Hi, in my squid setup the sslcrtvalidator_program doesn’t send the data´s that I expect to the helper :-) . The helper receive the data´s as described in the wiki , expect the "form" of the domain, here I would expect a FQDN or domain like google.de or ca.google.de but the helper receive a IP.
I create the helper (in my case main.sh) that send all Data´s from stdin to a file ( I wanted to see what the "live" helper would receive). Below you could see my squid build options and squid.conf ( @ Amos I didn’t implement your tips regarding the acl yet) On the same machine where squid runs , run an dns server , so I tried with dig to resolve google.de and it resolved without issues. Also I tried to let squid use another dnsserver without success. If I should attach the cache.log please say with which debug_options. <main.sh> #!/bin/sh cat >> /tmpfs/debug.log </main.sh> < debug.log> 0 cert_validate 5564 host=173.194.116.184 proto_version=TLSv1.2 cipher=ECDHE-RSA-CHACHA20-POLY1305 cert_0=-----BEGIN CERTIFICATE----- snipped -----END CERTIFICATE----- cert_1=-----BEGIN CERTIFICATE----- snipped -----END CERTIFICATE----- cert_2=-----BEGIN CERTIFICATE----- snipped -----END CERTIFICATE----- cert_3=-----BEGIN CERTIFICATE----- snipped -----END CERTIFICATE----- </debug.log> <squid options> configure options: '--with-default-user=squid' '--bindir=/usr/pbi/squid-amd64/sbin' '--sbindir=/usr/pbi/squid-amd64/sbin' '--datadir=/usr/pbi/squid-amd64/etc/squid' '--libexecdir=/usr/pbi/squid-amd64/libexec/squid' '--localstatedir=/var' '--sysconfdir=/usr/pbi/squid-amd64/etc/squid' '--with-logdir=/var/squid/logs' '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache' '--without-gnutls' '--enable-auth' '--enable-build-info' '--enable-loadable-modules' '--enable-removal-policies=lru heap' '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' '--disable-arch-native' '--enable-eui' '--enable-cache-digests' '--enable-delay-pools' '--enable-ecap' '--enable-esi' '--enable-follow-x-forwarded-for' '--enable-htcp' '--enable-icap-client' '--enable-icmp' '--disable-ident-lookups' '--enable-ipv6' '--disable-kqueue' '--with-large-files' '--enable-http-violations' '--without-nettle' '--enable-snmp' '--enable-ssl' '--enable-ssl-crtd' '--disable-stacktraces' '--disable-ipf-transparent' '--disable-ipfw-transparent' '--enable-pf-transparent' '--with-nat-devpf' '--disable-forw-via-db' '--enable-wccp' '--enable-wccpv2' '--with-mit-krb5=/usr/local' 'CFLAGS=-I/usr/local/include -pipe -I/usr/local/include -I/usr/local/include -I/usr/local/include -I/usr/local/include -I/usr/local/include/libxml2 -I/usr/local/include -g -fstack-protector -DLDAP_DEPRECATED -fno-strict-aliasing' 'LDFLAGS=-L/usr/local/lib -Wl,-rpath,/usr/local/lib:/usr/local/lib -L/usr/local/lib -L/usr/local/lib -L/usr/local/lib -L/usr/local/lib -pthread -L/usr/local/lib -fstack-protector' 'LIBS=-lkrb5 -lgssapi_krb5 ' 'KRB5CONFIG=/usr/local/bin/krb5-config' '--enable-auth-basic=DB SMB_LM MSNT-multi-domain NCSA PAM POP3 RADIUS fake getpwnam LDAP SASL SMB NIS' '--enable-auth-digest=file' '--enable-external-acl-helpers=file_userip time_quota unix_group LDAP_group wbinfo_group SQL_session kerberos_ldap_group' '--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=ufs aufs diskd rock' '--enable-disk-io=AIO Blocking IpcIo Mmapped DiskThreads DiskDaemon' '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-storeid-rewrite-helpers=file' '--with-openssl=/usr/local' '--disable-optimizations' '--enable-debug-cbdata' '--prefix=/usr/pbi/squid-amd64' '--mandir=/usr/pbi/squid-amd64/man' '--infodir=/usr/pbi/squid-amd64/info/' '--build=amd64-portbld-freebsd10.1' 'build_alias=amd64-portbld-freebsd10.1' 'CC=cc' 'CPPFLAGS=-I/usr/local/include' 'CXX=c++' 'CXXFLAGS=-pipe -I/usr/local/include -I/usr/local/include -I/usr/local/include -I/usr/local/include -I/usr/local/include/libxml2 -I/usr/local/include -g -fstack-protector -DLDAP_DEPRECATED -fno-strict-aliasing ' 'CPP=cpp' 'PKG_CONFIG=pkgconf' </squid options> <squid.conf> # This file is automatically generated by pfSense # Do not edit manually ! http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/local/share/certs/ http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/local/share/certs/ https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/local/share/certs/ icp_port 0 pid_filename /var/run/squid/squid.pid cache_effective_user proxy cache_effective_group proxy error_default_language de-de icon_directory /usr/pbi/squid-amd64/local/etc/squid/icons visible_hostname pfsense.onesty-tech.loc cache_mgr ad...@pfsense-onesty.loc access_log /var/squid/logs/access.log cache_log /var/squid/logs/cache.log netdb_filename /var/squid/logs/netdb.state pinger_enable on sslcrtd_program /usr/pbi/squid-amd64/local/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048 sslcrtd_children 5 sslproxy_capath /usr/pbi/squid-amd64/local/share/certs/ logfile_rotate 7 debug_options rotate=7 shutdown_lifetime 3 seconds # Allow local network(s) on interface(s) acl localnet src 192.168.1.0/24 uri_whitespace strip # Setup some default acls # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in. # acl localhost src 127.0.0.1/32 acl allsrc src all acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3127 1025-65535 acl sslports port 443 563 # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in. #acl manager proto cache_object acl purge method PURGE acl connect method CONNECT # Define protocols used for redirects acl HTTP proto HTTP acl HTTPS proto HTTPS acl allowed_subnets src 192.168.1.0/24 http_access allow manager localhost http_access deny manager http_access allow purge localhost http_access deny purge http_access deny !safeports http_access deny CONNECT !sslports # Always allow localhost connections # From 3.2 further configuration cleanups have been done to make things easier and safer. # The manager, localhost, and to_localhost ACL definitions are now built-in. # http_access allow localhost # Package Integration url_rewrite_program /usr/pbi/squidguard-amd64/bin/squidGuard -c /usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard.conf url_rewrite_bypass off url_rewrite_children 16 startup=8 idle=4 concurrency=0 # Custom options before auth acl step1 at_step SslBump1 acl step2 at_step SslBump2 acl step3 at_step SslBump3 ssl_bump peek step1 ssl_bump bump all sslcrtvalidator_program cache=8192 ttl=240 /tmpfs/main.sh #sslcrtvalidator_children 12 startup=5 idle=1 concurrency=1 # Setup allowed acls # Allow local network(s) on interface(s) http_access allow allowed_subnets http_access allow localnet # Default block all to be sure http_access deny allsrc icap_enable on icap_send_client_ip on icap_send_client_username on icap_client_username_encode off icap_client_username_header X-Authenticated-User icap_preview_enable on icap_preview_size 1024 icap_service service_avi_req reqmod_precache icap://[::1]:1344/squid_clamav bypass=off adaptation_access service_avi_req allow all icap_service service_avi_resp respmod_precache icap://[::1]:1344/squid_clamav bypass=on adaptation_access service_avi_resp allow all </squid.conf> Mit freundlichen Grüßen / Best Regards Sebastian Kirschner _______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
