On 2021-05-10 22:26, Stephane Simon wrote:
Hello,

I try to configure HTTPS with SSL bump.
I use Red Hat 8.

I follow https://blog.microlinux.fr/squid-https-centos-7/
When I restart Squid, it doesn't cooperate and says:

"FATAL: The usr/lib64/squid/security_file_certgen -s
/var/lib/squid/ssl_db -M 64MB helpers are crashing too rapidly, need
help!"

I don't know how to fix this error... I don't know why I have this error ^^

Does someone have an idea, please?

The helper that is crashing is required by Squid to generate certificates for bumping.
Without it working perfectly, Squid cannot handle any HTTPS traffic.



http_port 3130
http_port 3128 intercept
https_port 3129 intercept ssl-bump \
  cert=/etc/squid/ssl_cert/certificat.pem \
  generate-host-certificates=on \
  dynamic_cert_mem_cache_size=64MB

#SSL certificate generation
sslcrtd_program usr/lib64/squid/security_file_certgen -s

The path should begin with '/usr/', not just 'usr/'.

/var/lib/squid/ssl_db -M 64MB

Check that this /var path actually exists, and that the low-privilege account the proxy uses has both read and write access to it.

Run the helper command to initialize the database before starting Squid. Do so using the low-privilege account Squid uses to ensure the database files have correct ownership.



sslcrtd_children 32 startup=5 idle=1

# SSL-Bump
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all


Please be aware that this configuration is trying to forge server certificates without having any details about the real server certificate. When you are past the helper problem it is likely that this basic configuration will cause a number of TLS problems.

For bumping as much as possible this is a better config:

 acl step1 at_step SslBump1
 ssl_bump peek step1
 ssl_bump stare all
 ssl_bump bump all


Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
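
The checks from the reply above (absolute helper path, existing database directory, read/write access for the proxy account, initializing the database before starting Squid), as an added shell example that is not part of the original thread. The account name `squid`, the script name and the config path shown in the comments are assumptions; `-c` is the helper's option to initialize the database and exit.

```sh
#!/bin/sh
# Added example (not from the original thread): pre-flight check for the
# sslcrtd_program directive. Run it as the proxy's low-privilege account so
# the access tests apply to that account. Assumed names: account "squid",
# file name check_certgen.sh, config path /etc/squid/squid.conf:
#   sudo -u squid sh check_certgen.sh /etc/squid/squid.conf

# Print "HELPER DBDIR MEMSIZE" for the first sslcrtd_program directive,
# joining backslash-continued lines first; "-" marks a missing value.
sslcrtd_fields() {
    sed -e ':a' -e '/\\$/N; s/\\\n/ /; ta' "$1" |
    awk '$1 == "sslcrtd_program" {
        helper = (NF >= 2) ? $2 : "-"; db = "-"; mem = "-"
        for (i = 3; i < NF; i++) {
            if ($i == "-s") db = $(i + 1)
            if ($i == "-M") mem = $(i + 1)
        }
        print helper, db, mem
        exit
    }'
}

# Print one line per problem found; return 0 only when none were found.
check_certgen() {
    fields=$(sslcrtd_fields "$1")
    [ -n "$fields" ] || { echo "no sslcrtd_program directive in $1"; return 1; }
    set -- $fields
    helper=$1 db=$2 mem=$3 rc=0
    init="$helper -c -s $db"            # -c initializes the database and exits
    [ "$mem" = "-" ] || init="$init -M $mem"
    case $helper in
        /*) [ -x "$helper" ] || { echo "helper is not executable: $helper"; rc=1; } ;;
        *)  echo "helper path is not absolute: $helper"; rc=1 ;;
    esac
    if [ "$db" = "-" ]; then
        echo "sslcrtd_program has no -s <database directory>"; rc=1
    elif [ ! -d "$db" ]; then
        echo "database directory missing; as the proxy account run: $init"; rc=1
    elif [ ! -r "$db" ] || [ ! -w "$db" ]; then
        echo "this account cannot read and write $db"; rc=1
    fi
    return $rc
}

if [ -n "${1:-}" ]; then check_certgen "$1"; fi
```

Run against the configuration quoted in this thread, it reports the relative `usr/lib64/...` helper path first; once that is corrected it prints the initialization command if the database directory does not exist yet.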
