
Re: Squid 4.11 Howto create SSL Bump certificates with only 3-12 months date of expiry

On 30/06/20 3:13 am, info wrote:
> 
> Hi Squid Community,
> 
> how can I configure Squid to create SSL Bump Certifications with only
> 3-12 months date of expiry?
> 

As you know Squid uses a helper to generate the certificates. You can
write a helper of your own to generate certificates with any
customizations you like.


> Currently, Squid SSL bumped Certifications are valid 20 years in my
> case, way too long, as Apple & Google & Mozilla will trust only <1 Year
> SSL certifications in the future.
> 

The helper bundled with Squid is supposed to be generating certificates
that mimic the same values received from the origin server.

... except that your config below shows that you are requiring
certificates to be generated without any origin Server information.
Which IIRC means that the CA certificate you configured is used as the
information source for dates etc.


> Thanks for any help!
> Schroeffu
> 
> my conf:
> 
> http_port {{ inventory_hostname }}:{{ squid_port }} ssl-bump
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/etc/squid/certs/(***).pem key=/etc/squid/certs/(***).pem
> sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db
> -M 4MB
> always_direct allow all

always_direct is *not* required for SSL-Bump. It was only ever needed
for a 2-week period many years ago for a bug workaround. Please remove
unless you explicitly have other reasons to use it.

> ssl_bump bump !domains_dont_sslbump

There are three solutions you might use. In order of best to worst they are:

1) Fix the ssl_bump behaviour:

 acl step1 at_step SslBump1
 ssl_bump peek step1
 ssl_bump splice domains_dont_sslbump
 ssl_bump stare all
 ssl_bump bump all


2) Fix the CA certificate you are using

Check that the dates configured there give that cert a short validity time. I
expect you have one saying 20 years right now.

You may want to do this even if you do option #1 above.


3) write your own cert generator helper


Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users