I have Squid in transparent mode and want to SSL-bump all connections that are not whitelisted, but when *generate-host-certificates=on* is given, Squid keeps crashing when I try to bring it up after a service restart.

*/var/log/messages*

Jan 30 07:05:52 ban-squid-proxy22 squid[23323]: Squid Parent: (squid-1) process 23441 started
Jan 30 07:05:52 ban-squid-proxy22 (squid-1): The ssl_crtd helpers are crashing too rapidly, need help!
Jan 30 07:05:52 ban-squid-proxy22 squid[23323]: Squid Parent: (squid-1) process 23441 exited with status 1
Jan 30 07:05:52 ban-squid-proxy22 squid[23397]: Squid Parent: (squid-1) process 23449 started
Jan 30 07:05:52 ban-squid-proxy22 (squid-1): The ssl_crtd helpers are crashing too rapidly, need help!
Jan 30 07:05:52 ban-squid-proxy22 squid[23397]: Squid Parent: (squid-1) process 23449 exited with status 1

*squid.conf details:*

visible_hostname squid
cache deny all
#Handling HTTP requests
http_port 3128 intercept
acl allowed_http_sites dstdomain .amazonaws.com .bbc.com
acl blacklist url_regex -i /.(.*?)
#acl allowed_http_sites dstdomain [you can add other domains to permit]
http_access allow allowed_http_sites
http_access deny blacklist
#Handling HTTPS requests
#https_port 3130 cert=/etc/pki/tls/certs/squidCA.pem ssl-bump intercept
#/root/openssl/squid.crt squid.csr /root/openssl/squid.key
https_port 3130 cert=/root/openssl/squid.crt key=/root/openssl/squid.key ssl-bump intercept generate-host-certificates=on version=1 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
acl SSL_port port 443
http_access allow SSL_port
acl allowed_https_sites ssl::server_name .amazonaws.com .cnn.com .yahoo.com .bbc.com
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
#ssl_bump peek all
ssl_bump splice step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites
ssl_bump bump step2 all
http_access deny all
coredump_dir /var/cache/squid

*Command to generate SSL certificate:*

sudo openssl genrsa -out squid.key 2048
sudo openssl req -new -key squid.key -out squid.csr -subj "/C=XX/ST=XX/L=squid/O=squid/CN=squid"
sudo openssl x509 -req -days 3650 -in squid.csr -signkey squid.key -out squid.crt

*Squid and OS version:*

squid -v
Squid Cache: Version 3.5.28
Service Name: squid
This binary uses OpenSSL 1.0.1e-fips 11 Feb 2013. For legal restrictions on distribution see https://www.openssl.org/source/license.html
configure options: '--prefix=/usr' '--includedir=/usr/include' '--datadir=/usr/share' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--localstatedir=/var' '--sysconfdir=/etc/squid' '--with-logdir=/var/log/squid' '--with-openssl' '--enable-ssl-crtd' --enable-ltdl-convenience
[c5278791@ban-squid-proxy22 ~]$ cat /etc/redhat-release
CentOS release 6.10 (Final)
[c5278791@ban-squid-proxy22 ~]$

Please let me know. Thanks!

-Bandeep
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
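Added diagnostic script for the "ssl_crtd helpers are crashing too rapidly" failure in the message above (not from the poster or from the Squid project): it checks that the certificate database named in sslcrtd_program has been initialised with ssl_crtd -c, that the Squid user can own it, and that the signing certificate carries CA:TRUE. The helper, database and certificate paths are those in the posted squid.conf; the "squid" account name is an assumed CentOS package default.

```shell
#!/bin/sh
# Added example, not from the original post. Paths are those in the poster's
# squid.conf; the "squid" account is an assumed CentOS package default.
SSL_CRTD=${SSL_CRTD:-/usr/lib/squid/ssl_crtd}
SSL_DB=${SSL_DB:-/var/lib/squid/ssl_db}
SQUID_USER=${SQUID_USER:-squid}
CA_CERT=${CA_CERT:-/root/openssl/squid.crt}

# Returns 0 when DIR looks like a database created by "ssl_crtd -c -s DIR":
# ssl_crtd writes index.txt, size and a certs/ subdirectory there.
ssl_db_initialized() {
    [ -d "$1/certs" ] && [ -f "$1/index.txt" ] && [ -f "$1/size" ]
}

# Returns 0 when CERT carries CA:TRUE basic constraints. Squid's
# DynamicSslCert guide creates the signing cert with -extensions v3_ca;
# a plain "openssl x509 -req -signkey" cert has no such extension.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

run_checks() {
    if ssl_db_initialized "$SSL_DB"; then
        echo "ok: $SSL_DB is an initialised ssl_crtd database"
    else
        echo "fix: initialising $SSL_DB (same -M as in sslcrtd_program)"
        "$SSL_CRTD" -c -s "$SSL_DB" -M 4MB || return 1
    fi
    # The helper runs under Squid's effective user; a database it cannot
    # write makes every helper instance exit right after startup.
    chown -R "$SQUID_USER:$SQUID_USER" "$SSL_DB" || return 1
    if cert_is_ca "$CA_CERT"; then
        echo "ok: $CA_CERT is a CA certificate"
    else
        echo "warn: $CA_CERT lacks CA:TRUE; clients will not trust generated certs"
    fi
}

# Run the checks only when executed as ssl_db_check.sh, so the functions
# can also be sourced into another shell.
case ${0##*/} in ssl_db_check.sh) run_checks ;; esac
```

Save as ssl_db_check.sh and run it as root on the proxy before restarting Squid; a freshly initialised or re-owned database is the usual reason the helpers stop dying.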