
Re: Squid 4.5 and intermediate CA


 



There should be a new acl named “certificate-fetching”

So I assume you can use something like:

 

acl certfetch transaction_initiator certificate-fetching

http_access allow certfetch

 

Eliezer

 

----

Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx


 

From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of FredB
Sent: Tuesday, January 15, 2019 17:59
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Squid 4.5 and intermediate CA

 

Hi all,

I'm testing squid 4.5 and facing two issues with intermediate CA download

At first there is no source IP and I don't know how to allow this kind of request with an identification acl

172.23.0.9 - user2 [15/Jan/2019:16:34:51 +0100] "CONNECT bugs.squid-cache.org:443 HTTP/1.1" 407 4442 447 TCP_DENIED:HIER_NONE "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0" -

- - - [15/Jan/2019:16:34:51 +0100] "GET http://cert.int-x3.letsencrypt.org/ HTTP/1.1" 407 3536 0 TCP_DENIED:HIER_NONE "-" -

172.23.0.9 - user2 [15/Jan/2019:16:34:51 +0100] "CONNECT bugs.squid-cache.org:443 HTTP/1.1" 200 0 447 NONE:HIER_DIRECT "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0" bump

As you can see, the request to letsencrypt is denied because basic authentication is needed. How can I make a global ACL to allow requests from squid? I tested 127.0.0.1 and local addresses, but without any success

So for testing purposes I removed my identification rules

Now Squid can get the certificate

- - - [15/Jan/2019:16:33:43 +0100] "GET http://cert.int-x3.letsencrypt.org/ HTTP/1.1" 200 9737 0 NONE:HIER_NONE "-" -

172.23.0.9 - - [15/Jan/2019:16:33:43 +0100] "CONNECT bugs.squid-cache.org:443 HTTP/1.1" 200 0 447 NONE:HIER_DIRECT "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0" bump

172.23.0.9 - - [15/Jan/2019:16:33:43 +0100] "GET https://bugs.squid-cache.org/ HTTP/1.1" 503 353 349 NONE:HIER_NONE "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0" -

Cache.log

ssl3_get_server_certificate:certificate verify failed (1/-1/0)

Am I missing something?

Thanks

FredB

 

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
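
An added example, not part of the original thread and not Squid project code: a small check over access.log that lists URLs Squid tried to fetch itself and only ever got denied, which shows whether an allow rule for certificate fetching is taking effect. It assumes the log layout shown in the post and treats a "-" client address as a Squid-initiated request; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Layout as in the post (assumed):
# client ident user [time] "METHOD URL PROTO" status bytes n RESULT:HIER "UA" bump
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \d+ \d+ '
    r'(?P<result>[A-Z_]+):(?P<hier>\S+)'
)

UA = '"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0"'

# Log lines taken from the post: first run with authentication rules in place.
WITH_AUTH = [
    '172.23.0.9 - user2 [15/Jan/2019:16:34:51 +0100] "CONNECT bugs.squid-cache.org:443 HTTP/1.1" 407 4442 447 TCP_DENIED:HIER_NONE ' + UA + ' -',
    '- - - [15/Jan/2019:16:34:51 +0100] "GET http://cert.int-x3.letsencrypt.org/ HTTP/1.1" 407 3536 0 TCP_DENIED:HIER_NONE "-" -',
    '172.23.0.9 - user2 [15/Jan/2019:16:34:51 +0100] "CONNECT bugs.squid-cache.org:443 HTTP/1.1" 200 0 447 NONE:HIER_DIRECT ' + UA + ' bump',
]
# Log lines taken from the post: second run with the identification rules removed.
WITHOUT_AUTH = [
    '- - - [15/Jan/2019:16:33:43 +0100] "GET http://cert.int-x3.letsencrypt.org/ HTTP/1.1" 200 9737 0 NONE:HIER_NONE "-" -',
    '172.23.0.9 - - [15/Jan/2019:16:33:43 +0100] "CONNECT bugs.squid-cache.org:443 HTTP/1.1" 200 0 447 NONE:HIER_DIRECT ' + UA + ' bump',
]


def internal_fetches(lines):
    """Count denied vs. successful requests that carry no client address."""
    summary = defaultdict(lambda: {"denied": 0, "ok": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["client"] != "-":
            continue  # unparsable line, or a request from a real client
        denied = m["status"] in ("403", "407") or m["result"].endswith("_DENIED")
        summary[m["url"]]["denied" if denied else "ok"] += 1
    return dict(summary)


def blocked_urls(lines):
    """URLs Squid requested on its own that were denied and never succeeded."""
    counts = internal_fetches(lines)
    return sorted(u for u, c in counts.items() if c["denied"] and not c["ok"])


if __name__ == "__main__":
    print("blocked with auth rules:", blocked_urls(WITH_AUTH))
    print("blocked without auth rules:", blocked_urls(WITHOUT_AUTH))
```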
