On 1/18/21 11:53 AM, Eliezer Croitoru wrote:
> I have tried to read the documentation and to compose a single certificate validation "call" or "request".
> It would help a lot if a single verification request would be public and available to me and maybe others.

As I said, please feel free to add that example to the wiki. I do not have one, but you should be able to collect a sample using strace or helper debugging.

> The example shows:
> 0 cert_validate 1519 host=dmz.example-domain.com
> cert_0=-----BEGIN CERTIFICATE-----
> MIID+DCCA2GgAwIBAgIJAIDcHRUxB2O4MA0GCSqGSIb3DQEBBAUAMIGvMQswCQYD
> ...
> YpVJGt5CJuNfCcB/
> -----END CERTIFICATE-----
> error_name_0=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
> error_cert_0=cert0

> so where is the 0x01 byte

I have not checked carefully, but I do not think the 0x01 delimiter is used for certificate generation or validation requests. Their framing should be size-based, not EOM-delimiter based -- it does not make sense to use both at once! If you can confirm that suspicion, you should fix the Squid wiki accordingly.

> and where are the new lines?

Probably where you see them in the sample.

> Hope for a hint about the subject.

You should be able to collect it using strace or by adding debugging to a test helper that simply prints everything it receives, using, say, c-string escapes or URL encoding for any special character.

HTH,

Alex.

> -----Original Message-----
> From: Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>
> Sent: Monday, December 14, 2020 9:05 PM
> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Cc: Eliezer Croitor <ngtech1ltd@xxxxxxxxx>
> Subject: Re: sslcrtvalidator_program
>
> On 12/14/20 1:55 PM, Eliezer Croitor wrote:
>
>> We can use this as an example for a single transaction in the wiki:
>> https://gist.githubusercontent.com/elico/a0397c879776336eeae569317015edc1/raw/b34dff8ece76e480007a950655efff3564afcccc/cache.log
>
>> Let me know if it's enough to document this subject.
>
> I am not sure I understand your question -- the format is already
> documented. If you think that attaching an example of a raw helper
> request to that wiki page would help others, please feel free to do so!
> Just avoid the implication that all helper requests would have the same
> set of fields.
>
> Alex.
>
>
>> -----Original Message-----
>> From: Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>
>> Sent: Monday, December 14, 2020 6:42 PM
>> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
>> Cc: Eliezer Croitor <ngtech1ltd@xxxxxxxxx>
>> Subject: Re: sslcrtvalidator_program
>>
>> On 12/14/20 4:26 AM, Eliezer Croitor wrote:
>>> So starts with:
>>> 0 cert_validate... line
>>
>>> And ends with?:
>>> error_name_0=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
>>> error_cert_0=cert0
>>> ?
>>
>> No. The size of the key=value block is specified on the first request
>> line. Please try to follow documentation that Amos has pointed you to:
>> https://wiki.squid-cache.org/Features/AddonHelpers#SSL_server_certificate_validator
>>
>> If that documentation is missing some details, we should fix it.
>>
>>
>>> I am unsure, let me try to re-read this section.
>>> I am missing a fake helper for this..
>>> And a "real world" full example.
>>
>>> Can someone simulate it for me?
>>
>> Glad you found
>> src/security/cert_validators/fake/security_fake_certverify.pl.in. I hope
>> it still works!
>>
>>
>> HTH,
>>
>> Alex.
>>
>>
>>> -----Original Message-----
>>> From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Amos Jeffries
>>> Sent: Monday, December 14, 2020 10:15 AM
>>> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
>>> Subject: Re: sslcrtvalidator_program
>>>
>>> On 14/12/20 9:11 am, Eliezer Croitor wrote:
>>>> I am trying to understand the way the sslcrtvalidator_program works.
>>>> I am pretty sure I have asked this in the past but didn't find it for some
>>>> reason.
>>>>
>>>> I want to read line by line so.
>>>> /^-----BEGIN CERTIFICATE-----$/
>>>> ***
>>>> /^-----END CERTIFICATE-----$/
>>>>
>>>> What else should I look for? I was thinking about validating with some extra
>>>> values in the request, for example ip/domain:port and sni.
>>>> Are these available in some way?
>>>
>>>
>>> The details you need are all here:
>>>
>>> <https://wiki.squid-cache.org/Features/AddonHelpers#SSL_server_certificate_validator>
>>>
>>> Notice that it receives chains of certificates - maybe several, and/or
>>> out of order. Whatever the client sends.
>>>
>>>
>>> Amos
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>>> http://lists.squid-cache.org/listinfo/squid-users
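The two suggestions in this thread, a test helper that dumps everything it receives with c-string escapes and a reader that honours the size-based framing of the `cert_validate` request instead of scanning line by line, as an added Python example that is not part of the thread and not Squid's own code. It assumes only what the thread states: the request starts with `<channel> cert_validate <body-length> ` and the key=value body is exactly that many bytes, with `cert_N` values spanning the PEM lines from BEGIN to END. The sample request and its PEM blob are constructed here (not a real certificate), and `build_request` exists only to frame that sample consistently; the response side of the protocol is not covered.

```python
"""Debug and parse Squid cert_validate helper requests (added example)."""
import sys

CMD = b"cert_validate"


def c_escape(data: bytes) -> str:
    """Render raw bytes with C-string escapes so newlines, a stray 0x01
    byte and any other control bytes become visible in the helper's log."""
    out = []
    for b in data:
        if b == 0x5C:
            out.append("\\\\")
        elif b == 0x0A:
            out.append("\\n")
        elif b == 0x0D:
            out.append("\\r")
        elif b == 0x09:
            out.append("\\t")
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append("\\x%02x" % b)
    return "".join(out)


def parse_body(body: bytes) -> dict:
    """Parse the key=value block. A value beginning with a PEM BEGIN line
    continues until the matching END line (the cert_N entries)."""
    fields = {}
    lines = body.decode("ascii", errors="replace").split("\n")
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed key=value line: %r" % line)
        if value.startswith("-----BEGIN "):
            pem = [value]
            while i < len(lines) and not lines[i].startswith("-----END "):
                pem.append(lines[i])
                i += 1
            if i >= len(lines):
                raise ValueError("unterminated PEM block for %s" % key)
            pem.append(lines[i])
            i += 1
            value = "\n".join(pem)
        fields[key] = value
    return fields


def parse_request(raw: bytes):
    """Split one size-framed request '<channel> cert_validate <len> <body>'
    off the front of a byte buffer. Returns (message, remaining) or
    (None, raw) when the buffer does not yet hold the whole body."""
    raw = raw.lstrip(b"\r\n")
    parts = raw.split(b" ", 3)
    if len(parts) < 4:
        return None, raw                 # header not complete yet
    channel, cmd, size, rest = parts
    if cmd != CMD:
        raise ValueError("unexpected command %r" % cmd)
    n = int(size)
    if len(rest) < n:
        return None, raw                 # body still arriving: keep buffering
    body, remaining = rest[:n], rest[n:]
    return {"channel": int(channel), "size": n, "fields": parse_body(body)}, remaining


def build_request(channel: int, fields) -> bytes:
    """Frame a request with the body length on the first line. Used here
    only to construct a test sample; a real helper never sends requests."""
    body = "".join("%s=%s\n" % (k, v) for k, v in fields).encode("ascii")
    return b"%d %s %d " % (channel, CMD, len(body)) + body


# Constructed sample: the PEM body is filler, not a real certificate.
FAKE_PEM = "\n".join([
    "-----BEGIN CERTIFICATE-----",
    "MIIDxxxxCONSTRUCTEDxxxxNOTAREALCERTIFICATExxxx",
    "YpVJGt5CJuNfCcB/",
    "-----END CERTIFICATE-----",
])
SAMPLE = build_request(0, [
    ("host", "dmz.example-domain.com"),
    ("cert_0", FAKE_PEM),
    ("error_name_0", "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT"),
    ("error_cert_0", "cert0"),
])

if __name__ == "__main__":
    # Test-helper mode: log every byte Squid writes to us, escaped, and
    # parse complete requests as they accumulate in the buffer.
    buf = b""
    while True:
        chunk = sys.stdin.buffer.read1(65536)
        if not chunk:
            break
        sys.stderr.write(c_escape(chunk) + "\n")
        buf += chunk
        while True:
            msg, buf = parse_request(buf)
            if msg is None:
                break
            sys.stderr.write("parsed: %r\n" % msg)
```

Run it as the validator with stdin fed by Squid (or by piping `SAMPLE` into it) and the escaped dump on stderr answers the "where are the newlines" question directly, while `parse_request` shows why a line-oriented reader is the wrong model: it only returns a message once the declared number of body bytes has arrived, and it never looks for an end-of-message delimiter.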