Hey Alex,

I have tried to read the documentation and to compose a single certificate validation "call" or "request".
The issue with this is that I am unable to do that.
It would help a lot if a single verification request would be public and available to me and maybe others.

The example shows:
0 cert_validate 1519 host=dmz.example-domain.com
cert_0=-----BEGIN CERTIFICATE-----
MIID+DCCA2GgAwIBAgIJAIDcHRUxB2O4MA0GCSqGSIb3DQEBBAUAMIGvMQswCQYD
...
YpVJGt5CJuNfCcB/
-----END CERTIFICATE-----
error_name_0=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
error_cert_0=cert0

so where is the 0x01 byte and where are the new lines?
Maybe it's written but I do not see it like in the examples of the external_acl helpers.

My assumption for now is that:
## START
0 cert_validate 1519 host=dmz.example-domain.com0x01
cert_0=-----BEGIN CERTIFICATE-----0x01
MIID+DCCA2GgAwIBAgIJAIDcHRUxB2O4MA0GCSqGSIb3DQEBBAUAMIGvMQswCQYD0x01
...
YpVJGt5CJuNfCcB/0x01
-----END CERTIFICATE-----0x01
error_name_0=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT0x01
error_cert_0=cert0\n
## END

I am pretty sure I am wrong since the helper I wrote doesn't work.
In bash I think I can use the next echo:
echo -n -e 'test\x01'
to emulate it but I still don't get it right.

Hope for a hint about the subject.

Thanks,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd@xxxxxxxxx
Zoom: Coming soon

-----Original Message-----
From: Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>
Sent: Monday, December 14, 2020 9:05 PM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Cc: Eliezer Croitor <ngtech1ltd@xxxxxxxxx>
Subject: Re: sslcrtvalidator_program

On 12/14/20 1:55 PM, Eliezer Croitor wrote:
> We can use this as an example for a single transaction in the wiki:
> https://gist.githubusercontent.com/elico/a0397c879776336eeae569317015edc1/raw/b34dff8ece76e480007a950655efff3564afcccc/cache.log
> Let me know if it's enough to document this subject.

I am not sure I understand your question -- the format is already documented.
If you think that attaching an example of a raw helper request to that wiki page would help others, please feel free to do so! Just avoid the implication that all helper requests would have the same set of fields.

Alex.

> -----Original Message-----
> From: Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>
> Sent: Monday, December 14, 2020 6:42 PM
> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Cc: Eliezer Croitor <ngtech1ltd@xxxxxxxxx>
> Subject: Re: sslcrtvalidator_program
>
> On 12/14/20 4:26 AM, Eliezer Croitor wrote:
>> So starts with:
>> 0 cert_validate... line
>
>> And ends with?:
>> error_name_0=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
>> error_cert_0=cert0
>> ?
>
> No. The size of the key=value block is specified on the first request
> line. Please try to follow documentation that Amos has pointed you to:
> https://wiki.squid-cache.org/Features/AddonHelpers#SSL_server_certificate_validator
>
> If that documentation is missing some details, we should fix it.
>
>> I am unsure, let me try to re-read this section.
>> I am missing a fake helper for this..
>> And a "real world" full example.
>
>> Can someone simulate it for me?
>
> Glad you found
> src/security/cert_validators/fake/security_fake_certverify.pl.in. I hope
> it still works!
>
> HTH,
>
> Alex.
>
>> -----Original Message-----
>> From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Amos Jeffries
>> Sent: Monday, December 14, 2020 10:15 AM
>> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
>> Subject: Re: sslcrtvalidator_program
>>
>> On 14/12/20 9:11 am, Eliezer Croitor wrote:
>>> I am trying to understand the way the sslcrtvalidator_program works.
>>> I am pretty sure I have asked this in the past but didn’t find it for some
>>> reason.
>>>
>>> I want to read line by line so.
>>> /^-----BEGIN CERTIFICATE-----$/
>>> ***
>>> /^-----END CERTIFICATE-----$/
>>>
>>> What else should I look for? I was thinking about validating with some extra
>>> values in the request, for example ip/domain:port and sni.
>>> Are these available in some way?
>>
>> The details you need are all here:
>>
>> <https://wiki.squid-cache.org/Features/AddonHelpers#SSL_server_certificate_validator>
>>
>> Notice that it receives chains of certificates - maybe several, and/or
>> out of order. Whatever the client sends.
>>
>> Amos
>> _______________________________________________
>> squid-users mailing list
>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>> http://lists.squid-cache.org/listinfo/squid-users
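
Added example (not part of the original thread and not Squid project code): a Python parser that reads one validator request by the size given on its first line, as Alex's reply describes, instead of scanning for a last field or a BEGIN/END regex alone. Assumptions: the key=value block starts right after the single space that follows the size; the trailing 0x01 in the sample is the byte asked about in the thread and is handed back uninterpreted; the certificate text is a constructed placeholder.

```python
import re

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
HEADER = re.compile(rb"(\d+) (\w+) (\d+) ")  # channel, request code, body size


def parse_request(raw: bytes):
    """Split one helper request into (channel, code, fields, rest)."""
    m = HEADER.match(raw)
    if not m:
        raise ValueError("malformed header")
    channel, code, size = int(m[1]), m[2].decode(), int(m[3])
    body = raw[m.end():m.end() + size]
    if len(body) != size:
        raise ValueError(f"body truncated: got {len(body)} of {size} bytes")
    rest = raw[m.end() + size:]  # bytes after the block, returned uninterpreted
    return channel, code, parse_fields(body.decode("ascii")), rest


def parse_fields(body: str) -> dict:
    """Parse newline-separated key=value pairs; a PEM value spans several lines."""
    fields, pem_key = {}, None
    for line in body.split("\n"):
        if pem_key is not None:  # inside a certificate: never split on '='
            fields[pem_key] += "\n" + line
            if line == PEM_END:
                pem_key = None
            continue
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a key=value line: {line!r}")
        fields[key] = value
        if value == PEM_BEGIN:
            pem_key = key
    if pem_key is not None:
        raise ValueError(f"unterminated certificate in {pem_key}")
    return fields


# Constructed sample: field names and values follow the request quoted in the
# thread; the certificate body is a placeholder, not a real certificate.
SAMPLE_BODY = (
    "host=dmz.example-domain.com\n"
    f"cert_0={PEM_BEGIN}\nQ09OU1RSVUNURUQ=\n{PEM_END}\n"
    "error_name_0=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT\n"
    "error_cert_0=cert0"
).encode()
SAMPLE = b"0 cert_validate %d " % len(SAMPLE_BODY) + SAMPLE_BODY + b"\x01"
```

The base64 line ending in "=" inside the placeholder certificate is kept as part of cert_0 rather than being read as a new key, which is the case a plain split on "=" gets wrong.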