Re: [squid-users] dynamic ssl certificate generation - ip addresses

2013-11-01 Thread Lennert Rienau
> Because you use client-first bumping on intercepted traffic.
> The only details Squid has at that point are the IP address and port the
> client was connecting to.
>
> You need server-first bumping to contact the server and find out what
> domain(s) its certificate indicates.

Thank you for your answer. When I change it to ssl-server-first mode this error
appears: "FATAL: unknown ssl_bump mode: ssl-server-first".

Should I apply this patch:
http://www.squid-cache.org/mail-archive/squid-dev/201207/att-0144/BumpSslServerFirst-t11-Amos-requests-part.patch
or is there another workaround? I run Squid 3.3.9.

Thanks!


[squid-users] dynamic ssl certificate generation - ip addresses

2013-10-31 Thread Lennert Rienau
Hi,
I want Squid to create dynamic SSL certificates in intercept mode, which works,
but Squid uses IP addresses for the certificates of the site, not the host name.
 
Does anybody know why this happens?
 
squid.conf:

cache_effective_user squid
cache_effective_group squid
 
#acl localhost src 127.0.0.1/32 ::1
acl localnet src 192.168.42.0/24
acl blocknet src 192.168.42.10-192.168.42.50
 
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
 
ssl_bump client-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
always_direct allow all
 
http_access allow all
 
http_port 192.168.42.1:3128 intercept
 
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/ssl_db -M 4MB
sslcrtd_children 5
 
https_port 192.168.42.1:3127 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem

 
Thank you!
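
Added example (not part of the thread and not Squid project code): a small Python check that reads a squid.conf like the one posted above and reports the client-first-on-intercepted-port combination described in the reply, an ssl_bump mode name the parser would reject, and the two directives that switch off upstream certificate checks. The mode set none/client-first/server-first is assumed for the 3.3 series; the function names and finding codes are made up for this illustration.

```python
import re

# ssl_bump mode names in the Squid 3.3 series (assumption, see lead-in).
SQUID_33_BUMP_MODES = {"none", "client-first", "server-first"}

# Constructed sample: the TLS-related directives from the posted squid.conf.
SAMPLE_CONF = """\
ssl_bump client-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
http_port 192.168.42.1:3128 intercept
https_port 192.168.42.1:3127 transparent ssl-bump generate-host-certificates=on cert=/usr/local/squid/ssl_cert/myCA.pem
"""

def directives(conf_text):
    """Yield (name, args) for each directive, ignoring comments and blanks."""
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            yield fields[0], fields[1:]

def lint_ssl_bump(conf_text):
    """Return (code, detail) findings for an SSL-bump configuration."""
    conf = list(directives(conf_text))
    # Intercepted TLS port: Squid starts with only the destination IP and port.
    intercepted = any(n == "https_port" and "ssl-bump" in a
                      and {"intercept", "transparent"} & set(a) for n, a in conf)
    findings = []
    for name, args in conf:
        if name == "ssl_bump" and args:
            if args[0] not in SQUID_33_BUMP_MODES:
                findings.append(("unknown-mode", args[0]))
            elif args[0] == "client-first" and intercepted:
                # Certificate is minted before the origin server is contacted.
                findings.append(("ip-in-generated-cert", "use server-first"))
        elif name == "sslproxy_cert_error" and args[:2] == ["allow", "all"]:
            findings.append(("upstream-cert-errors-ignored", " ".join(args)))
        elif name == "sslproxy_flags":
            if "DONT_VERIFY_PEER" in re.split(r"[:,\s]+", " ".join(args)):
                findings.append(("upstream-verify-off", "DONT_VERIFY_PEER"))
    return findings

if __name__ == "__main__":
    for code, detail in lint_ssl_bump(SAMPLE_CONF):
        print(f"{code}: {detail}")
```

With upstream verification off, the bumping proxy re-signs whatever certificate the origin presents, so clients lose the warning they would otherwise get for an invalid server certificate.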