Would you mind sharing the script you use?

oli...@lennox-it.uk
lennox-it.uk
tel: 07900 648 252

From: Yuri Voinov <yvoi...@gmail.com>
To: Olly Lennox <oli...@lennox-it.uk>; "squid-users@lists.squid-cache.org" <squid-users@lists.squid-cache.org>
Sent: Tuesday, 18 April 2017, 16:00
Subject: Re: [squid-users] HTTPS woes

I have an automated cron job to refresh the Mozilla CA bundle on a monthly basis. Intermediate CAs, however, require non-scheduled maintenance. I maintain them on demand.

18.04.2017 20:17, Olly Lennox wrote:

Thanks Yuri! The Mozilla Bundle has worked!! Most of the major sites seem to be working, which is all we need. How often do these certificates refresh? Would they need updating every month or so?

oli...@lennox-it.uk
lennox-it.uk
tel: 07900 648 252

From: Yuri Voinov <yvoi...@gmail.com>
To: Olly Lennox <oli...@lennox-it.uk>; "squid-users@lists.squid-cache.org" <squid-users@lists.squid-cache.org>
Sent: Tuesday, 18 April 2017, 14:43
Subject: Re: [squid-users] HTTPS woes

You talked about two different things.

1. Root CAs are usually built into clients. For standalone use, the root CAs (from Mozilla) are usually distributed with openssl distributions. If you need them (or your openssl distribution does not contain root CAs), you can find the separately distributed Mozilla CAs by a short googling: https://www.google.com/search?q=Mozilla+CA+bundle

2. Intermediate CAs are subordinate to root CAs. They do not exist in a governed repository (because supporting it is work, manual work, and should be done by somebody); moreover, they are spread across the CA authorities. There is no automated tool to support this _intermediate_ list. The problem also: intermediate CAs usually have a much shorter validity period than roots, and should be supported all the time. Finally, if you want to use Squid with SSL Bump, you should understand PKI infrastructure and yes, you should support root CAs and intermediate CAs on the proxy by yourself all the time. There is no free or paid service which does it for you.

18.04.2017 19:35, Olly Lennox wrote:

So anyone who wants to use Squid over HTTPS in this way has to build this repository themselves by manually downloading all the CA bundles?

From: Yuri <yvoi...@gmail.com>
To: Olly Lennox <oli...@lennox-it.uk>; "squid-users@lists.squid-cache.org" <squid-users@lists.squid-cache.org>
Sent: Tuesday, 18 April 2017, 14:03
Subject: Re: [squid-users] HTTPS woes

18.04.2017 18:56, Olly Lennox wrote:

> I'm using
> sslproxy_foreign_intermediate_certs
> Is this the same thing?

No. You first need the CA roots available for Squid. CA roots and intermediates are different things.

> Also is there anywhere to get a bundle of all the major CA intermediate certs or do you have to download them all manually?

No. You should build it by yourself.

Cheers,

oli...@lennox-it.uk
lennox-it.uk
tel: 07900 648 252

From: Yuri <yvoi...@gmail.com>
To: squid-users@lists.squid-cache.org
Sent: Tuesday, 18 April 2017, 13:51
Subject: Re: [squid-users] HTTPS woes

Try to specify the root CA bundle/dir explicitly with one of these params:
 
 
 #  TAG: sslproxy_cafile
 #    file containing CA certificates to  use when verifying server
 #    certificates while proxying https:// URLs
 #Default:
 # none
 
 #  TAG: sslproxy_capath
 #    directory containing CA certificates to  use when verifying
 #    server certificates while proxying https:// URLs
 #Default:
 # none
 
 
 
18.04.2017 18:46, Olly Lennox wrote:
 > Hi All,
 >
 > Still having problems here. This is my https  config now:
 >
 >
 > ---------------------------------
 > https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squid.crt key=/etc/squid3/ssl_cert/squid.key options=NO_SSLv3 dhparams=/etc/squid3/ssl_cert/dhparam.pem
 >
 > acl step1 at_step SslBump1
 > ssl_bump peek step1
 > ssl_bump bump all
 > sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
 > sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
 >
 > sslcrtd_program /usr/lib/squid3/ssl_crtd  -s /var/lib/ssl_db -M 4MB
 > sslcrtd_children 8 startup=1 idle=1
 >
 > ---------------------------------
 >
 >
 > I'm running version 3.5.23 with openssl 1.0. I've had to disable libecap
 > because I couldn't build 3.5 with ecap enabled. I'm getting the following
 > error when trying to connect with SSL:
 >
 > ---------------------------------
 >
 > The following error was encountered while  trying to retrieve the URL: 
 > https://www.google.co.uk/*
 >
 > Failed to establish a secure connection to  216.58.198.67
 >
 > The system returned:
 >
 > (71) Protocol error (TLS code:X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
 > SSL Certficate error: certificate issuer  (CA) not known: 
 > /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
 >
 > This proxy and the remote host failed to  negotiate a mutually acceptable  
 > security settings for handling your  request. It is possible that the remote 
 > host does  not support secure connections, or the proxy is not satisfied 
 > with the host security  credentials.
 >
 > Your cache administrator is webmaster.
 >
 > Generated Tue, 18 Apr 2017 12:23:40 GMT by  raspberrypi (squid/3.5.23)
 > ---------------------------------
 >
 > The CA is always listed as not known not  matter what site I try I always 
 > get this error.
 >
 > Any ideas?
 >
 > Thanks,
 >
 > Olly
 >
 > ________________________________
 > From: Olly Lennox <oli...@lennox-it.uk>
 > To: Amos Jeffries <squ...@treenet.co.nz>; 
 > "squid-users@lists.squid-cache.org" <squid-users@lists.squid-cache.org>
 > Sent: Sunday, 16 April 2017, 9:31
 > Subject: Re: [squid-users] HTTPS woes
 >
 >
 >
 > Thanks Amos, it's finally built but I had to disable ecap, for whatever
 > reason this kept failing (with version 1.0.1 installed). It failed on a
 > reference to the Area function I think but I don't have the error message
 > copied. I'm trying now to configure the ssl stare/peek and will let you
 > know how it goes.
 >
 > Olly
 >  
 > oli...@lennox-it.uk
 > lennox-it.uk
 > tel: 07900 648 252
 >
 >
 >
 > ________________________________
 > From: Amos Jeffries <squ...@treenet.co.nz>
 > To: squid-users@lists.squid-cache.org
 > Sent: Saturday, 15 April 2017, 23:07
 > Subject: Re: [squid-users] HTTPS woes
 >
 >
 >
 > On 15/04/2017 9:59 a.m., Olly Lennox wrote:
 >> Hi Guys.
 >> I'm still struggling with this. I'm trying  to build a version of 3.5 but I 
 >> just can't get it to work. I'm currently  attempting to rebuild the stretch 
 >> package  with SSL enabled but build keeps failing with the following:
 >> ../../src/ssl/gadgets.h:83:45: error: ‘CRYPTO_LOCK_X509’ was not declared in this scope
 >>  typedef LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> X509_Pointer;
 >>                                              ^~~~~~~~~~~~~~~~
 >> ../../src/ssl/gadgets.h:83:61: error: template argument 3 is invalid
 >>  typedef LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> X509_Pointer;
 >>                                                              ^
 >> ../../src/ssl/gadgets.h:89:53: error: ‘CRYPTO_LOCK_EVP_PKEY’ was not declared in this scope
 >>  typedef LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY> EVP_PKEY_Pointer;
 >>                                                      ^~~~~~~~~~~~~~~~~~~~
 >> ../../src/ssl/gadgets.h:89:73: error: template argument 3 is invalid
 >>  typedef LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY> EVP_PKEY_Pointer;
 >>                                                                          ^
 >> ../../src/ssl/gadgets.h:116:43: error: ‘CRYPTO_LOCK_SSL’ was not declared in this scope
 >>  typedef LockingPointer<SSL, SSL_free_cpp, CRYPTO_LOCK_SSL> SSL_Pointer;
 >>                                            ^~~~~~~~~~~~~~~
 >> ../../src/ssl/gadgets.h:116:58: error: template argument 3 is invalid
 >>  typedef LockingPointer<SSL, SSL_free_cpp, CRYPTO_LOCK_SSL> SSL_Pointer;
 >>                                                           ^
 >> Any ideas?
 >
 >
 > On Jesse/stable:
 >
 > apt-get build-dep squid3
 > apt-get install libssl-dev
 >
 >
 > On stretch/testing/unstable:
 >
 > apt-get build-dep squid
 > apt-get install libssl1.0-dev
 >
 >
 > That should do it for you.
 >
 > Amos
 >
 >
 > _______________________________________________
 > squid-users mailing list
 > squid-users@lists.squid-cache.org
 > http://lists.squid-cache.org/listinfo/squid-users
 -- 
 Bugs to the Future   
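Olly asks for the refresh script, which does not appear in the thread. The following is an added example, not Yuri's script and not part of the original messages: a POSIX shell script covering the part of CA maintenance that can run offline. It splits a PEM bundle into one file per certificate, lays the files out as the hashed directory that sslproxy_capath (via OpenSSL's hash-dir lookup, `<subject hash>.<n>`) expects, and reports certificates that are expired or expiring within a given number of days, which is the maintenance point Yuri raises about short-lived intermediates. It assumes the openssl command-line tool is installed; the download of the bundle itself (the cron step) is left to the operator, since the source URL and verification policy are site-specific. The two self-signed certificates the demo constructs are test data, not real CA material.

```shell
#!/bin/sh
# Added example, not Yuri's script: prepare a CA directory for Squid's
# sslproxy_capath from a PEM bundle and flag certificates that expire soon.
# Assumes the openssl command-line tool is installed. All paths are placeholders.
set -eu

# split_bundle BUNDLE OUTDIR: write each certificate in BUNDLE to
# OUTDIR/cert-N.pem and print how many were written.
split_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }' "$bundle"
}

# build_capath SPLITDIR CAPATH: copy each certificate into CAPATH under the
# name OpenSSL's hashed-directory lookup expects, <subject hash>.<n>, so the
# directory can be handed to sslproxy_capath. Taking the hash from the
# installed openssl binary keeps the hash flavour consistent with the libssl
# on the same host. Prints the number of entries in CAPATH.
build_capath() {
    splitdir=$1; capath=$2
    mkdir -p "$capath"
    for cert in "$splitdir"/*.pem; do
        h=$(openssl x509 -noout -hash -in "$cert")
        n=0
        while [ -e "$capath/$h.$n" ]; do n=$((n + 1)); done   # subject-hash collision
        cp "$cert" "$capath/$h.$n"
    done
    ls "$capath" | wc -l | tr -d ' '
}

# count_expiring DIR DAYS: print how many certificates in DIR are expired or
# expire within DAYS days; subject and notAfter of each go to stderr.
# Intermediates tend to have short lifetimes, so running this from cron
# catches them before Squid starts failing server verification.
count_expiring() {
    dir=$1; secs=$(( $2 * 86400 )); count=0
    for cert in "$dir"/*.pem; do
        if ! openssl x509 -noout -checkend "$secs" -in "$cert" >/dev/null; then
            count=$((count + 1))
            printf 'expiring: %s; %s\n' \
                "$(openssl x509 -noout -subject -in "$cert")" \
                "$(openssl x509 -noout -enddate -in "$cert")" >&2
        fi
    done
    echo "$count"
}

# make_test_bundle OUT: construct a bundle of two self-signed test certs
# (a long-lived "root" and a 5-day "intermediate") for the demo only.
make_test_bundle() {
    out=$1; work=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj '/CN=Constructed Test Root CA' \
        -keyout "$work/root.key" -out "$work/root.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 5 \
        -subj '/CN=Constructed Test Intermediate CA' \
        -keyout "$work/int.key" -out "$work/int.pem" 2>/dev/null
    cat "$work/root.pem" "$work/int.pem" > "$out"
    rm -rf "$work"
}

# Demo run: sh ca-refresh.sh demo
# With a real bundle, call split_bundle / build_capath / count_expiring on it
# and point sslproxy_capath at the resulting directory.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_test_bundle "$tmp/bundle.pem"
    echo "certificates in bundle: $(split_bundle "$tmp/bundle.pem" "$tmp/split")"
    echo "capath entries:         $(build_capath "$tmp/split" "$tmp/capath")"
    echo "expiring within 30 days: $(count_expiring "$tmp/split" 30)"
    rm -rf "$tmp"
fi
```

Running the demo prints 2 certificates, 2 capath entries and 1 certificate expiring within 30 days (the 5-day one). A non-zero expiring count is the signal that the bundle or the intermediate list needs a manual refresh, which is the "on demand" maintenance Yuri describes.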