Re: [squid-users] Re: missing hostname in DynamicSslCert branch code ?

From: Luis Daniel Lucio Quiroz <luis.daniel.lucio_at_gmail.com>
Date: Sat, 27 Feb 2010 00:38:17 -0600

On Thursday 8 January 2009 22:47:50, Alex Rousskov wrote:
> On Wed, 2009-01-07 at 10:30 -0800, David Molnar wrote:
> > I am trying to run
> > the DynamicSslCert branch squid and running into a problem. It looks
> > like squid is somehow losing track of the hostname in the code that
> > attempts to generate the SSL certificate on the fly.
>
> Thank you for trying the new code and providing detailed debugging info.
>
> Before we dive into dynamic certificate generation bugs, let's verify
> that your setup works without dynamic certificate generation. Have you
> tried running stock Squid 3.1 with SslBump enabled? Does it work? You
> should be able to surf fine, but should get many certificate mismatch
> warnings/errors.
>
> I believe the SslBump wiki page has the basic config sample. Please
> confirm that stock SslBump works and we will go from there.
>
> Thank you,
>
> Alex.
>
> > I understand that this is experimental code and not guaranteed to work,
> > but if anyone happens to have an idea, or sees something I've
> > overlooked, I'd be grateful. Details follow.
> >
> > I started by setting up an http_port in my squid_conf like so:
> >
> > http_port 3128 sslBump generate-host-certificates=on
> > ca-config=/usr/local/ssl/openssl.cnf
> >
> > My full squid.conf is at
> > http://www.cs.berkeley.edu/~dmolnar/dyn-issue-squid.conf
> >
> > I then set up firefox to use 127.0.0.1:3128 as my proxy for http and
> > https. I see http requests handled properly at this point. When I go to
> > "https://www.bankofamerica.com" in firefox, however, I see nothing.
> >
> > I checked my cache.log. This is an excerpt from my cache.log:
> > 2009/01/05 22:32:21.661| httpRequestFree: www.bankofamerica.com:443
> > 2009/01/05 22:32:21.661| client_side.cc(3133) switchToHttps: converting
> > FD 9 to SSL
> > 2009/01/05 22:32:21.661| client_side.cc(3106) getSslContext: Generating
> > SSL certificate for
> >
> > At this point it looks like "host" is set equal to "".
> > Immediately after I see this:
> >
> > 2009/01/05 22:32:21.661| ssl_support.cc(1207)
> > generateCaSignedSslCertificate: Generating CA-signed certificate for
> > 2009/01/05 22:32:21.661| ssl_support.cc(1180) runSystemCommand: Running:
> > openssl req -new -newkey rsa:1024 -nodes -days 500 -subj /C=EN/CN= -out
> > server.csr -keyout server.key 2>/dev/null
> > 2009/01/05 22:32:21.661| ssl_support.cc(1182) runSystemCommand: Command
> > (openssl req -new -newkey rsa:1024 -nodes -days 500 -subj /C=EN/CN= -out
> > server.csr -keyout server.key 2>/dev/null) failed
> > 2009/01/05 22:32:21.708| ssl_support.cc(1193)
> > generateSelfSignedSslCertificate: Generating self-signed certificate for
> > 2009/01/05 22:32:21.708| ssl_support.cc(1180) runSystemCommand: Running:
> > openssl req -new -newkey rsa:1024 -nodes -x509 -days 500 -subj /C=EN/CN=
> > -out server.crt -keyout server.key 2>/dev/null
> > 2009/01/05 22:32:21.708| ssl_support.cc(1182) runSystemCommand: Command
> > (openssl req -new -newkey rsa:1024 -nodes -x509 -days 500 -subj
> > /C=EN/CN= -out server.crt -keyout server.key 2>/dev/null) failed
> > 2009/01/05 22:32:21.787| client_side.cc(3111) getSslContext: Failed to
> > generate SSL cert for
> > 2009/01/05 22:32:21.787| Closing SSL FD 9 as lacking SSL context
> >
> > Full log (warning: kind of long) at
> > http://www.cs.berkeley.edu/~dmolnar/dyn-issue-cache.log
> >
> > I tried the openssl commands on the command line, and the failure comes
> > because openssl complains about a CN of "". That then causes a non-zero
> > return code, in turn causing getSslContext to report failure.
> >
> > Does anyone have a suggestion for what to try next? I also tried setting
> > up an https_port with the same options as above, i.e.
> >
> > http_port 3129 sslBump generate-host-certificates=on
> > ca-config=/usr/local/ssl/openssl.cnf
> >
> > Unfortunately this led to an error "failure to acquire certificate" on
> > startup, and a note in the cache.log that port 3129 was disabled due to
> > certificate error. Do I need to also add additional options of some kind?
> >
> > Thanks again for any help,
> > -David Molnar

I would like to know if there is a tar.gz of that branch. I did try using it from
this page: https://code.launchpad.net/~rousskov/squid/DynamicSslCert
by doing a

bzr branch http://bazaar.launchpad.net/~rousskov/squid/DynamicSslCert

then I ran bootstrap.sh and the configure script was created,
but when I did a grep -r enable-ssl-crtd * to search for that option I
couldn't find anything.

Is there something I was missing, or do I just have to compile to have
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB available?

TIA

LD
Received on Sun Feb 28 2010 - 01:33:26 MST
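The cache.log excerpt quoted in the thread shows both openssl req invocations failing because the host passed to the certificate generator was empty, producing -subj /C=EN/CN= and a non-zero exit status. The wrapper below is an added example, not code from Squid or the DynamicSslCert branch: it reproduces the two command lines from the log, rejects an empty or malformed hostname before spawning openssl, and passes the command as an argv list so the hostname reaches openssl as a single argument. The function names, the RFC 1123 hostname rule and the temp-directory handling are my own assumptions.

```python
"""Added example: guard the on-the-fly certificate request shown in the thread.

Not Squid's code. The two openssl command lines are taken from the quoted
cache.log; the validation rule and helper names are assumptions of this example.
"""
import os
import re
import shutil
import subprocess
import tempfile

# One DNS label per RFC 1123: 1-63 alphanumerics/hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_hostname(host):
    """True if host is a syntactically valid DNS name usable as a certificate CN."""
    if not host or len(host) > 253:
        return False
    return all(_LABEL.match(label) for label in host.rstrip(".").split("."))


def build_openssl_req_argv(host, self_signed=False, out_dir=".", days=500, key_bits=1024):
    """Build the argv for the request the log shows Squid running.

    self_signed=False gives the CSR form (generateCaSignedSslCertificate in the log),
    self_signed=True the -x509 form (generateSelfSignedSslCertificate).
    Raises ValueError instead of letting openssl fail later on an empty CN.
    """
    if not valid_hostname(host):
        raise ValueError("refusing to request a certificate for CN=%r" % (host,))
    argv = ["openssl", "req", "-new", "-newkey", "rsa:%d" % key_bits, "-nodes"]
    if self_signed:
        argv.append("-x509")
    out_file = os.path.join(out_dir, "server.crt" if self_signed else "server.csr")
    argv += ["-days", str(days), "-subj", "/C=EN/CN=%s" % host,
             "-out", out_file, "-keyout", os.path.join(out_dir, "server.key")]
    return argv


def generate(host, self_signed=True):
    """Run the request in a scratch directory.

    Returns (returncode, output_file_was_written), or None when no openssl
    binary is on PATH so the example still runs offline.
    """
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        argv = build_openssl_req_argv(host, self_signed=self_signed, out_dir=tmp)
        rc = subprocess.run(argv, stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL).returncode
        return rc, os.path.exists(argv[argv.index("-out") + 1])


if __name__ == "__main__":
    print(build_openssl_req_argv("www.bankofamerica.com"))
    print(generate("www.bankofamerica.com"))
    try:
        build_openssl_req_argv("")          # the empty host seen in the log
    except ValueError as exc:
        print("rejected:", exc)
```

Checking the hostname first turns the silent "Command (...) failed" seen in the log into an explicit error at the point where the host went missing, which is where the poster's debugging had to go anyway.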

This archive was generated by hypermail 2.2.0 : Sun Feb 28 2010 - 12:00:06 MST