Thanks a lot for your help!!
I'll look at that soon :)
Regards, kbvz/Stephane
On Wed., May 12, 2021 at 14:46, squid3@xxxxxxxxxxxxx <squid3@xxxxxxxxxxxxx> wrote:
On 2021-05-10 22:26, Stephane Simon wrote:
> Hello,
>
> I try to configure https with ssl bump.
> I use redhat 8.
>
> I follow https://blog.microlinux.fr/squid-https-centos-7/
> When I restart squid, it doesn't cooperate and says:
>
> "FATAL: The usr/lib64/squid/security_file_certgen -s
> /var/lib/squid/ssl_db -M 64MB helpers are crashing too rapidly, need
> help!"
>
> I don't know how to fix this error.. I don't know why I have this error ^^
>
> Does someone have an idea please?
The helper crashing is required by Squid to generate certificates for
bumping.
Without it working perfectly Squid cannot handle any HTTPS traffic.
>
> http_port 3130
> http_port 3128 intercept
> https_port 3129 intercept ssl-bump \
> cert=/etc/squid/ssl_cert/certificat.pem \
> generate-host-certificates=on \
> dynamic_cert_mem_cache_size=64MB
>
> #SSL certificate generation
> sslcrtd_program usr/lib64/squid/security_file_certgen -s
The path should begin with '/usr/' not just 'usr/'
> /var/lib/squid/ssl_db -M 64MB
Check that this /var path actually exists, and that the low-privilege
account the proxy uses has both read and write access to it.
Run the helper command to initialize the database before starting Squid.
Do so using the low-privilege account Squid uses to ensure the database
files have correct ownership.
> sslcrtd_children 32 startup=5 idle=1
>
> # SSL-Bump
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all
>
Please be aware that this configuration is trying to forge server
certificates without having any details about the real server
certificate. When you are past the helper problem it is likely that this
basic configuration will cause a number of TLS problems.
For bumping as much as possible this is a better config:
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump stare all
ssl_bump bump all
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
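
The checks from the reply above (absolute helper path, existing database directory, read and write access for the account Squid uses), written as a shell preflight function. This is an added example, not part of the original thread; `check_sslcrtd` is a hypothetical name, and it assumes the `sslcrtd_program` directive sits on a single line in squid.conf.

```shell
# Added example (not from the thread): preflight checks for the
# sslcrtd_program directive, following the points made in the reply.
# Assumption: the directive is on one line in the configuration file.
check_sslcrtd() {
    conf=$1
    problems=0
    # Matching on $1 skips commented-out copies of the directive.
    helper=$(awk '$1 == "sslcrtd_program" { print $2; exit }' "$conf")
    db=$(awk '$1 == "sslcrtd_program" {
                  for (i = 3; i < NF; i++)
                      if ($i == "-s") { print $(i + 1); exit }
              }' "$conf")

    if [ -z "$helper" ]; then
        echo "no sslcrtd_program directive in $conf"
        return 1
    fi

    # The helper path must be absolute ('/usr/...', not 'usr/...').
    case $helper in
        /*) if [ ! -x "$helper" ]; then
                echo "helper not found or not executable: $helper"
                problems=$((problems + 1))
            fi ;;
        *)  echo "helper path is not absolute: $helper"
            problems=$((problems + 1)) ;;
    esac

    # The -s directory must exist and be readable and writable by the
    # account running this check, so run it as the account Squid uses.
    if [ -z "$db" ]; then
        echo "no -s <database directory> argument"
        problems=$((problems + 1))
    elif [ ! -d "$db" ]; then
        echo "database directory missing: $db (create it with the helper's -c option)"
        problems=$((problems + 1))
    elif [ ! -r "$db" ] || [ ! -w "$db" ]; then
        echo "database not readable and writable by $(id -un): $db"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}
```

Source the function and call it with the path to squid.conf while running as the low-privilege account Squid uses, since the access test applies to whoever runs it.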