Hi, this is the certificate that I'm using at the moment: Certificate: > Data: > Version: 3 (0x2) > Serial Number: > a3:49:9a:ee:ac:75:66:da > Signature Algorithm: sha256WithRSAEncryption > Issuer: CN = nobody > Validity > Not Before: Apr 4 11:32:47 2019 GMT > Not After : Apr 3 11:32:47 2020 GMT > Subject: CN = nobody > Subject Public Key Info: > Public Key Algorithm: rsaEncryption > Public-Key: (2048 bit) > Modulus: > 00:d8:fc:85:95:05:42:aa:3c:52:64:a2:02:a2:8d: > c9:86:48:c3:82:b5:1e:4f:8e:c3:7f:fb:6b:9b:2e: > 61:39:10:58:09:09:c9:88:e9:c0:d9:16:b4:e7:36: > 99:25:57:c6:f2:07:79:67:7b:50:20:a8:60:42:fa: > e1:57:80:9e:e3:08:80:a6:fb:67:b5:25:3f:96:b0: > 83:73:35:91:36:cb:d7:7c:06:d6:58:a9:78:36:10: > 73:24:af:53:31:c8:a1:0d:89:05:c1:36:55:22:2a: > 8b:33:06:5b:07:47:9e:ff:dd:34:a4:5e:ce:56:95: > 8c:4f:76:e5:28:f8:9a:49:3d:50:5b:4b:5f:2a:b4: > 9c:0d:f4:1e:09:4f:62:64:a2:ee:46:0f:1a:42:ae: > 63:92:8c:02:9c:c0:dc:25:d1:d1:b0:ee:a5:fc:66: > 20:20:1b:ac:f4:0e:30:ed:2e:27:b9:02:ca:cb:7b: > 32:92:4c:6a:c1:58:59:cd:9b:14:3a:c9:76:bd:e1: > 06:dc:0d:f6:53:23:45:28:4b:07:8c:3f:6d:e8:6a: > f2:01:c5:73:55:76:d2:cf:36:63:6f:6e:86:49:c5: > 20:05:95:db:fb:05:36:17:7d:a5:fb:3f:37:cb:47: > 3e:b4:a0:fd:35:e2:e7:31:c9:60:39:17:e9:7a:82: > 0b:75 > Exponent: 65537 (0x10001) > X509v3 extensions: > X509v3 Basic Constraints: critical > CA:TRUE > X509v3 Subject Key Identifier: > 85:A5:3F:F5:8C:88:EA:38:BF:46:42:72:8B:EE:A1:04:B8:FC:E2:D4 > X509v3 Key Usage: critical > Digital Signature, Non Repudiation, Key Encipherment, Key > Agreement, Certificate Sign, CRL Sign > X509v3 Extended Key Usage: > TLS Web Server Authentication > X509v3 Subject Alternative Name: > DNS:nobody
On Thu, 4 Apr 2019 at 12:57, Davide Belloni <davide.bell...@gmail.com> wrote: > Hi, thanks very much for all the advices! > About the action to generate the certificate I've followed the squid wiki, > that doesn't modify (if I remember correctly) openssl conf to create it . > > Do you have some link to a good howto about that? > > Thanjs > > Il gio 4 apr 2019, 12:35 Amos Jeffries <squ...@treenet.co.nz> ha scritto: > >> On 4/04/19 10:11 pm, Davide Belloni wrote: >> > Hi, >> > I've a problem in Ubuntu 18.04.2 with Squid 4.6 compiled with OpenSSL >> > 1.1 about ssl_bump. The same configuration works in Squid 3.5 and >> > OpenSSL 1.0 >> > >> > Here the relevant conf : >> > >> > ... >> > http_port 3128 ssl-bump options=ALL:NO_SSLv3 connection-auth=off >> > generate-host-certificates=off cert=/etc/squid/squidCA.pem >> > >> >> There are several differences which are relevant here. >> >> Firstly, the options= setting in v4 is buggy right now. >> >> Secondly, that "ALL" setting enables a large number of highly unsafe >> OpenSSL features. It is not a good idea to use that. >> >> Thirdly, v4 now checks the contents of that squidCA.pem file and only >> loads the actually needed cert/key/chain objects. v3 would load >> everything even if the cert properties were forbidden for use by a proxy >> or HTTP server. >> >> >> >> > # Not bypass server certificate validation errors >> > sslproxy_cert_error deny all >> > # This one return errors with debian on GCP >> > (https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery) >> > host_verify_strict off >> >> >> The above two directives are setting the defaults. It is only a waste of >> CPU cycles to configure that in any Squid version. No need to configure >> these at all. >> >> > >> > sslproxy_session_cache_size 0 >> > >> > acl step1 at_step SslBump1 >> > acl step2 at_step SslBump2 >> > acl step3 at_step SslBump3 >> > >> > ssl_bump peek step1 all >> > ssl_bump peek step2 all >> > >> > # API Google >> > acl api_google_urls url_regex >> > ^(https?:\/\/)?.*\.googleapis\.com(:443)?($|\/) >> > acl api_google_urls url_regex >> > ^(https?:\/\/)?.*\.google\.com(:443)?($|\/) >> > acl api_google_urls url_regex >> > ^(https?:\/\/)?.*\.cloud\.google\.com(:443)?($|\/) >> > acl api_google_urls url_regex >> > ^(https:\/\/)?([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3}) >> >> These regex are overly complex. These two patterns cover the same set of >> URLs: >> >> acl api_google_urls url_regex \ >> \.google(apis)?\.com(:443)?($|\/) >> ^(https:\/\/)?([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3}) >> >> >> >> > acl api_google_ssl ssl::server_name_regex .*\.googleapis\.com >> > acl api_google_ssl ssl::server_name_regex .*\.google\.com >> > acl api_google_ssl ssl::server_name_regex .*\.cloud\.google\.com >> >> Same with these ones: >> >> acl api_google_ssl ssl::server_name_regex \.google(apis)?\.com >> >> >> > acl api_google_ips src 127.0.0.1/32 >> > >> > http_access allow api_google_ips api_google_urls >> > ssl_bump splice step3 api_google_ips api_google_ssl >> > >> > http_access deny all >> > ssl_bump terminate step3 all >> > ... >> > >> > >> ... >> >> >> > >> > I'm upgrading to Squid4 with OpenSSL 1.1 because with Squid3 Ive some >> > connections that get stuck (for example >> > https://packages.cloud.google.com/apt/doc/apt-key.gpg) I think for >> > unsupported ciphers. >> > >> > But with Squid4 and OpenSSL1.1 I've this lines in cache log: >> > >> > 2019/04/04 08:49:15 kid1| ERROR: client https start failed to >> > allocate handle: error:140AB043:SSL >> > routines:SSL_CTX_use_certificate:passed a null parameter >> > >> >> Check the SquidCA.pem file actually contains a valid X.509 server CA >> certificate and matching key. >> >> >> > 2019/04/04 08:49:15 kid1| ERROR: could not create TLS server context >> > for local=127.0.0.1:3128 <http://127.0.0.1:3128> >> > remote=127.0.0.1:39203 <http://127.0.0.1:39203> FD 19 flags=1 >> > >> >> This must be fixed before any more advanced tests are worth performing. >> Their results will be invalid until Squid has an operational TLS context. >> >> >> Amos >> _______________________________________________ >> squid-users mailing list >> squid-users@lists.squid-cache.org >> http://lists.squid-cache.org/listinfo/squid-users >> > -- Davide Belloni http://about.me/davidebelloni http://www.linkedin.com/in/davidebelloni
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
