I have an automated cron job to refresh the Mozilla CA bundle on a monthly basis. Intermediate CAs, however, require non-scheduled maintenance. I maintain them on demand.
18.04.2017 20:17, Olly Lennox writes:
> Thanks Yuri! The Mozilla Bundle has worked!! Most of the major sites
> seem to be working which is all we need. How often do these
> certificates refresh? Would they need updating every month or so?
>
> oli...@lennox-it.uk
> lennox-it.uk
> tel: 07900 648 252
>
> ------------------------------------------------------------------------
> *From:* Yuri Voinov <yvoi...@gmail.com>
> *To:* Olly Lennox <oli...@lennox-it.uk>; "squid-users@lists.squid-cache.org" <squid-users@lists.squid-cache.org>
> *Sent:* Tuesday, 18 April 2017, 14:43
> *Subject:* Re: [squid-users] HTTPS woes
>
> You talked about two different things.
> 1. Root CAs are usually built into clients. For standalone use, the root CA
> bundle (from Mozilla) is usually distributed with openssl distributions. If you
> need it (or your openssl distribution does not contain root CAs), you
> can find the separately distributed Mozilla CA bundle by a short googling:
> https://www.google.com/search?q=Mozilla+CA+bundle
> 2. Intermediate CAs are subordinate to root CAs. There is no governed
> repository for them (because supporting it is work, manual work, and
> should be done by somebody); moreover, they are spread across CA
> authorities. There is no automated tool to support this
> _intermediate_ list. The problem also: intermediate CAs usually have a
> much shorter validity period than roots, and should be supported all
> the time.
> Finally, if you want to use Squid with SSL Bump, you should
> understand PKI infrastructure and yes, you should support the root CAs and
> intermediate CAs on the proxy by yourself all the time. There is no free or
> paid service which does it for you.
>
> 18.04.2017 19:35, Olly Lennox writes:
>> So anyone who wants to use Squid over HTTPS in this way has to build
>> this repository themselves by manually downloading all the CA bundles?
>>
>> ------------------------------------------------------------------------
>> *From:* Yuri <yvoi...@gmail.com>
>> *To:* Olly Lennox <oli...@lennox-it.uk>; "squid-users@lists.squid-cache.org" <squid-users@lists.squid-cache.org>
>> *Sent:* Tuesday, 18 April 2017, 14:03
>> *Subject:* Re: [squid-users] HTTPS woes
>>
>> 18.04.2017 18:56, Olly Lennox writes:
>>> I'm using
>>>
>>> sslproxy_foreign_intermediate_certs
>>>
>>> Is this the same thing?
>> No. You first need the CA roots available to Squid. CA roots and
>> intermediates are different things.
>>>
>>> Also is there anywhere to get a bundle of all the major CA
>>> intermediate certs or do you have to download them all manually?
>> No. You should build it by yourself.
>>
>>> Cheers,
>>>
>>> oli...@lennox-it.uk
>>> lennox-it.uk
>>> tel: 07900 648 252
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Yuri <yvoi...@gmail.com>
>>> *To:* squid-users@lists.squid-cache.org
>>> *Sent:* Tuesday, 18 April 2017, 13:51
>>> *Subject:* Re: [squid-users] HTTPS woes
>>>
>>> Try to specify the root CA bundle/dir explicitly by specifying one of these
>>> params:
>>>
>>> # TAG: sslproxy_cafile
>>> #	file containing CA certificates to use when verifying server
>>> #	certificates while proxying https:// URLs
>>> #Default:
>>> # none
>>>
>>> # TAG: sslproxy_capath
>>> #	directory containing CA certificates to use when verifying
>>> #	server certificates while proxying https:// URLs
>>> #Default:
>>> # none
>>>
>>> 18.04.2017 18:46, Olly Lennox writes:
>>> > Hi All,
>>> >
>>> > Still having problems here. This is my https config now:
>>> >
>>> > ---------------------------------
>>> > https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squid.crt key=/etc/squid3/ssl_cert/squid.key options=NO_SSLv3 dhparams=/etc/squid3/ssl_cert/dhparam.pem
>>> >
>>> > acl step1 at_step SslBump1
>>> > ssl_bump peek step1
>>> > ssl_bump bump all
>>> > sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
>>> > sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>>> >
>>> > sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
>>> > sslcrtd_children 8 startup=1 idle=1
>>> >
>>> > ---------------------------------
>>> >
>>> > I'm running version 3.5.23 with openssl 1.0. I've had to disable
>>> > libecap because I couldn't build 3.5 with ecap enabled. I'm getting
>>> > the following error when trying to connect with SSL:
>>> >
>>> > ---------------------------------
>>> >
>>> > The following error was encountered while trying to retrieve the
>>> > URL: https://www.google.co.uk/*
>>> >
>>> > Failed to establish a secure connection to 216.58.198.67
>>> >
>>> > The system returned:
>>> >
>>> > (71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
>>> > SSL Certficate error: certificate issuer (CA) not known: /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>>> >
>>> > This proxy and the remote host failed to negotiate a mutually
>>> > acceptable security settings for handling your request. It is
>>> > possible that the remote host does not support secure connections,
>>> > or the proxy is not satisfied with the host security credentials.
>>> >
>>> > Your cache administrator is webmaster.
>>> >
>>> > Generated Tue, 18 Apr 2017 12:23:40 GMT by raspberrypi (squid/3.5.23)
>>> > ---------------------------------
>>> >
>>> > The CA is always listed as not known; no matter what site I try I
>>> > always get this error.
>>> >
>>> > Any ideas?
>>> >
>>> > Thanks,
>>> >
>>> > Olly
>>> >
>>> > ________________________________
>>> > From: Olly Lennox <oli...@lennox-it.uk>
>>> > To: Amos Jeffries <squ...@treenet.co.nz>; "squid-users@lists.squid-cache.org" <squid-users@lists.squid-cache.org>
>>> > Sent: Sunday, 16 April 2017, 9:31
>>> > Subject: Re: [squid-users] HTTPS woes
>>> >
>>> > Thanks Amos, it's finally built but I had to disable ecap, for
>>> > whatever reason this kept failing (with version 1.0.1 installed). It
>>> > failed on a reference to the Area function I think but I don't have
>>> > the error message copied. I'm trying now to configure the ssl
>>> > stare/peek and will let you know how it goes.
>>> >
>>> > Olly
>>> >
>>> > oli...@lennox-it.uk
>>> > lennox-it.uk
>>> > tel: 07900 648 252
>>> >
>>> > ________________________________
>>> > From: Amos Jeffries <squ...@treenet.co.nz>
>>> > To: squid-users@lists.squid-cache.org
>>> > Sent: Saturday, 15 April 2017, 23:07
>>> > Subject: Re: [squid-users] HTTPS woes
>>> >
>>> > On 15/04/2017 9:59 a.m., Olly Lennox wrote:
>>> >> Hi Guys.
>>> >> I'm still struggling with this. I'm trying to build a version of
>>> >> 3.5 but I just can't get it to work. I'm currently attempting to
>>> >> rebuild the stretch package with SSL enabled but the build keeps failing
>>> >> with the following:
>>> >>
>>> >> ../../src/ssl/gadgets.h:83:45: error: ‘CRYPTO_LOCK_X509’ was not declared in this scope
>>> >>  typedef LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> X509_Pointer;
>>> >>                                              ^~~~~~~~~~~~~~~~
>>> >> ../../src/ssl/gadgets.h:83:61: error: template argument 3 is invalid
>>> >>  typedef LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> X509_Pointer;
>>> >>                                                              ^
>>> >> ../../src/ssl/gadgets.h:89:53: error: ‘CRYPTO_LOCK_EVP_PKEY’ was not declared in this scope
>>> >>  typedef LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY> EVP_PKEY_Pointer;
>>> >>                                                      ^~~~~~~~~~~~~~~~~~~~
>>> >> ../../src/ssl/gadgets.h:89:73: error: template argument 3 is invalid
>>> >>  typedef LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY> EVP_PKEY_Pointer;
>>> >>                                                                          ^
>>> >> ../../src/ssl/gadgets.h:116:43: error: ‘CRYPTO_LOCK_SSL’ was not declared in this scope
>>> >>  typedef LockingPointer<SSL, SSL_free_cpp, CRYPTO_LOCK_SSL> SSL_Pointer;
>>> >>                                            ^~~~~~~~~~~~~~~
>>> >> ../../src/ssl/gadgets.h:116:58: error: template argument 3 is invalid
>>> >>  typedef LockingPointer<SSL, SSL_free_cpp, CRYPTO_LOCK_SSL> SSL_Pointer;
>>> >>                                                           ^
>>> >>
>>> >> Any ideas?
>>> >
>>> > On Jesse/stable:
>>> >
>>> > apt-get build-dep squid3
>>> > apt-get install libss-dev
>>> >
>>> > On stretch/testing/unstable:
>>> >
>>> > apt-get build-dep squid
>>> > apt-get install libss1.0-dev
>>> >
>>> > That should do it for you.
>>> >
>>> > Amos
>>> >
>>> > _______________________________________________
>>> > squid-users mailing list
>>> > squid-users@lists.squid-cache.org
>>> > http://lists.squid-cache.org/listinfo/squid-users
>>>
>>
>
> --
> Bugs to the Future
>

--
Bugs to the Future
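The root-versus-intermediate distinction drawn in the thread, and the X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY failure shown in Olly's Squid error page, reproduced with the openssl CLI as an added example (not code from the thread or from the Squid project). It assumes openssl is installed; the CA names, the intermediate's extension file, the files roots.pem and intermediates.pem, and the helpers verify_leaf and verify_error are all constructed for this demo.

```sh
#!/bin/sh
# Added example, not code from the thread or from Squid: build a throwaway
# root -> intermediate -> server chain and verify the server certificate the
# way a proxy does, first with roots only, then with the intermediate as well.
# All names and certificates are constructed here; they are not real CAs.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed root CA: the kind of certificate a Mozilla-style bundle holds.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
  -keyout root.key -out root.pem 2>/dev/null

# Intermediate CA signed by the root; CA:TRUE is required for it to be a valid issuer.
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
  -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -days 30 -in inter.csr -CA root.pem -CAkey root.key \
  -CAcreateserial -extfile ca.ext -out inter.pem 2>/dev/null

# Server (leaf) certificate signed by the intermediate only.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -days 30 -in leaf.csr -CA inter.pem -CAkey inter.key \
  -CAcreateserial -out leaf.pem 2>/dev/null

# What the proxy would be configured with: a root bundle (sslproxy_cafile)
# and a separately maintained intermediate list (sslproxy_foreign_intermediate_certs).
cat root.pem > roots.pem
cat inter.pem > intermediates.pem

# verify_leaf ROOTS [INTERMEDIATES]: exit 0 when leaf.pem chains to a trusted root.
verify_leaf() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" leaf.pem >/dev/null 2>&1
  fi
}

# verify_error ROOTS: the OpenSSL reason text when roots alone are used; for a
# missing intermediate this is error 20, "unable to get local issuer certificate",
# i.e. X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY as seen on the Squid error page.
verify_error() {
  openssl verify -CAfile "$1" leaf.pem 2>&1 \
    | grep -o 'unable to get local issuer certificate' | head -n 1 || true
}
```

Refreshing the root bundle on a schedule does not cure this failure: only a current intermediate list (or the intermediate appended to the bundle, as the last check below does) makes the chain verify, which is why the intermediates need their own maintenance.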