On 2021-05-10 22:26, Stephane Simon wrote:
> Hello,
> I try to configure https with ssl bump. I use redhat 8.
> I follow https://blog.microlinux.fr/squid-https-centos-7/
> When I restart squid, it doesn't cooperate and says:
> "FATAL: The usr/lib64/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 64MB helpers are crashing too rapidly, need help!"
> I don't know how to fix this error. I don't know why I have this error ^^
> Does someone have an idea please?
The helper crashing is required by Squid to generate certificates for bumping.
Without it working perfectly Squid cannot handle any HTTPS traffic.
> http_port 3130
> http_port 3128 intercept
> https_port 3129 intercept ssl-bump \
>   cert=/etc/squid/ssl_cert/certificat.pem \
>   generate-host-certificates=on \
>   dynamic_cert_mem_cache_size=64MB
>
> #SSL certificate generation
> sslcrtd_program usr/lib64/squid/security_file_certgen -s
The path should begin with '/usr/' not just 'usr/'.
> /var/lib/squid/ssl_db -M 64MB
Check that this /var path actually exists, and that the low-privilege account the proxy uses has both read and write access to it.
Run the helper command to initialize the database before starting Squid. Do so using the low-privilege account Squid uses to ensure the database files have correct ownership.
> sslcrtd_children 32 startup=5 idle=1
>
> # SSL-Bump
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all
Please be aware that this configuration is trying to forge server certificates without having any details about the real server certificate. When you are past the helper problem it is likely that this basic configuration will cause a number of TLS problems.
For bumping as much as possible this is a better config:

  acl step1 at_step SslBump1
  ssl_bump peek step1
  ssl_bump stare all
  ssl_bump bump all

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
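
The checks described in the reply above (absolute helper path, existing database directory, read/write access for the proxy account) can be scripted as a pre-flight test. This is an added example, not part of the original thread or of Squid itself; the function name check_sslcrtd is hypothetical, the account name "squid" is an assumption, and the directive is assumed to sit on a single line of squid.conf.

```sh
#!/bin/sh
# Pre-flight check of the sslcrtd_program directive in a squid.conf.
# Run it as the account Squid runs under (assumed to be "squid"), e.g.
#   sudo -u squid sh check_sslcrtd.sh /etc/squid/squid.conf
# so the access test reflects what the helper itself will see.

check_sslcrtd() {
    conf=$1
    problems=0

    # First active (non-comment) sslcrtd_program line.
    line=$(grep -E '^[[:space:]]*sslcrtd_program[[:space:]]' "$conf" 2>/dev/null | head -n 1)
    if [ -z "$line" ]; then
        echo "no sslcrtd_program directive found in $conf"
        return 1
    fi

    # Field 2 is the helper binary; the word after -s is the database directory.
    helper=$(printf '%s\n' "$line" | awk '{ print $2 }')
    db=$(printf '%s\n' "$line" | awk '{ for (i = 3; i < NF; i++) if ($i == "-s") { print $(i + 1); exit } }')

    case $helper in
        /*) if [ ! -f "$helper" ] || [ ! -x "$helper" ]; then
                echo "helper is not an executable file: $helper"
                problems=$((problems + 1))
            fi ;;
        *)  echo "helper path is not absolute: $helper"
            problems=$((problems + 1)) ;;
    esac

    if [ -z "$db" ]; then
        echo "no '-s <directory>' argument on the sslcrtd_program line"
        problems=$((problems + 1))
    elif [ ! -d "$db" ]; then
        echo "database directory does not exist: $db"
        problems=$((problems + 1))
    elif [ ! -r "$db" ] || [ ! -w "$db" ]; then
        echo "$(id -un) lacks read/write access to $db"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ] && echo "sslcrtd_program line looks usable"
    return "$problems"   # number of problems found; 0 means none
}

# Check the file named on the command line, if any.
if [ $# -gt 0 ]; then check_sslcrtd "$1"; fi
```

If the database directory is reported missing, it can be created under the same account with the helper's -c option (security_file_certgen -c -s <directory> -M <size>) before Squid is started.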