[squid-users] Help with server-first and mimic server certificate

2013-02-14 Thread Prasanna Venkateswaran
Hi,
  I have been trying to set up Squid so that it can intercept HTTPS
traffic without client (read it as browser proxy) changes. I am using
the latest Squid, 3.3.1. When I actually open an HTTPS site I still see
the certificate with the parameters I provided (for myCA.pem) and I
don't see any of the original certificate's properties being mimicked.
I have listed my config below. Please let me know whether I am missing
anything. Pardon me if I am overlooking any config. I am relatively new
to Squid.

My iptable config:

Chain PREROUTING (policy ACCEPT)
target     prot opt source      destination
REDIRECT   tcp  --  anywhere    anywhere    tcp dpt:www redir ports 3128
REDIRECT   tcp  --  anywhere    anywhere    tcp dpt:https redir ports 3129


My Squid config:

http_access deny all
always_direct allow all
ssl_bump server-first all

# Squid normally listens to port 3128
http_port 3128 transparent
https_port 3129 intercept cert=/etc/squid/ssl_cert/myCA.pem ssl-bump

#icap settings
icap_service service_url_check reqmod_precache bypass=on icap://127.0.0.1:1344/url_check
icap_enable on
icap_preview_size 128
icap_service_failure_limit -1
icap_preview_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_client_username_encode on
adaptation_service_set  class_url_check  service_url_check
adaptation_access  class_url_check  allow all

 Thanks & Regards,
Prasanna


Re: [squid-users] Help with server-first and mimic server certificate

2013-02-19 Thread Prasanna Venkateswaran
Hi Amos,
Thanks for your help. By adding
"generate-host-certificates=on" to the config I could see the host
servers' certificates being mimicked.

https_port 3129 intercept generate-host-certificates=on cert=/etc/squid/ssl_cert/myCA.pem ssl-bump

Regards,
Prasanna

On 2/15/13, Amos Jeffries  wrote:
> On 15/02/2013 2:23 a.m., Prasanna Venkateswaran wrote:
>> Hi,
>>    I have been trying to set up Squid so that it can intercept HTTPS
>> traffic without client (read it as browser proxy) changes. I am using
>> the latest Squid, 3.3.1. When I actually open an HTTPS site I still see
>> the certificate with the parameters I provided (for myCA.pem) and I
>> don't see any of the original certificate's properties being mimicked.
>> I have listed my config below. Please let me know whether I am missing
>> anything. Pardon me if I am overlooking any config. I am relatively new
>> to Squid.
>>
>> My iptable config:
>>
>> Chain PREROUTING (policy ACCEPT)
>> target     prot opt source      destination
>> REDIRECT   tcp  --  anywhere    anywhere    tcp dpt:www redir ports 3128
>> REDIRECT   tcp  --  anywhere    anywhere    tcp dpt:https redir ports 3129
>>
>>
>> My Squid config:
>>
>> http_access deny all
>> always_direct allow all
>> ssl_bump server-first all
>>
>> # Squid normally listens to port 3128
>> http_port 3128 transparent
>> https_port 3129 intercept cert=/etc/squid/ssl_cert/myCA.pem ssl-bump
>
> Mimic only works when the certificate is being created by Squid.
>
> The above config line is a _static_ certificate configuration. Whatever
> request arrives at squid will be SSL setup using myCA.pem keys - which
> were created by you in advance and are fixed.
>
> What you are needing is a _dynamic_ certificate configuration. With the
> CA certificate, private key= certificate and generate-* SSL options
> enabled on this port to allow Squid to create new certificates as needed.
>
>
> Amos
>
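
A check for the distinction Amos draws above, added here as an example and not code from Squid or from anyone in this thread: it parses an https_port line and reports whether the listener is a static cert= setup (one fixed certificate presented for every site, so nothing can be mimicked) or a dynamic one with generate-host-certificates=on. The two sample directives are the original and the corrected line from this thread; the lint rules (intercept or tproxy expected for traffic REDIRECTed by iptables, a note when dynamic_cert_mem_cache_size is left at Squid's default) are this example's own and not anything Squid itself enforces.

```python
import shlex
from typing import Dict, List, Tuple

# Added example, not Squid's own code: classify an https_port directive as a
# static or dynamic certificate setup, the distinction made in the reply above.

# The two directives from this thread: the original (static) and the fixed one.
STATIC_LINE = "https_port 3129 intercept cert=/etc/squid/ssl_cert/myCA.pem ssl-bump"
DYNAMIC_LINE = ("https_port 3129 intercept generate-host-certificates=on "
                "dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem ssl-bump")


def parse_https_port(line: str) -> Tuple[str, Dict[str, str], List[str]]:
    """Split 'https_port <addr> [options]' into address, key=value options, bare flags."""
    tokens = shlex.split(line.strip())
    if len(tokens) < 2 or tokens[0] != "https_port":
        raise ValueError("not an https_port directive: %r" % line)
    opts: Dict[str, str] = {}
    flags: List[str] = []
    for tok in tokens[2:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            opts[key] = value
        else:
            flags.append(tok)
    return tokens[1], opts, flags


def certificate_mode(line: str) -> str:
    """'dynamic' (Squid generates a cert per origin), 'static' (one fixed cert),
    'no-bump' (no ssl-bump flag) or 'broken' (ssl-bump without a signing cert)."""
    _, opts, flags = parse_https_port(line)
    if "ssl-bump" not in flags:
        return "no-bump"
    if "cert" not in opts:
        return "broken"
    if opts.get("generate-host-certificates", "off") == "on":
        return "dynamic"
    return "static"


def lint_https_port(line: str) -> List[str]:
    """Warnings before relying on server-first bumping; the rules are this example's own."""
    warnings: List[str] = []
    mode = certificate_mode(line)
    _, opts, flags = parse_https_port(line)
    if mode == "static":
        warnings.append("cert= without generate-host-certificates=on: every site gets "
                        "the fixed certificate from %s, nothing is mimicked" % opts["cert"])
    elif mode == "broken":
        warnings.append("ssl-bump set but no cert= signing certificate")
    if "intercept" not in flags and "tproxy" not in flags:
        warnings.append("neither intercept nor tproxy: traffic REDIRECTed by iptables "
                        "will not be handled as intercepted connections")
    if mode == "dynamic" and "dynamic_cert_mem_cache_size" not in opts:
        warnings.append("dynamic_cert_mem_cache_size not set; generated certificates "
                        "are cached with Squid's default size (4MB in 3.3)")
    return warnings


if __name__ == "__main__":
    for line in (STATIC_LINE, DYNAMIC_LINE):
        print(certificate_mode(line), lint_https_port(line))
```

Run it against your own squid.conf line before looking at the browser: the static/dynamic verdict is exactly the difference between the two https_port lines in this thread, and it is cheaper to read than a certificate viewer.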


[squid-users] ssl_crtd does not create or initialize db and Squid crashes

2013-03-27 Thread Prasanna Venkateswaran
Hi,
I am trying to get the new dynamic certificate generation
functionality working with squid-3.3.1. After compiling and installing, when I
try to initialize the certificate db with ssl_crtd it simply does
nothing. As a result Squid crashes with "FATAL: The ssl_crtd helpers
are crashing too rapidly, need help!"

root@TonidoPlug2:~# sudo /lib/squid/ssl_crtd -c -s /var/lib/ssl_db
root@TonidoPlug2:~#

   I don't see even the usual output of "Initialization SSL db...". No
error either! The configure options I used are:

root@TonidoPlug2:~# /usr/sbin/squid -v
Squid Cache: Version 3.3.1
configure options:  '--prefix=/usr' '--localstatedir=/var'
'--libexecdir=/lib/squid' '--srcdir=.' '--datadir=/share/squid'
'--sysconfdir=/etc/squid' '--with-default-user=proxy'
'--with-logdir=/var/log' '--with-pidfile=/var/run/squid.pid'
'--enable-icap-client' '--enable-ssl' '--enable-ssl-crtd'
--enable-ltdl-convenience

   I did not specify "--enable-ltdl-convenience". It has probably been
added automatically.

Here is my env details.

root@TonidoPlug2:~# cat /etc/debian_version
6.0

root@TonidoPlug2:~# uname -a
Linux TonidoPlug2 2.6.31.8-topkick1281p2-001-004-20101214 #1 Thu Jun
16 10:06:20 CST 2011 armv5tel GNU/Linux

root@TonidoPlug2:~# file /lib/squid/ssl_crtd
/lib/squid/ssl_crtd: ELF 32-bit LSB executable, ARM, version 1 (SYSV),
dynamically linked (uses shared libs), for GNU/Linux 2.6.18, not
stripped

Am I missing something here? Has anyone faced a similar problem?
Please help.

Regards,
Prasanna


Re: [squid-users] ssl_crtd does not create or initialize db and Squid crashes

2013-03-28 Thread Prasanna Venkateswaran
Amos,
Thank you so much. That change fixed the issue. Will the
change be available in the next stable version, say 3.3.4?

Regards,
Prasanna

On 3/28/13, Amos Jeffries  wrote:
> On 28/03/2013 6:09 a.m., Prasanna Venkateswaran wrote:
>> Hi,
>>  I am trying to get the new dynamic certificate generation
>> functionality working with squid-3.3.1. After compiling and installing, when I
>> try to initialize the certificate db with ssl_crtd it simply does
>> nothing. As a result Squid crashes with "FATAL: The ssl_crtd helpers
>> are crashing too rapidly, need help!"
>>
>> root@TonidoPlug2:~# sudo /lib/squid/ssl_crtd -c -s /var/lib/ssl_db
>> root@TonidoPlug2:~#
>>
>> I don't see even the usual output of "Initialization SSL db...". No
>> error either! The configure options I used are:
> 
>> root@TonidoPlug2:~# uname -a
>> Linux TonidoPlug2 2.6.31.8-topkick1281p2-001-004-20101214 #1 Thu Jun
>> 16 10:06:20 CST 2011 armv5tel GNU/Linux
>>
>> root@TonidoPlug2:~# file /lib/squid/ssl_crtd
>> /lib/squid/ssl_crtd: ELF 32-bit LSB executable, ARM, version 1 (SYSV),
>> dynamically linked (uses shared libs), for GNU/Linux 2.6.18, not
>> stripped
>
> ARM plug device?
> It is probably a signedness bug we fixed in
> http://www.squid-cache.org/Versions/v3/3.HEAD/changesets/squid-3-12739.patch
>
> Amos
>


[squid-users] Need help on SSL bump and certificate chain

2013-04-09 Thread Prasanna Venkateswaran
Hi,
 I am using Squid 3.3.1 to enable the dynamic certificate
generation functionality and it works fine with a self-signed
certificate. I now have an actual signed certificate and the SSL chain
is such that my certificate -> CA1 -> Root CA.

 I cleared the previous cert db directory and re-initialized it. I
then created a cert.chain file in the format mentioned below.

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
< my private key >
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

squid.conf:
https_port 3129 intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/cert.chain ssl-bump

But when I start Squid, I get the following error.

/usr/sbin/squid start
sh: (null): not found
FATAL: No valid signing SSL certificate configured for https_port 0.0.0.0:3129
Squid Cache (Version 3.3.1): Terminated abnormally.
CPU Usage: 0.050 seconds = 0.050 user + 0.000 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 0


  I also tried with just my cert and private key, without the chain
information, and I get the same error there also. Am I missing
something here?

Regards,
Prasanna


[squid-users] Re: Need help on SSL bump and certificate chain

2013-04-10 Thread Prasanna Venkateswaran
Hi,
I spent more time on this today by looking at the code. I see from
the code that Squid does not accept certificates which require a
passphrase to read the private key.

In the function readSslPrivateKey(...), I see this:
EVP_PKEY *pkey = PEM_read_bio_PrivateKey(bio.get(), NULL, passwd_callback, NULL);

   The passphrase argument is NULL. The certificate file I was
using requires a passphrase to read the keys while the self-signed
certificate does not require it, and hence it was working.

   Am I right in my understanding? Is this the way Squid is
designed to work, or is this a bug?

Regards,
Prasanna

On 4/9/13, Prasanna Venkateswaran  wrote:
> Hi,
>  I am using Squid 3.3.1 to enable the dynamic certificate
> generation functionality and it works fine with a self-signed
> certificate. I now have an actual signed certificate and the SSL chain
> is such that my certificate -> CA1 -> Root CA.
>
>  I cleared the previous cert db directory and re-initialized it. I
> then created a cert.chain file in the format mentioned below.
>
> -----BEGIN CERTIFICATE-----
> 
> -----END CERTIFICATE-----
> -----BEGIN RSA PRIVATE KEY-----
> < my private key >
> -----END RSA PRIVATE KEY-----
> -----BEGIN CERTIFICATE-----
> 
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> 
> -----END CERTIFICATE-----
>
> squid.conf:
> https_port 3129 intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/cert.chain ssl-bump
>
> But when I start Squid, I get the following error.
>
> /usr/sbin/squid start
> sh: (null): not found
> FATAL: No valid signing SSL certificate configured for https_port
> 0.0.0.0:3129
> Squid Cache (Version 3.3.1): Terminated abnormally.
> CPU Usage: 0.050 seconds = 0.050 user + 0.000 sys
> Maximum Resident Size: 0 KB
> Page faults with physical i/o: 0
>
>
>   I also tried with just my cert and private key, without the chain
> information, and I get the same error there also. Am I missing
> something here?
>
> Regards,
> Prasanna
>


Re: [squid-users] Need help on SSL bump and certificate chain

2013-04-11 Thread Prasanna Venkateswaran
Hi Guy,
 We want to be a man-in-the-middle, but we want to get the
approval from clients/end-users out of band by having them accept the terms and
conditions. The self-signed certificates are sort of OK with browsers,
but many other applications like Dropbox sync, AV DAT updates, VPN,
etc. fail because of the untrusted certificate. On top of that we have
some headless devices in our network as well. Since we have
this information in our terms and conditions anyway, we would like to move to
a trusted chain so that all the applications work as expected.

Gentlemen,
  I see some users have already asked for help/reported a bug about the
same thing, e.g.
http://www.squid-cache.org/mail-archive/squid-users/201112/0197.html

  I also see that changes have been made in Squid to support this
behavior as well:
http://www.squid-cache.org/mail-archive/squid-dev/201110/0207.html

 I followed the steps from this thread for configuration and I
still don't see the chain information sent to the clients:
http://www.squid-cache.org/mail-archive/squid-users/201109/0037.html

  So has the behavior of Squid changed recently? Or am I
missing something in my configuration? How do I make Squid send the
entire certificate chain to clients? Please help.

Regards,
Prasanna
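
The cert.chain layout in the first post, the passphrase finding in the follow-up and the missing-chain question above all come down to what is in the cert= file, so here is an inspector for that file, added as an example and not code from Squid or from anyone in this thread. The bundles it runs on are constructed with placeholder bodies (no real key material); the rules it applies are this example's: the first CERTIFICATE block is the one loaded as the signing certificate, exactly one private key is expected (or key= on https_port), and a key carrying Proc-Type: 4,ENCRYPTED (or an ENCRYPTED PRIVATE KEY block) cannot be read without a passphrase. Squid does have an sslpassword_program directive for that case, and the "sh: (null): not found" line in the error above is consistent with that program being unset; the simpler fix is an unencrypted key protected by file permissions. Two caveats: the inspector only reports that intermediates are present after the key, not whether Squid 3.3 puts them in the handshake, and a certificate a public CA issues to an end entity is not a CA certificate, so clients check basicConstraints and reject leaf certificates signed with it whatever chain is sent.

```python
import re
from typing import Dict, List

# Added example, not Squid's own code: inspect a cert= bundle the way a
# practitioner would before pointing https_port at it.

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

_FAKE_BODY = "MIIBfakeBase64BodyNotRealKeyMaterial==\n"   # constructed placeholder


def _pem(label: str, headers: str = "", body: str = _FAKE_BODY) -> str:
    """Build one PEM block; headers (if any) go between the BEGIN line and the body."""
    return "-----BEGIN %s-----\n%s%s-----END %s-----\n" % (label, headers, body, label)


# Constructed sample bundles in the layout posted in this thread:
# signing cert, its private key, CA1 (intermediate), Root CA.
PLAIN_BUNDLE = "".join([
    _pem("CERTIFICATE"),
    _pem("RSA PRIVATE KEY"),
    _pem("CERTIFICATE"),
    _pem("CERTIFICATE"),
])
# Same layout, but the key carries the traditional-format encryption headers
# that openssl writes when a passphrase was given.
ENCRYPTED_BUNDLE = "".join([
    _pem("CERTIFICATE"),
    _pem("RSA PRIVATE KEY",
         headers="Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"),
    _pem("CERTIFICATE"),
    _pem("CERTIFICATE"),
])


def pem_blocks(text: str) -> List[Dict[str, object]]:
    """Return the PEM blocks of a bundle in file order with their label and header lines."""
    blocks: List[Dict[str, object]] = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        headers = [ln for ln in body.splitlines() if ":" in ln]  # base64 never contains ':'
        blocks.append({"label": label, "headers": headers})
    return blocks


def key_is_encrypted(block: Dict[str, object]) -> bool:
    """True for a PKCS#8 ENCRYPTED PRIVATE KEY or a traditional key with Proc-Type: 4,ENCRYPTED."""
    if block["label"] == "ENCRYPTED PRIVATE KEY":
        return True
    return any(str(h).startswith("Proc-Type: 4,ENCRYPTED") for h in block["headers"])


def inspect_bundle(text: str) -> Dict[str, object]:
    """Summarise block order, key state and chain length, plus the problems found."""
    blocks = pem_blocks(text)
    labels = [str(b["label"]) for b in blocks]
    keys = [b for b in blocks if str(b["label"]).endswith("PRIVATE KEY")]
    certs = [b for b in blocks if b["label"] == "CERTIFICATE"]
    problems: List[str] = []
    if not labels or labels[0] != "CERTIFICATE":
        problems.append("first block is not a CERTIFICATE: the first certificate in the file "
                        "is the one loaded as the signing certificate")
    if len(keys) != 1:
        problems.append("expected exactly one private key in the bundle (or pass it with key=)")
    elif key_is_encrypted(keys[0]):
        problems.append("private key is passphrase-protected: strip it "
                        "(openssl rsa -in enc.key -out plain.key) or configure sslpassword_program")
    return {
        "order": labels,
        "signing_cert_first": bool(labels) and labels[0] == "CERTIFICATE",
        "key_count": len(keys),
        "key_encrypted": any(key_is_encrypted(k) for k in keys),
        "chain_length": max(len(certs) - 1, 0),   # certificates after the signing cert
        "problems": problems,
    }


if __name__ == "__main__":
    for name, bundle in (("plain", PLAIN_BUNDLE), ("encrypted", ENCRYPTED_BUNDLE)):
        print(name, inspect_bundle(bundle))
```

Feed it the real cert.chain with open(path).read(); an empty problems list means the file at least has the shape Squid expects, and a non-empty one points at the block that needs fixing before the "No valid signing SSL certificate" error is worth debugging further.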


Re: [squid-users] Need help on SSL bump and certificate chain

2013-04-14 Thread Prasanna Venkateswaran
Hi,
Can someone please help me out here? In a nutshell, I am using a
properly signed certificate (not self-signed) to generate certificates.
The chain is my certificate -> intermediate CA -> root CA. I cannot
make Squid send the entire certificate chain to the clients and this
is breaking many applications in our network.

 I am using Squid 3.3.1. Please help.

Regards,
Prasanna

On 4/11/13, Prasanna Venkateswaran  wrote:
> Hi Guy,
>  We want to be a man-in-the-middle, but we want to get the
> approval from clients/end-users out of band by having them accept the terms and
> conditions. The self-signed certificates are sort of OK with browsers,
> but many other applications like Dropbox sync, AV DAT updates, VPN,
> etc. fail because of the untrusted certificate. On top of that we have
> some headless devices in our network as well. Since we have
> this information in our terms and conditions anyway, we would like to move to
> a trusted chain so that all the applications work as expected.
>
> Gentlemen,
>   I see some users have already asked for help/reported a bug about the
> same thing, e.g.
> http://www.squid-cache.org/mail-archive/squid-users/201112/0197.html
>
>   I also see that changes have been made in Squid to support this
> behavior as well:
> http://www.squid-cache.org/mail-archive/squid-dev/201110/0207.html
>
>  I followed the steps from this thread for configuration and I
> still don't see the chain information sent to the clients:
> http://www.squid-cache.org/mail-archive/squid-users/201109/0037.html
>
>   So has the behavior of Squid changed recently? Or am I
> missing something in my configuration? How do I make Squid send the
> entire certificate chain to clients? Please help.
>
> Regards,
> Prasanna
>