Squid not coming up with dynamic host certificate on SSL bump


Have Squid in transparent mode and want to SSL bump all the connections which are not whitelisted, but when given generate-host-certificates=on, Squid keeps crashing when trying to bring it up after a service restart.



/var/log/messages

Jan 30 07:05:52 ban-squid-proxy22 squid[23323]: Squid Parent: (squid-1) process 23441 started
Jan 30 07:05:52 ban-squid-proxy22 (squid-1): The ssl_crtd helpers are crashing too rapidly, need help!
Jan 30 07:05:52 ban-squid-proxy22 squid[23323]: Squid Parent: (squid-1) process 23441 exited with status 1
Jan 30 07:05:52 ban-squid-proxy22 squid[23397]: Squid Parent: (squid-1) process 23449 started
Jan 30 07:05:52 ban-squid-proxy22 (squid-1): The ssl_crtd helpers are crashing too rapidly, need help!
Jan 30 07:05:52 ban-squid-proxy22 squid[23397]: Squid Parent: (squid-1) process 23449 exited with status 1


squid.conf details:

visible_hostname squid

cache deny all

#Handling HTTP requests
http_port 3128 intercept
acl allowed_http_sites dstdomain .amazonaws.com .bbc.com
acl blacklist url_regex -i /.(.*?)
#acl allowed_http_sites dstdomain [you can add other domains to permit]
http_access allow allowed_http_sites
http_access deny blacklist

#Handling HTTPS requests
#https_port 3130 cert=/etc/pki/tls/certs/squidCA.pem ssl-bump intercept
#/root/openssl/squid.crt  squid.csr  /root/openssl/squid.key
https_port 3130 cert=/root/openssl/squid.crt key=/root/openssl/squid.key ssl-bump intercept generate-host-certificates=on version=1 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

acl SSL_port port 443
http_access allow SSL_port
acl allowed_https_sites ssl::server_name .amazonaws.com .cnn.com .yahoo.com .bbc.com

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

ssl_bump peek step1 all
#ssl_bump peek all
ssl_bump splice step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites
ssl_bump bump step2 all

http_access deny all

coredump_dir /var/cache/squid



Command to generate SSL certificate:

sudo openssl genrsa -out squid.key 2048
sudo openssl req -new -key squid.key -out squid.csr -subj "/C=XX/ST=XX/L=squid/O=squid/CN=squid"
sudo openssl x509 -req -days 3650 -in squid.csr -signkey squid.key -out squid.crt


Squid and OS version:

squid -v

Squid Cache: Version 3.5.28
Service Name: squid

This binary uses OpenSSL 1.0.1e-fips 11 Feb 2013. For legal restrictions on distribution see https://www.openssl.org/source/license.html

configure options:  '--prefix=/usr' '--includedir=/usr/include' '--datadir=/usr/share' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--localstatedir=/var' '--sysconfdir=/etc/squid' '--with-logdir=/var/log/squid' '--with-openssl' '--enable-ssl-crtd' --enable-ltdl-convenience

[c5278791@ban-squid-proxy22 ~]$ cat /etc/redhat-release 
CentOS release 6.10 (Final)
[c5278791@ban-squid-proxy22 ~]$ 



Please let me know.

Thanks!
-Bandeep
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
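The post shows the sslcrtd_program line but not whether /var/lib/squid/ssl_db was ever initialised with "ssl_crtd -c" or is writable by the user Squid runs its helpers as; a helper exiting the instant it starts is what both of those produce. The script below is an added diagnostic for that precondition, not code from the original post or from the Squid project; it assumes that ssl_crtd -c creates index.txt, size and certs/ in the database directory and that the helper runs as cache_effective_user (the package default on CentOS is "squid").

```shell
#!/bin/sh
# Added diagnostic for "The ssl_crtd helpers are crashing too rapidly".
# Assumption: "ssl_crtd -c -s DIR -M 4MB" initialises DIR with index.txt,
# size and certs/, and the helper later runs as cache_effective_user.

# check_ssl_db DIR [USER]
# Returns 0 if DIR looks like an initialised ssl_crtd database that USER
# (or the current user, when USER is omitted or we are not root) can write,
# 1 otherwise, printing one line per problem found.
check_ssl_db() {
  db="$1"
  user="${2:-}"
  status=0

  if [ ! -d "$db" ]; then
    echo "missing: $db does not exist; initialise with: ssl_crtd -c -s $db -M 4MB"
    return 1
  fi

  # Files/dirs that an initialised database contains (assumption, see above).
  for entry in index.txt size certs; do
    [ -e "$db/$entry" ] || { echo "missing: $db/$entry (database not initialised?)"; status=1; }
  done

  if [ -n "$user" ] && [ "$(id -u)" -eq 0 ]; then
    # Test writability as the helper's own user, not as root: root can write
    # anywhere, which hides exactly the ownership problem we are looking for.
    su -s /bin/sh "$user" -c "test -w '$db' && test -w '$db/index.txt'" \
      || { echo "not writable by $user: $db (check ownership and SELinux context)"; status=1; }
  else
    [ -w "$db" ] || { echo "not writable by $(id -un): $db"; status=1; }
  fi

  return $status
}

# For the configuration in the post, run as root:
#   check_ssl_db /var/lib/squid/ssl_db squid
```

A non-zero exit with "missing" lines means the database needs to be created (as root, then chown'ed to the helper's user) before generate-host-certificates=on can work; a "not writable" line means the directory exists but the helper cannot update it.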
