Hardly; most probably it is something in the repo's package. However, an upgrade is always recommended, especially with modern functionality. It changes fast enough.

12.09.2017 2:15, Rohit Sodhia wrote:
> Ah. I'm on 3.5.20; not sure how far back that is. Is that the core of
> the problem?
>
> On Mon, Sep 11, 2017 at 4:07 PM, Yuri <yvoi...@gmail.com> wrote:
>
> Seems the latest 4.0.21 is good enough. Most critical SSL-related bugs
> are almost closed or closed.
>
> At least the latest 3.5.27 is released. AFAIK this is the minimum for
> problem-free running.
>
> Repository software sometimes has strange quirks, or is sometimes
> rancid.
>
> 12.09.2017 2:05, Rohit Sodhia wrote:
>
>> I'll try to find it, but I read a few articles/SO questions that
>> suggested there were bugs in 4 relating to SSL bumping? If they
>> were wrong, I'd be glad to go forward. Should I be removing the
>> yum squid package and compile my own? Is 3.5 problematic besides
>> being old?
>>
>> On Mon, Sep 11, 2017 at 4:02 PM, Yuri <yvoi...@gmail.com> wrote:
>>
>> Wait. Squid 3.5.20? So ancient?
>>
>> 12.09.2017 1:58, Rohit Sodhia wrote:
>>> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
>>>
>>> I used the line from the Stack Overflow question I linked
>>> earlier.
>>>
>>> On Mon, Sep 11, 2017 at 3:41 PM, Yuri <yvoi...@gmail.com> wrote:
>>>
>>> Well. Let's check more deeply.
>>>
>>> Show me the parameter sslcrtd_program in your squid.conf
>>>
>>> 12.09.2017 1:23, Rohit Sodhia wrote:
>>>> Unfortunately, no luck yet. Thank you again for your
>>>> help before.
>>>>
>>>> I found that the user squid and group squid existed
>>>> already, so I added
>>>>
>>>> cache_effective_user squid
>>>> cache_effective_group squid
>>>>
>>>> to my config (first two lines), made sure
>>>> /var/lib/ssl_db and its contents were set to
>>>> squid:squid and restarted the service, but I'm still
>>>> getting the same error :(
>>>>
>>>> On Mon, Sep 11, 2017 at 2:42 PM, Rohit Sodhia
>>>> <sodhia.ro...@gmail.com> wrote:
>>>>
>>>> I'll try that immediately, thanks! I appreciate all
>>>> your advice; hopefully I won't have to reach out
>>>> again :p
>>>>
>>>> On Mon, Sep 11, 2017 at 2:39 PM, Yuri <yvoi...@gmail.com> wrote:
>>>>
>>>> I'm not a Linux fanboy, but modern squid never
>>>> runs as root. So, most probably it runs as the
>>>> nobody user.
>>>>
>>>> Ah, yes:
>>>>
>>>> #  TAG: cache_effective_user
>>>> #    If you start Squid as root, it will change its effective/real
>>>> #    UID/GID to the user specified below. The default is to change
>>>> #    to UID of nobody.
>>>> #    see also; cache_effective_group
>>>> #Default:
>>>> # cache_effective_user nobody
>>>>
>>>> #  TAG: cache_effective_group
>>>> #    Squid sets the GID to the effective user's default group ID
>>>> #    (taken from the password file) and supplementary group list
>>>> #    from the groups membership.
>>>> #
>>>> #    If you want Squid to run with a specific GID regardless of
>>>> #    the group memberships of the effective user then set this
>>>> #    to the group (or GID) you want Squid to run as. When set
>>>> #    all other group privileges of the effective user are ignored
>>>> #    and only this GID is effective. If Squid is not started as
>>>> #    root the user starting Squid MUST be member of the specified
>>>> #    group.
>>>> #
>>>> #    This option is not recommended by the Squid Team.
>>>> #    Our preference is for administrators to configure a secure
>>>> #    user account for squid with UID/GID matching system policies.
>>>> #Default:
>>>> # Use system group memberships of the cache_effective_user account
>>>>
>>>> As documented. :)
>>>>
>>>> AFAIK the best solution is to create a non-privileged
>>>> group & user (like squid/squid) and set both
>>>> these parameters explicitly.
>>>>
>>>> Then change the owner recursively on the SSL cache to
>>>> this user.
>>>>
>>>> 12.09.2017 0:36, Rohit Sodhia wrote:
>>>>> Neither of those values are set in my config.
>>>>> Even though I'm not using squid for caching, I
>>>>> need those values? They aren't set in the
>>>>> default configs either.
>>>>>
>>>>> On Mon, Sep 11, 2017 at 2:33 PM, Yuri <yvoi...@gmail.com> wrote:
>>>>>
>>>>> Most probably your squid runs as another
>>>>> user than squid.
>>>>>
>>>>> Check your squid.conf for cache_effective_user and
>>>>> cache_effective_group values.
>>>>>
>>>>> Then change the SSL cache permissions to these
>>>>> values. Should work.
>>>>>
>>>>> 12.09.2017 0:30, Rohit Sodhia wrote:
>>>>>> Thanks for the feedback! I just used yum
>>>>>> (it's a CentOS 7 VB) and it set it up
>>>>>> like that. I changed the owner and group
>>>>>> to squid:squid and tried restarting
>>>>>> squid, but still get the same errors. I
>>>>>> thought to run the command again, but
>>>>>> this time it says
>>>>>>
>>>>>> /usr/lib64/squid/ssl_crtd: Cannot create /var/lib/ssl_db
>>>>>>
>>>>>> If this folder has incorrect permissions
>>>>>> are there possibly other permission issues?
>>>>>>
>>>>>> On Mon, Sep 11, 2017 at 2:25 PM, Yuri <yvoi...@gmail.com> wrote:
>>>>>>
>>>>>> Here is your root of the problem.
>>>>>>
>>>>>> Should be (on my setups):
>>>>>>
>>>>>> # ls -al /var/lib/ssl_db
>>>>>> total 326
>>>>>> drwxr-xr-x 3 squid squid      5 Sep  5 00:53 .
>>>>>> drwxr-xr-x 8 root  other      8 Sep  5 00:53 ..
>>>>>> drwxr-xr-x 2 squid squid    454 Sep 11 23:37 certs
>>>>>> -rw-r--r-- 1 squid squid 280575 Sep 11 23:37 index.txt
>>>>>> -rw-r--r-- 1 squid squid      7 Sep 11 23:37 size
>>>>>>
>>>>>> I.e. Squid has no access to the SSL cache
>>>>>> dir structures.
>>>>>>
>>>>>> 12.09.2017 0:23, Rohit Sodhia wrote:
>>>>>>> total 8
>>>>>>> drwxr-xr-x.  3 root root   48 Sep 11 12:42 .
>>>>>>> drwxr-xr-x. 32 root root 4096 Sep 11 12:42 ..
>>>>>>> drwxr-xr-x.  2 root root    6 Sep 11 12:42 certs
>>>>>>> -rw-r--r--.  1 root root    0 Sep 11 12:42 index.txt
>>>>>>> -rw-r--r--.  1 root root    1 Sep 11 12:42 size
>>>>>>>
>>>>>>> On Mon, Sep 11, 2017 at 2:22 PM, Yuri <yvoi...@gmail.com> wrote:
>>>>>>>
>>>>>>> Show output of
>>>>>>>
>>>>>>> ls -al /var/lib/ssl_db
>>>>>>>
>>>>>>> 12.09.2017 0:21, Rohit Sodhia wrote:
>>>>>>>> Yes, but telling me it's crashing unfortunately doesn't
>>>>>>>> help me figure out why or how to fix it. I've run the command
>>>>>>>> it suggests but it doesn't help. I'm unfortunately not an
>>>>>>>> ops guy familiar with this kind of stuff; I don't see anything
>>>>>>>> on how to figure out what to do about it.
>>>>>>>>
>>>>>>>> On Mon, Sep 11, 2017 at 2:17 PM, Yuri <yvoi...@gmail.com> wrote:
>>>>>>>>
>>>>>>>> It tells you what happens.
>>>>>>>>
>>>>>>>> 11.09.2017 23:50, Rohit Sodhia wrote:
>>>>>>>> > (ssl_crtd): Uninitialized SSL certificate database directory:
>>>>>>>> > /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> squid-users mailing list
>>>>>>>> squid-users@lists.squid-cache.org
>>>>>>>> http://lists.squid-cache.org/listinfo/squid-users
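
The ownership check worked through in the quoted thread, as an added shell example that is not part of the original messages: it reads `cache_effective_user` from a squid.conf (falling back to the documented default `nobody`) and reports anything under the SSL database directory that is owned by a different account. The function names and the `/etc/squid/squid.conf` path in the usage comment are assumptions; `/var/lib/ssl_db` is the path from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): check that the ssl_crtd database is
# owned by the account Squid drops privileges to.

# Print the account named by cache_effective_user in a squid.conf.
# "nobody" is the documented default when the directive is absent.
# Assumption: if the directive appears more than once, the last one is used.
squid_effective_user() {
    user=$(awk '$1 == "cache_effective_user" { u = $2 } END { print u }' "$1")
    echo "${user:-nobody}"
}

# Audit DB directory $2 against the config file $1.
# Returns 0 when every entry is owned by the effective user, 1 otherwise.
audit_ssl_db() {
    conf=$1
    db=$2
    user=$(squid_effective_user "$conf")

    if [ ! -d "$db" ]; then
        echo "missing: $db (initialize with: ssl_crtd -c -s $db)"
        return 1
    fi

    # find fails if the account does not exist; treat that as a finding too.
    if ! bad=$(find "$db" ! -user "$user" -print 2>/dev/null); then
        echo "cannot check ownership for account '$user'"
        return 1
    fi

    if [ -n "$bad" ]; then
        echo "not owned by $user (fix with: chown -R $user $db):"
        echo "$bad"
        return 1
    fi
    echo "ok: $db is owned by $user"
}

# Usage on the host from the thread (config path is an assumption):
#   audit_ssl_db /etc/squid/squid.conf /var/lib/ssl_db
```

Run against the listing Rohit posted, where every entry is `root root`, this reports all five paths; against Yuri's listing with `cache_effective_user squid` it reports `ok`.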