I apologize for the ultra-long delay on this. I did just test this tonight and 
it worked properly under OpenBSD.

What would be the process for submitting a bug report?

-Robert


> On Mar 29, 2021, at 4:33 AM, Amos Jeffries <squ...@treenet.co.nz> wrote:
> 
> On 29/03/21 6:16 am, Eliezer Croitoru wrote:
>> Hey Robert,
>> I am not sure I understood what is the meaning of the description:
>> openbsd: Requiring client certificates.
>> linux: Not requiring any client certificates
> 
> @Eliezer:
>  They are startup messages Squid prints in cache.log when a TLS server 
> context is initialized.
> 
> 
> 
>> -----Original Message-----
>> From: Robert Smith
>> Sent: Sunday, March 28, 2021 7:27 PM
>> Dear Squid-Dev list:
>> I could use some help on this one:
>> I have a build environment that is identical on linux, openbsd, and macosx
>> In this scenario, I am developing under:
>> Ubuntu 18.04 - All patches and updates applied as of 3/24
>> OpenBSD 6.8 - All patches and updates applied as of 3/24
>> I will note that I am really only using the libc from each system, whereas 
>> all the other component dependencies (which are not many! Good job squid 
>> team!) are part of my build system.
>> When building squid with the exact same tool chain and library stack, with 
>> the same configure options, I am seeing a difference in behavior on the two 
>> platforms:
>> The difference is that after parsing the configuration file, the two systems 
>> differ in whether or not they will require client certificates:
>> openbsd: Requiring client certificates.
>> linux: Not requiring any client certificates
>> 
> 
> What the message means depends on whether the http(s)_port, a cache_peer, or 
> the outgoing https:// context is being initialized, and on the options that 
> directive was supposed to be using (including the default security).
> 
> Looking at your logs I see:
> 
> 
> On OpenBSD Squid detects the presence of an IPv6 split-stack for networking, 
> which means Squid has to clone the internal representation of all your 
> squid.conf *_port settings and set up separate contexts and state for IPv4 
> versions of them.
> There seems to be a bug in that cloning process which is turning on the TLS 
> client certificates feature. Please report this to our bugzilla so it does 
> not get forgotten until fixed.
> 
> 
> On Linux Squid is detecting IPv6 disabled in the kernel networking setup, so 
> it is disabling its own IPv6 support. That said, Linux has a hybrid-stack 
> networking so the cloning would not happen anyway. If IPv6 were enabled here 
> it would be somewhat more obvious that the IPv4 ports on OpenBSD are the odd 
> ones.
> 
> 
> For a workaround you may be able to set sslflags=DELAYED_AUTH on the 
> http*_port lines and leave your ACLs as they are without anything requiring a 
> client certificate.
> 
> 
> 
>> # openbsd
>> root@openbsd:~# /root/squid.init conftest
> 
>> 2021/03/28 10:47:31| Processing: http_port 3128 ssl-bump 
>> cert=/opt/osec/etc/ssl_cert/squid-ca-cert+key.pem 
>> generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
>> 2021/03/28 10:47:31| Processing: https_port 3129 intercept ssl-bump 
>> cert=/opt/osec/etc/ssl_cert/squid-ca-cert+key.pem 
>> generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
> 
>> 2021/03/28 10:47:31| Processing: tls_outgoing_options 
>> cafile=/opt/osec/etc/pki/tls/certs/ca-bundle.crt
> 
> 
>> 2021/03/28 10:47:31| Initializing https:// proxy context
>> 2021/03/28 10:47:31| Requiring client certificates.
> 
> 
>> 2021/03/28 10:47:31| Initializing http_port [::]:3128 TLS contexts
>> 2021/03/28 10:47:31| Using certificate in 
>> /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
>> 2021/03/28 10:47:31| Using certificate chain in 
>> /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
>> 2021/03/28 10:47:31| Adding issuer CA: /C=US/ST=Kansas/L=Overland 
>> Park/O=Company, Inc./OU=Area 
>> 77/CN=local.corp.dom/emailAddress=sslad...@company.com
>> 2021/03/28 10:47:31| Using key in 
>> /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
>> 2021/03/28 10:47:31| Not requiring any client certificates
> 
> 
>> 2021/03/28 10:47:31| Initializing http_port 0.0.0.0:3128 TLS contexts
>> 2021/03/28 10:47:31| Using certificate in 
>> /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
>> 2021/03/28 10:47:31| Using certificate chain in 
>> /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
>> 2021/03/28 10:47:31| Adding issuer CA: /C=US/ST=Kansas/L=Overland 
>> Park/O=Company, Inc./OU=Area 
>> 77/CN=local.corp.dom/emailAddress=sslad...@company.com
>> 2021/03/28 10:47:31| Using key in 
>> /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
>> 2021/03/28 10:47:31| Requiring client certificates.
> 
> 
>> 2021/03/28 10:47:31| Initializing https_port [::]:3129 TLS contexts
>> 2021/03/28 10:47:31| Using certificate in 
>> /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
>> 2021/03/28 10:47:31| Using certificate chain in 
>> /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
>> 2021/03/28 10:47:31| Adding issuer CA: /C=US/ST=Kansas/L=Overland 
>> Park/O=Company, Inc./OU=Area 
>> 77/CN=local.corp.dom/emailAddress=sslad...@company.com
>> 2021/03/28 10:47:31| Using key in 
>> /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
>> 2021/03/28 10:47:31| Not requiring any client certificates
> 
> 
>> 2021/03/28 10:47:31| Initializing https_port 0.0.0.0:3129 TLS contexts
>> 2021/03/28 10:47:31| Using certificate in 
>> /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
>> 2021/03/28 10:47:31| Using certificate chain in 
>> /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
>> 2021/03/28 10:47:31| Adding issuer CA: /C=US/ST=Kansas/L=Overland 
>> Park/O=Company, Inc./OU=Area 
>> 77/CN=local.corp.dom/emailAddress=sslad...@company.com
>> 2021/03/28 10:47:31| Using key in 
>> /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
>> 2021/03/28 10:47:31| Requiring client certificates.
>> # linux
>> root@linux:~# /root/squid.init conftest
> 
>> 2021/03/28 10:48:21| WARNING: BCP 177 violation. Detected non-functional 
>> IPv6 loopback.
>> 2021/03/28 10:48:21| aclIpParseIpData: IPv6 has not been enabled.
>> 2021/03/28 10:48:21| aclIpParseIpData: IPv6 has not been enabled.
>> 2021/03/28 10:48:21| Initializing https:// proxy context
>> 2021/03/28 10:48:21| Requiring client certificates.
> 
>> 2021/03/28 10:48:21| Initializing http_port 0.0.0.0:3128 TLS contexts
>> 2021/03/28 10:48:21| Using certificate in 
>> /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
>> 2021/03/28 10:48:21| Using certificate chain in 
>> /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
>> 2021/03/28 10:48:21| Adding issuer CA: /C=US/ST=Kansas/L=Overland 
>> Park/O=Company, Inc./OU=Area 
>> 77/CN=local.corp.dom/emailAddress=sslad...@company.com
>> 2021/03/28 10:48:21| Using key in 
>> /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
>> 2021/03/28 10:48:21| Not requiring any client certificates
> 
>> 2021/03/28 10:48:21| Initializing https_port 0.0.0.0:3129 TLS contexts
>> 2021/03/28 10:48:21| Using certificate in 
>> /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
>> 2021/03/28 10:48:21| Using certificate chain in 
>> /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
>> 2021/03/28 10:48:21| Adding issuer CA: /C=US/ST=Kansas/L=Overland 
>> Park/O=Company, Inc./OU=Area 
>> 77/CN=local.corp.dom/emailAddress=sslad...@company.com
>> 2021/03/28 10:48:21| Using key in 
>> /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
>> 2021/03/28 10:48:21| Not requiring any client certificates
> 
> 
> 
> Amos
> 
> _______________________________________________
> squid-dev mailing list
> squid-dev@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-dev
> 
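An added check, not part of the thread or of Squid itself, that parses the kind of conftest output quoted above and flags any *_port whose IPv4 and IPv6 listener contexts disagree on the client-certificate setting (the symptom Amos attributes to the split-stack cloning). The sample log text is a constructed abbreviation of the quoted output, keeping only the context headers and the client-certificate lines.

```python
import re
from collections import defaultdict

# Constructed sample, abbreviated from the OpenBSD conftest output in the thread.
OPENBSD_LOG = """\
2021/03/28 10:47:31| Initializing https:// proxy context
2021/03/28 10:47:31| Requiring client certificates.
2021/03/28 10:47:31| Initializing http_port [::]:3128 TLS contexts
2021/03/28 10:47:31| Not requiring any client certificates
2021/03/28 10:47:31| Initializing http_port 0.0.0.0:3128 TLS contexts
2021/03/28 10:47:31| Requiring client certificates.
2021/03/28 10:47:31| Initializing https_port [::]:3129 TLS contexts
2021/03/28 10:47:31| Not requiring any client certificates
2021/03/28 10:47:31| Initializing https_port 0.0.0.0:3129 TLS contexts
2021/03/28 10:47:31| Requiring client certificates.
"""

# Constructed Linux counterpart: IPv6 disabled, so no cloned [::] contexts appear.
LINUX_LOG = """\
2021/03/28 10:48:21| Initializing http_port 0.0.0.0:3128 TLS contexts
2021/03/28 10:48:21| Not requiring any client certificates
2021/03/28 10:48:21| Initializing https_port 0.0.0.0:3129 TLS contexts
2021/03/28 10:48:21| Not requiring any client certificates
"""

CONTEXT_RE = re.compile(r"\| Initializing (https?_port) (\S+):(\d+) TLS contexts$")

def parse_contexts(log_text):
    """Map (directive, port) -> {listen_address: requires_client_cert}."""
    contexts = defaultdict(dict)
    current = None  # (directive, port, address) of the context being logged
    for line in log_text.splitlines():
        m = CONTEXT_RE.search(line)
        if m:
            directive, addr, port = m.groups()
            current = (directive, int(port), addr)
        elif "| Initializing" in line:
            current = None  # e.g. the https:// proxy context; not a listener
        elif current is None:
            continue
        elif line.endswith("| Requiring client certificates."):
            contexts[current[:2]][current[2]] = True
        elif line.endswith("| Not requiring any client certificates"):
            contexts[current[:2]][current[2]] = False
    return dict(contexts)

def find_mismatches(log_text):
    """Ports whose IPv4 and IPv6 listener contexts disagree on client certs."""
    contexts = parse_contexts(log_text)
    return sorted(k for k, by_addr in contexts.items() if len(set(by_addr.values())) > 1)
```

Run it against your own `squid -k parse` or conftest output; an empty result means every port's contexts agree, as on the Linux host.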
