On 29/03/21 6:16 am, Eliezer Croitoru wrote:
Hey Robert,
I am not sure I understood what is the meaning of the description:
openbsd: Requiring client certificates.
linux: Not requiring any client certificates
@Eliezer:
They are startup messages Squid prints in cache.log when a TLS server
context is initialized.
-----Original Message-----
From: Robert Smith
Sent: Sunday, March 28, 2021 7:27 PM
Dear Squid-Dev list:
I could use some help on this one:
I have a build environment that is identical on linux, openbsd, and macosx
In this scenario, I am developing under:
Ubuntu 18.04 - All patches and updates applied as of 3/24
OpenBSD 6.8 - All patches and updates applied as of 3/24
I will note that I am really only using the libc from each system whereas every
other component dependencies (which are not many! Good job squid team!) are a
part of my build system.
When building squid with the exact same tool chain and library stack, with the
same configure options, I am seeing a difference in behavior on the two
platforms:
The difference is that after parsing the configuration file, the two systems
differ in whether or not they will require client certificates:
openbsd: Requiring client certificates.
linux: Not requiring any client certificates
What the message means depends on whether the http(s)_port, a
cache_peer, or the outgoing https:// context is being initialized.
Options that directive was supposed to be using (including the default
security).
Looking at your logs I see:
On OpenBSD Squid detects the presence of an IPv6 split-stack for
networking. Which means Squid has to clone the internal representation
of all your squid.conf *_port settings and setup separate contexts and
state for IPv4 versions of them.
There seems to be a bug in that cloning process which is turning on
the TLS client certificates feature. Please report this to our bugzilla
so it does not get forgotten until fixed.
On Linux Squid is detecting IPv6 disabled in the kernel networking
setup. So it is disabling its own IPv6 support. That said Linux has a
hybrid-stack networking so the cloning would not happen anyway. If IPv6
were enabled here it would be somewhat more obvious that the IPv4 ports
on OpenBSD are the odd ones.
For a workaround you may be able to set sslflags=DELAYED_AUTH on the
http*_port lines and leave your ACLs as they are without anything
requiring a client certificate.
# openbsd
root@openbsd:~# /root/squid.init conftest
2021/03/28 10:47:31| Processing: http_port 3128 ssl-bump
cert=/opt/osec/etc/ssl_cert/squid-ca-cert+key.pem generate-host-certificates=on
dynamic_cert_mem_cache_size=16MB
2021/03/28 10:47:31| Processing: https_port 3129 intercept ssl-bump
cert=/opt/osec/etc/ssl_cert/squid-ca-cert+key.pem generate-host-certificates=on
dynamic_cert_mem_cache_size=16MB
2021/03/28 10:47:31| Processing: tls_outgoing_options
cafile=/opt/osec/etc/pki/tls/certs/ca-bundle.crt
2021/03/28 10:47:31| Initializing https:// proxy context
2021/03/28 10:47:31| Requiring client certificates.
2021/03/28 10:47:31| Initializing http_port [::]:3128 TLS contexts
2021/03/28 10:47:31| Using certificate in
/opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
2021/03/28 10:47:31| Using certificate chain in
/opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
2021/03/28 10:47:31| Adding issuer CA: /C=US/ST=Kansas/L=Overland
Park/O=Company, Inc./OU=Area
77/CN=local.corp.dom/emailAddress=sslad...@company.com
2021/03/28 10:47:31| Using key in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
2021/03/28 10:47:31| Not requiring any client certificates
2021/03/28 10:47:31| Initializing http_port 0.0.0.0:3128 TLS contexts
2021/03/28 10:47:31| Using certificate in
/opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
2021/03/28 10:47:31| Using certificate chain in
/opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
2021/03/28 10:47:31| Adding issuer CA: /C=US/ST=Kansas/L=Overland
Park/O=Company, Inc./OU=Area
77/CN=local.corp.dom/emailAddress=sslad...@company.com
2021/03/28 10:47:31| Using key in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
2021/03/28 10:47:31| Requiring client certificates.
2021/03/28 10:47:31| Initializing https_port [::]:3129 TLS contexts
2021/03/28 10:47:31| Using certificate in
/opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
2021/03/28 10:47:31| Using certificate chain in
/opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
2021/03/28 10:47:31| Adding issuer CA: /C=US/ST=Kansas/L=Overland
Park/O=Company, Inc./OU=Area
77/CN=local.corp.dom/emailAddress=sslad...@company.com
2021/03/28 10:47:31| Using key in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
2021/03/28 10:47:31| Not requiring any client certificates
2021/03/28 10:47:31| Initializing https_port 0.0.0.0:3129 TLS contexts
2021/03/28 10:47:31| Using certificate in
/opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
2021/03/28 10:47:31| Using certificate chain in
/opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
2021/03/28 10:47:31| Adding issuer CA: /C=US/ST=Kansas/L=Overland
Park/O=Company, Inc./OU=Area
77/CN=local.corp.dom/emailAddress=sslad...@company.com
2021/03/28 10:47:31| Using key in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
2021/03/28 10:47:31| Requiring client certificates.
# linux
root@linux:~# /root/squid.init conftest
2021/03/28 10:48:21| WARNING: BCP 177 violation. Detected non-functional IPv6
loopback.
2021/03/28 10:48:21| aclIpParseIpData: IPv6 has not been enabled.
2021/03/28 10:48:21| aclIpParseIpData: IPv6 has not been enabled.
2021/03/28 10:48:21| Initializing https:// proxy context
2021/03/28 10:48:21| Requiring client certificates.
2021/03/28 10:48:21| Initializing http_port 0.0.0.0:3128 TLS contexts
2021/03/28 10:48:21| Using certificate in
/opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
2021/03/28 10:48:21| Using certificate chain in
/opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
2021/03/28 10:48:21| Adding issuer CA: /C=US/ST=Kansas/L=Overland
Park/O=Company, Inc./OU=Area
77/CN=local.corp.dom/emailAddress=sslad...@company.com
2021/03/28 10:48:21| Using key in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
2021/03/28 10:48:21| Not requiring any client certificates
2021/03/28 10:48:21| Initializing https_port 0.0.0.0:3129 TLS contexts
2021/03/28 10:48:21| Using certificate in
/opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
2021/03/28 10:48:21| Using certificate chain in
/opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
2021/03/28 10:48:21| Adding issuer CA: /C=US/ST=Kansas/L=Overland
Park/O=Company, Inc./OU=Area
77/CN=local.corp.dom/emailAddress=sslad...@company.com
2021/03/28 10:48:21| Using key in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
2021/03/28 10:48:21| Not requiring any client certificates
Amos
_______________________________________________
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev