?
12.09.2017 1:58, Rohit Sodhia wrote:
I used the line from the Stack Overflow question I linked earlier.
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
On Mon, Sep 11, 2017 at 3:41 PM, Yuri <yvoinov@xxxxxxxxx> wrote:
Well. Let's check more deeply.
Show me the parameter sslcrtd_program in your squid.conf
12.09.2017 1:23, Rohit Sodhia wrote:
Unfortunately, no luck yet. Thank you again for your help before. I found that the user squid and group squid existed already, so I added
cache_effective_user squid
cache_effective_group squid
to my config (first two lines), made sure /var/lib/ssl_db and its contents were set to squid:squid and restarted the service, but I'm still getting the same error :(
On Mon, Sep 11, 2017 at 2:42 PM, Rohit Sodhia <sodhia.rohit@xxxxxxxxx> wrote:
I'll try that immediately, thanks! I appreciate all your advice; hopefully I won't have to reach out again :p
On Mon, Sep 11, 2017 at 2:39 PM, Yuri <yvoinov@xxxxxxxxx> wrote:
I'm not a Linux fanboy, but modern squid never runs as root. So, most probably it runs as the nobody user.
Ah, yes:
# TAG: cache_effective_user
# If you start Squid as root, it will change its effective/real
# UID/GID to the user specified below. The default is to change
# to UID of nobody.
# see also; cache_effective_group
#Default:
# cache_effective_user nobody
# TAG: cache_effective_group
# Squid sets the GID to the effective user's default group ID
# (taken from the password file) and supplementary group list
# from the groups membership.
#
# If you want Squid to run with a specific GID regardless of
# the group memberships of the effective user then set this
# to the group (or GID) you want Squid to run as. When set
# all other group privileges of the effective user are ignored
# and only this GID is effective. If Squid is not started as
# root the user starting Squid MUST be member of the specified
# group.
#
# This option is not recommended by the Squid Team.
# Our preference is for administrators to configure a secure
# user account for squid with UID/GID matching system policies.
#Default:
# Use system group memberships of the cache_effective_user account
As documented. :)
AFAIK the best solution is to create a non-privileged group & user (like squid/squid) and set both these parameters explicitly.
Then change the owner recursively on the SSL cache to this user.
12.09.2017 0:36, Rohit Sodhia wrote:
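A check for the ownership mismatch described above, added here as an example (not code from the thread or from the Squid project): it reads cache_effective_user/cache_effective_group from squid.conf text using the documented defaults, then reports every entry under the ssl_db tree not owned by that identity. The injectable owner_of parameter and the sample tree are constructed for illustration.

```python
# Added example: check Squid's ssl_crtd db is owned by cache_effective_user/_group.
import grp
import os
import pwd
import re

CONF_RE = re.compile(r"^\s*(cache_effective_user|cache_effective_group)\s+(\S+)", re.M)

def effective_identity(conf_text):
    """(user, group) Squid switches to. Defaults per the quoted docs:
    user 'nobody', group None (= that user's system group memberships)."""
    user, group = "nobody", None
    for key, value in CONF_RE.findall(conf_text):
        if key == "cache_effective_user":
            user = value
        else:
            group = value
    return user, group

def tree_paths(root):
    """Every directory and file under root, root itself included."""
    for dirpath, _dirs, files in os.walk(root):
        yield dirpath
        for name in files:
            yield os.path.join(dirpath, name)

def real_owner(path):
    """Owner (user, group) names of path on the local filesystem."""
    st = os.stat(path)
    return pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name

def find_mismatches(paths, user, group, owner_of=real_owner):
    """Entries not owned by user (and group, if configured), as
    (path, owner_user, owner_group). owner_of is injectable for testing."""
    bad = []
    for path in paths:
        u, g = owner_of(path)
        if u != user or (group is not None and g != group):
            bad.append((path, u, g))
    return bad

if __name__ == "__main__":
    # Constructed sample: the thread's config and its root-owned tree; use tree_paths("/var/lib/ssl_db") on a real host.
    conf = "cache_effective_user squid\ncache_effective_group squid\n"
    tree = ["/var/lib/ssl_db", "/var/lib/ssl_db/certs",
            "/var/lib/ssl_db/index.txt", "/var/lib/ssl_db/size"]
    user, group = effective_identity(conf)
    for path, u, g in find_mismatches(tree, user, group, lambda p: ("root", "root")):
        print(f"{path} is {u}:{g}, expected {user}:{group}")
```

Run it as the user that starts Squid; an empty result means the chown -R step has been applied to the whole tree, including the certs subdirectory.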
Neither of those values are set in my config. Even though I'm not using squid for caching, I need those values? They aren't set in the default configs either.
On Mon, Sep 11, 2017 at 2:33 PM, Yuri <yvoinov@xxxxxxxxx> wrote:
Most probably your squid runs as another user than squid.
Check your squid.conf for cache_effective_user and cache_effective_group values.
Then change SSL cache permissions to these values. Should work.
12.09.2017 0:30, Rohit Sodhia wrote:
Thanks for the feedback! I just used yum (it's a CentOS 7 VB) and it set it up like that. I changed the owner and group to squid:squid and tried restarting squid, but still get the same errors. I thought to run the command again, but this time it says
/usr/lib64/squid/ssl_crtd: Cannot create /var/lib/ssl_db
If this folder has incorrect permissions, are there possibly other permission issues?
On Mon, Sep 11, 2017 at 2:25 PM, Yuri <yvoinov@xxxxxxxxx> wrote:
Here is the root of your problem.
Should be (on my setups):
# ls -al /var/lib/ssl_db
total 326
drwxr-xr-x 3 squid squid 5 Sep 5 00:53 .
drwxr-xr-x 8 root other 8 Sep 5 00:53 ..
drwxr-xr-x 2 squid squid 454 Sep 11 23:37 certs
-rw-r--r-- 1 squid squid 280575 Sep 11 23:37 index.txt
-rw-r--r-- 1 squid squid 7 Sep 11 23:37 size
I.e. Squid has no access to the SSL cache dir structures.
12.09.2017 0:23, Rohit Sodhia wrote:
total 8
drwxr-xr-x. 3 root root 48 Sep 11 12:42 .
drwxr-xr-x. 32 root root 4096 Sep 11 12:42 ..
drwxr-xr-x. 2 root root 6 Sep 11 12:42 certs
-rw-r--r--. 1 root root 0 Sep 11 12:42 index.txt
-rw-r--r--. 1 root root 1 Sep 11 12:42 size
On Mon, Sep 11, 2017 at 2:22 PM, Yuri <yvoinov@xxxxxxxxx> wrote:
Show output of
ls -al /var/lib/ssl_db
12.09.2017 0:21, Rohit Sodhia wrote:
Yes, but telling me it's crashing unfortunately doesn't help me figure out why or how to fix it. I've run the command it suggests but it doesn't help. I'm unfortunately not an ops guy familiar with this kind of stuff; I don't see anything on how to figure out what to do about it.
On Mon, Sep 11, 2017 at 2:17 PM, Yuri <yvoinov@xxxxxxxxx> wrote:
It tells you what happens.
11.09.2017 23:50, Rohit Sodhia wrote:
> (ssl_crtd): Uninitialized SSL certificate database directory:
> /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users