Re: [squid-users] sslbump with pkcs11 possible ?

2020-02-12 Thread Amos Jeffries
On 13/02/20 1:54 am, Dieter Bloms wrote:
> Hello,
> 
> I have a working setup with openssl, which uses softhsm as pkcs11
> backend.
> I can sign csr requests with openssl command line tool.
> 
> Now I want to use this mechanism for squid ssl-bump.
> 
> Is it possible to use the pkcs11 mechanism with squid and openssl ?

Not currently. Squid takes credentials from files in PEM format. The
PKCS data formats are quite different.


Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
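The point in the reply is that Squid's `cert=` and `key=` options name PEM files on disk, and a PKCS#11 URI such as `key=pkcs11:id=10` is never opened as a key, which is what the "missing private key" warning and the later FATAL in the question reflect. The following is an added preflight check, not code from Squid or from either poster: it parses an `http_port` line, classifies the `key=` source, and reports a PKCS#11 URI before Squid is reloaded. The `http_port` line and the PEM file contents below are constructed samples (the PEM bodies are fake), and the `read_file` parameter is an assumption of this example so it can run without touching `/etc/squid`.

```python
"""Preflight check for a Squid http_port ssl-bump line: are cert= and key=
PEM files Squid can read, or a PKCS#11 URI it cannot use?"""
import re
from typing import Callable, Dict, List, Optional

# Constructed copy of the http_port line from the question, joined onto one line.
SAMPLE_HTTP_PORT = (
    "http_port MYIP:3128 ssl-bump generate-host-certificates=on "
    "dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cacert.pem "
    "key=pkcs11:id=10 tls-dh=/etc/squid/dhparams.pem"
)

# Constructed stand-in for the files Squid would open. The bodies are fake;
# only the PEM framing matters to this check.
FAKE_FILES = {
    "/etc/squid/cacert.pem": (
        "-----BEGIN CERTIFICATE-----\nMIIB...fake...\n-----END CERTIFICATE-----\n"
    ),
    "/etc/squid/cakey.pem": (
        "-----BEGIN PRIVATE KEY-----\nMIIE...fake...\n-----END PRIVATE KEY-----\n"
    ),
}

PEM_KEY_LABELS = (
    "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
)
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def parse_http_port(line: str) -> Dict[str, str]:
    """Split 'http_port ADDR opt opt=value ...' into a dict; bare flags map to ''."""
    parts = line.split()
    if not parts or parts[0] != "http_port":
        raise ValueError("not an http_port line")
    opts = {"_listen": parts[1]}
    for token in parts[2:]:
        name, _, value = token.partition("=")
        opts[name] = value
    return opts


def pem_labels(text: str) -> List[str]:
    """Labels of every PEM block in the text, e.g. ['CERTIFICATE', 'PRIVATE KEY']."""
    return [m.group(1) for m in _PEM_BLOCK.finditer(text)]


def classify_key_source(value: str, read_file: Callable[[str], Optional[str]]) -> str:
    """Say what kind of thing a key= value points at."""
    if value.startswith("pkcs11:"):
        return "pkcs11-uri"  # an RFC 7512 PKCS#11 URI, not a file Squid can open
    text = read_file(value)
    if text is None:
        return "missing-file"
    if any(label in PEM_KEY_LABELS for label in pem_labels(text)):
        return "pem-key"
    return "no-pem-key"


def preflight(line: str, read_file: Callable[[str], Optional[str]] = FAKE_FILES.get) -> List[str]:
    """Return human-readable findings for an ssl-bump http_port line (empty = OK)."""
    opts = parse_http_port(line)
    findings: List[str] = []
    if "ssl-bump" not in opts:
        return findings  # nothing to sign with, nothing to check
    cert = opts.get("cert")
    if not cert:
        findings.append("ssl-bump without cert=: Squid has no signing certificate")
        return findings
    cert_text = read_file(cert)
    if cert_text is None or "CERTIFICATE" not in pem_labels(cert_text):
        findings.append(f"cert={cert}: no readable PEM CERTIFICATE block")
    # Squid's documented default: with no key=, the private key is read from the cert= file.
    key = opts.get("key", cert)
    kind = classify_key_source(key, read_file)
    if kind == "pkcs11-uri":
        findings.append(
            f"key={key}: PKCS#11 URI; Squid only loads PEM key files, so expect "
            "'missing private key' followed by FATAL 'No valid signing certificate'"
        )
    elif kind == "missing-file":
        findings.append(f"key={key}: file not readable")
    elif kind == "no-pem-key":
        findings.append(f"key={key}: no PEM private-key block found")
    return findings


def read_real_file(path: str) -> Optional[str]:
    """Reader for real use: file contents, or None if it cannot be opened."""
    try:
        with open(path, encoding="ascii", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


if __name__ == "__main__":
    for finding in preflight(SAMPLE_HTTP_PORT) or ["OK: cert= and key= look like PEM files"]:
        print(finding)
```

For a real squid.conf, pass `read_file=read_real_file` and run the check as the same user Squid starts as, so a file that exists but is unreadable to Squid is reported as `missing-file` rather than passing. The check deliberately inspects only PEM framing; whether the key actually matches the certificate is left to `openssl` or to Squid's own startup.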


[squid-users] sslbump with pkcs11 possible ?

2020-02-12 Thread Dieter Bloms
Hello,

I have a working setup with openssl, which uses softhsm as pkcs11
backend.
I can sign csr requests with openssl command line tool.

Now I want to use this mechanism for squid ssl-bump.

Is it possible to use the pkcs11 mechanism with squid and openssl?
I tried something like:

http_port MYIP:3128 ssl-bump generate-host-certificates=on 
dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cacert.pem key=pkcs11:id=10 
tls-dh=/etc/squid/dhparams.pem

but squid claims:

--snip--
2020/02/12 13:50:35| Initializing https:// proxy context
2020/02/12 13:50:35| Initializing http_port MYIP:3128 TLS contexts
2020/02/12 13:50:35| Using certificate in /etc/squid/cacert.pem
2020/02/12 13:50:35| Using certificate chain in /etc/squid/cacert.pem
2020/02/12 13:50:35| Adding issuer CA: /CN=dietershttpsca
2020/02/12 13:50:35| Using key in pkcs11:id=10
2020/02/12 13:50:35| WARNING: 'HTTP_port MYIP:3128' missing private key in 
'pkcs11:id=10'
2020/02/12 13:50:35| storeDirWriteCleanLogs: Starting...
2020/02/12 13:50:35|   Finished.  Wrote 0 entries.
2020/02/12 13:50:35|   Took 0.00 seconds (  0.00 entries/sec).
2020/02/12 13:50:35| FATAL: No valid signing certificate configured for 
HTTP_port MYIP:3128
2020/02/12 13:50:35| Squid Cache (Version 4.10): Terminated abnormally.
CPU Usage: 0.816 seconds = 0.812 user + 0.004 sys
Maximum Resident Size: 42240 KB
Page faults with physical i/o: 0
--snip--

Does anybody know whether squid supports it and, if yes, how to configure it?


-- 
regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.