RE: [squid-users] store.cc crashing the squid child
Ahh.. on my backup proxy, in which I allow that subnet, I was again under attack, but this time the squid version is 3.4.5.

Squid Cache: Version 3.4.5
configure options: '--build=x86_64-unknown-linux-gnu' '--host=x86_64-unknown-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos,wrapper' '--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,AD_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi' '--enable-ssl' '--enable-ssl-crtd' '--enable-icmp' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=65535' '--with-dl' '--with-openssl' '--with-pthreads' '--with-included-ltdl' 'build_alias=x86_64-unknown-linux-gnu' 'host_alias=x86_64-unknown-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fPIC' 'PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig' --enable-ltdl-convenience

The syslog is saying below:

May 27 06:36:22 proxy1 squid[3503]: Squid Parent: (squid-1) process 16614 exited due to signal 6 with status 0
May 27 06:36:25 proxy1 squid[3503]: Squid Parent: (squid-1) process 16672 started
May 27 06:39:22 proxy1 squid[3503]: Squid Parent: (squid-1) process 16672 exited due to signal 6 with status 0
May 27 06:39:25 proxy1 squid[3503]: Squid Parent: (squid-1) process 16729 started
May 27 06:42:23 proxy1 squid[3503]: Squid Parent: (squid-1) process 16729 exited due to signal 6 with status 0
May 27 06:42:26 proxy1 squid[3503]: Squid Parent: (squid-1) process 16790 started
May 27 06:45:23 proxy1 squid[3503]: Squid Parent: (squid-1) process 16790 exited due to signal 6 with status 0
May 27 06:45:26 proxy1 squid[3503]: Squid Parent: (squid-1) process 16847 started
May 27 06:48:24 proxy1 squid[3503]: Squid Parent: (squid-1) process 16847 exited due to signal 6 with status 0
May 27 06:48:27 proxy1 squid[3503]: Squid Parent: (squid-1) process 16903 started
May 27 06:51:25 proxy1 squid[3503]: Squid Parent: (squid-1) process 16903 exited due to signal 6 with status 0
May 27 06:51:28 proxy1 squid[3503]: Squid Parent: (squid-1) process 16963 started
May 27 06:54:25 proxy1 squid[3503]: Squid Parent: (squid-1) process 16963 exited due to signal 6 with status 0
May 27 06:54:28 proxy1 squid[3503]: Squid Parent: (squid-1) process 17019 started

The cache log is saying this and restarting the child every time:

2014/05/27 06:36:21 kid1| assertion failed: store.cc:915: store_status == STORE_PENDING
2014/05/27 06:39:21 kid1| assertion failed: store.cc:915: store_status == STORE_PENDING
2014/05/27 06:42:22 kid1| assertion failed: store.cc:915: store_status == STORE_PENDING
2014/05/27 06:45:23 kid1| assertion failed: store.cc:915: store_status == STORE_PENDING
2014/05/27 06:48:23 kid1| assertion failed: store.cc:915: store_status == STORE_PENDING
2014/05/27 06:51:24 kid1| assertion failed: store.cc:915: store_status == STORE_PENDING
2014/05/27 06:54:24 kid1| assertion failed: store.cc:915: store_status == STORE_PENDING

Again, from the access log I have not been able to point out who could be the culprit of that, and further what query made it possible for him to exploit this vulnerability of the latest version of squid 3.4.5. Any inside expert opinion on filtering such exploiting requests?

BR
Farooq

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Tuesday, May 27, 2014 10:55 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] store.cc crashing the squid child

On 27/05/2014 4:32 p.m., Farooq Bhatti wrote:
Hi There,
Pardon me for the long email. Actually I faced a DOS attack in a university setup and want to get help to avoid it in future. I am using the following squid version:
squid -v
Squid Cache: Version 3.4.3

Could be this:
http://www.squid-cache.org/Advisories/SQUID-2014_1.txt
Please
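The restart loop above is exactly the pattern a monitoring rule should catch before a user reports the proxy as "down". As an added example (not code from the thread or the Squid project), here is a small Python checker that parses the "Squid Parent: ... exited due to signal N" syslog lines and the "assertion failed:" cache.log lines, flags a crash loop when several signal exits fall inside a short window, and extracts the file:line and expression of the assertion so the advisory lookup or bug report has the exact signature. The sample lines are a constructed subset of the ones quoted above; the year 2014 is an assumption because syslog timestamps carry none.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample input: a subset of the syslog and cache.log lines quoted in the message above.
SYSLOG = """\
May 27 06:36:22 proxy1 squid[3503]: Squid Parent: (squid-1) process 16614 exited due to signal 6 with status 0
May 27 06:36:25 proxy1 squid[3503]: Squid Parent: (squid-1) process 16672 started
May 27 06:39:22 proxy1 squid[3503]: Squid Parent: (squid-1) process 16672 exited due to signal 6 with status 0
May 27 06:39:25 proxy1 squid[3503]: Squid Parent: (squid-1) process 16729 started
May 27 06:42:23 proxy1 squid[3503]: Squid Parent: (squid-1) process 16729 exited due to signal 6 with status 0
May 27 06:42:26 proxy1 squid[3503]: Squid Parent: (squid-1) process 16790 started
May 27 06:45:23 proxy1 squid[3503]: Squid Parent: (squid-1) process 16790 exited due to signal 6 with status 0
May 27 06:45:26 proxy1 squid[3503]: Squid Parent: (squid-1) process 16847 started
"""
CACHE_LOG = """\
2014/05/27 06:36:21 kid1| assertion failed: store.cc:915: store_status == STORE_PENDING
2014/05/27 06:39:21 kid1| assertion failed: store.cc:915: store_status == STORE_PENDING
2014/05/27 06:42:22 kid1| assertion failed: store.cc:915: store_status == STORE_PENDING
2014/05/27 06:45:23 kid1| assertion failed: store.cc:915: store_status == STORE_PENDING
"""

# "Squid Parent: (<kid>) process <pid> exited due to signal <n>" is the master process reporting a dead worker.
EXIT_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ squid\[\d+\]: Squid Parent: "
                     r"\((\S+)\) process (\d+) exited due to signal (\d+)")
ASSERT_RE = re.compile(r"^\S+ \S+ (kid\d+)\| assertion failed: (\S+:\d+): (.*)$")


def parse_exits(syslog_text, year=2014):
    """Return (timestamp, kid, pid, signal) for each abnormal worker exit.
    Syslog timestamps carry no year, so the caller supplies one (assumed 2014 here)."""
    events = []
    for line in syslog_text.splitlines():
        m = EXIT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), int(m.group(3)), int(m.group(4))))
    return events


def crash_loops(events, window_s=600, threshold=3):
    """Report kids with at least `threshold` signal exits inside any `window_s` span.
    A single abort is an incident to investigate; a tight loop like the 3-minute cycle above
    means the trigger is still arriving and the proxy is effectively down."""
    stamps_by_kid = {}
    for ts, kid, _pid, _sig in events:
        stamps_by_kid.setdefault(kid, []).append(ts)
    looping = {}
    for kid, stamps in stamps_by_kid.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_s:
                looping[kid] = len(stamps)
                break
    return looping


def assertion_sites(cache_log_text):
    """Count which assertion fired, keyed by (file:line, expression): the exact detail an
    advisory lookup or bug report needs, and a stable signature for an alert rule."""
    sites = Counter()
    for line in cache_log_text.splitlines():
        m = ASSERT_RE.match(line)
        if m:
            sites[(m.group(2), m.group(3))] += 1
    return sites
```

Pairing the two outputs (a crash loop on squid-1 plus a single repeating assertion site) is what distinguishes a deterministic trigger from random instability, and it is the detail worth correlating with access.log timestamps just before each exit.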
Re: [squid-users] ipv6 ssl bump intercept issue.::solved::
On May 26, 2014, at 2:34 AM, Amos Jeffries squ...@treenet.co.nz wrote:

On 26/05/2014 1:42 p.m., jeffrey j donovan wrote:
Greetings,
squid 3.3.8 intercept ssl bump connecting to Facebook is returning an ipv6 address. chrome refuses, safari ssl bump happens, the cert can be saved. the page is text only, and ugly. logs are showing only IPv6 activity. How can I force ipv4 in this case?

Your logs show IPv6 is working fine. Nothing to do there.

18 10.1.1.130 TCP_MISS/301 337 GET https://facebook.com/ - PINNED/2a03:2880:2110:df07:face:b00c:0:1 text/html
1401067623.504 190 10.1.1.130 TCP_MISS/200 13708 GET https://www.facebook.com/ - PINNED/2a03:2880:f000:601:face:b00c:0:1 text/html
1401067644.751 109 10.1.1.130 TCP_MISS/200 13415 GET https://www.facebook.com/ - PINNED/2a03:2880:f000:601:face:b00c:0:1 text/html
1401067649.585 79 10.1.1.130 TCP_MISS/200 13426 GET https://www.facebook.com/ - PINNED/2a03:2880:f000:601:face:b00c:0:1 text/html
1401067668.503 33 10.1.1.133 TCP_MISS/200 338 GET http://ping.chartbeat.net/ping? - HIER_DIRECT/54.225.169.62 image/gif
1401067699.486 96 10.1.1.130 TCP_MISS/301 337 GET https://facebook.com/ - PINNED/2a03:2880:2110:df07:face:b00c:0:1 text/html

* The log trace does not show any CSS or JS content is even attempted being fetched by the client. This matches the visible display problem you describe.
* If the failures were from Squid you would see 400/500 status error codes. Probably with hierarchy information saying NONE/-.
* There are at least 4 protocols involved here. IPv6 is only one, and appears to be fine.
* The sites you are mentioning are all known to be pushing for SPDY and/or QUIC protocol to be adopted over TLS (port 443).
* The browsers you are having the worst problems with are ones known to be implementing the HSTS protocol extensions to TLS/SSL. The so-called certificate pinning or certificate whitelisting, where the browser locates the CA certificate via methods such that a forged cert (ie ssl-bump) cannot be used.
* Squid 3.3 ssl-bumping uses the client-first method, which is a very nasty way to do it and does not work if the website has a small amount of SSL security extensions actually being used.
* If IPv6 has anything at all to do with this it would take the form of the client attempting IPv6 port 80/443 connections and not being intercepted at all.

I think it is very likely that the client browser is attempting to use SPDY protocol over port 443 to fetch the supporting page pieces and using HSTS to break the connectivity to Squid. Half connections like that are not yet logged.
The last point about the client using IPv6 and not being intercepted is second most likely.

i just checked twitter, and it doesn't even connect. all ipv6.

068202.932 4 10.1.1.130 TCP_MEM_HIT/200 107371 GET https://www.google.com/xjs/_/js/k=xjs.s.en_US.u4s5c7_Kv3Q.O/m=sy69,abd,sy64,sy90,sy110,sy63,sy50,sy85,sy87,sy91,sy111,sy65,sy51,sy53,sy55,sy115,sy112,sy77,sy140,sy66,sy125,sy52,sy56,sy83,sy116,sy114,sy113,sy141,sy142,sy119,sy122,sy54,sy88,sy117,sy139,sy143,sy144,sy145,sy146,actn,sy147,adp,aspn,sy46,sy45,async,sy21,cdos,crd,erh,foot,sy81,gf,sy133,hv,idck,sy82,sy101,imap,sy23,jsaleg,lc,sy70,sy71,sy243,lu,sy246,m,me,sf,tbui,sy47,sy61,sy48,em4,em5,em6,sy49,tnv,vm,sy102,vs,sy176,wta,sy67,sy68,sy193,sy192,sy214,ilrp,iur,sy93,sy134,kpfc,sy204,sy237,kptm,rmr/am=Gfw_FQY9ogCEwAo/rt=j/d=0/sv=1/t=zcms/rs=AItRSTPVXuEeQnAb7f5bz9d2nWCC_p2Fcw - HIER_NONE/- text/javascript
1401068203.011 23 10.135.1.130 TCP_MISS/204 340 GET https://www.google.com/client_204? - PINNED/2607:f8b0:4004:808::1012 text/html
1401068203.019 21 10.135.1.130 TCP_MISS/204 340 GET https://www.google.com/gen_204? - PINNED/2607:f8b0:4004:808::1012 text/html
1401068244.254 23 10.135.1.130 TCP_MISS/200 724 GET https://www.google.com/url? - PINNED/2607:f8b0:4004:808::1012 text/html

There is no information about twitter in that log. It might as well say jims-amateur-porn.com for all the relevance the trace has to Twitter.
FYI: Twitter is another big player pushing SPDY aggressively. So it also fits in with *all* of the above points.

I suggest you:
1) upgrade your Squid to the latest release. Today that is 3.4.5
2) change your configuration to server-first bumping (will require cert DB erase and rebuild).
3) check the IPv6 NAT intercept you have set up. It may need configuring separately to the IPv4 intercept (depending on your kernel).

Amos

Thanks for the reply Amos, it turned out to be a bad certificate in the client. #2 of your suggestions helped find that. I reconfigured with the new certificate and things started working. I jumped to conclusions thinking it was ipv6 -- my mistake. upgrade coming soon.
-j
[squid-users] Why not cached ?
I was wondering about the very few HITs in this squid installation, and did some checking:

access.log:
1401203150.334 1604 10.1.10.121 TCP_MISS/200 718707 GET http://l5.yimg.com/av/moneyball/ads/0-1399331780-5313.jpg - ORIGINAL_DST/66.196.65.174 image/jpeg
1401203186.100 1327 10.1.10.121 TCP_MISS/200 718707 GET http://l5.yimg.com/av/moneyball/ads/0-1399331780-5313.jpg - ORIGINAL_DST/66.196.65.174 image/jpeg

cache.log:
2014/05/27 14:52:12 kid1| Starting Squid Cache version 3.4.5-20140514-r13135 for i686-pc-linux-gnu...
2014/05/27 14:52:12 kid1| Process ID 7477
2014/05/27 14:52:12 kid1| Process Roles: worker
2014/05/27 14:52:12 kid1| With 1024 file descriptors available
2014/05/27 14:52:12 kid1| Initializing IP Cache...
2014/05/27 14:52:12 kid1| DNS Socket created at [::], FD 7
2014/05/27 14:52:12 kid1| DNS Socket created at 0.0.0.0, FD 8
2014/05/27 14:52:12 kid1| Adding nameserver 127.0.0.1 from /etc/resolv.conf
2014/05/27 14:52:12 kid1| Logfile: opening log daemon:/tmp/var/log/squid/access.log
2014/05/27 14:52:12 kid1| Logfile Daemon: opening log /tmp/var/log/squid/access.log
2014/05/27 14:52:12 kid1| Logfile: opening log daemon:/tmp/var/log/squid/store.log
2014/05/27 14:52:12 kid1| Logfile Daemon: opening log /tmp/var/log/squid/store.log
2014/05/27 14:52:12 kid1| Swap maxSize 0 + 2097152 KB, estimated 161319 objects
2014/05/27 14:52:12 kid1| Target number of buckets: 8065
2014/05/27 14:52:12 kid1| Using 8192 Store buckets
2014/05/27 14:52:12 kid1| Max Mem size: 2097152 KB
2014/05/27 14:52:12 kid1| Max Swap size: 0 KB
2014/05/27 14:52:12 kid1| Using Least Load store dir selection
2014/05/27 14:52:12 kid1| Set Current Directory to /tmp
2014/05/27 14:52:12 kid1| Finished loading MIME types and icons.
2014/05/27 14:52:12 kid1| HTCP Disabled.
2014/05/27 14:52:12 kid1| Squid plugin modules loaded: 0
2014/05/27 14:52:12 kid1| Accepting HTTP Socket connections at local=10.1.10.1:3129 remote=[::] FD 13 flags=9
2014/05/27 14:52:12 kid1| Accepting NAT intercepted HTTP Socket connections at local=10.1.10.1:3128 remote=[::] FD 14 flags=41
2014/05/27 14:52:13 kid1| storeLateRelease: released 0 objects

squid.conf:
root@voyage:/usr/local/squid/etc# vi squid.conf
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 10.1.10.1:3129
http_port 10.1.10.1:3128 intercept
cache_mem 2048 MB
memory_cache_mode always
access_log daemon:/tmp/var/log/squid/access.log squid
cache_store_log daemon:/tmp/var/log/squid/store.log squid
logfile_rotate 3
pid_filename /var/run/squid.pid
cache_log /tmp/var/log/squid/cache.log
coredump_dir /tmp
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
shutdown_lifetime 10 seconds

This squid is running on a scaled-down Debian, no HDD, with a mobile internet connection. So /tmp is in fact a RAM disk, and a good hit rate is very welcome. The example above should be cachable, or not? squid was accessed on port 3128, intercept.
[squid-users] Install Godaddy certificate on squid to use ssl-bumping functionality
Hi there,
My boss gave me a certificate purchased from Godaddy to intercept HTTPS requests.

squid.conf:
http_port 3127 transparent
http_port 3128
https_port 3129 transparent ssl-bump cert=/etc/ssl/myGodaddyCertif.crt
sslproxy_capath /etc/ssl/certs

When I restart squid I have an error:
ERROR: Failed to acquire SSL private key '/etc/ssl/myGodaddyCertif.crt': error:0906D06C:PEM routines:PEM_read_bio:no start line

I don't have a private key, so is this normal?
Thanks!
--
Antoine KLEIN
Re: [squid-users] Install Godaddy certificate on squid to use ssl-bumping functionality
Hi,

You can't possibly do this. To ssl-bump you need access to a private key to sign the certs you offer to clients. Not in a million years is a commercial CA going to give you their private key. Such a key can sign any certificate, which would then be trusted by any software that includes GoDaddy's CA (ie IE, Firefox, Chrome etc).

You need to use OpenSSL to set up your own CA and use its private key in Squid as the key to generate new certificates. And preferably install your new CA cert into your users' certificate stores as a Trusted CA.

The private key is basically the thing that any CA has to keep the most private for SSL to work. Providers like GoDaddy would probably have the machine that holds the private keys for at least their Root CA on a private network (if it is even networked at all) and use subordinate CAs to issue certificates to their clients (ie you). Unless you are a very large trusted organisation and jump through many hoops you will get a subordinate signing key from a reputable commercial CA. Otherwise, the internet and SSL would already be more borken than it is right now ;-)

Alex

On 27/05/14 19:13, Antoine Klein wrote:
Hi there,
My boss gave me a certificate purchased from Godaddy to intercept HTTPS requests.

squid.conf:
http_port 3127 transparent
http_port 3128
https_port 3129 transparent ssl-bump cert=/etc/ssl/myGodaddyCertif.crt
sslproxy_capath /etc/ssl/certs

When I restart squid I have an error:
ERROR: Failed to acquire SSL private key '/etc/ssl/myGodaddyCertif.crt': error:0906D06C:PEM routines:PEM_read_bio:no start line

I don't have a private key, so is this normal?
Thanks!
Re: [squid-users] Install Godaddy certificate on squid to use ssl-bumping functionality
Hi,

Mistake in my post: it should be:
and jump through many hoops you will *NOT* get a subordinate signing key from a reputable commercial CA. Otherwise, the internet and SSL would already be more borken than it is right now ;-)

Alex

On 27/05/14 19:13, Antoine Klein wrote:
Hi there,
My boss gave me a certificate purchased from Godaddy to intercept HTTPS requests.

squid.conf:
http_port 3127 transparent
http_port 3128
https_port 3129 transparent ssl-bump cert=/etc/ssl/myGodaddyCertif.crt
sslproxy_capath /etc/ssl/certs

When I restart squid I have an error:
ERROR: Failed to acquire SSL private key '/etc/ssl/myGodaddyCertif.crt': error:0906D06C:PEM routines:PEM_read_bio:no start line

I don't have a private key, so is this normal?
Thanks!
Re: [squid-users] Why not cached ?
Hi babajaga,

You can add 'debug_options 20,9 27,9 31,9 70,9 82,9 22,9 84,9 90,9' to your squid config to debug caching issues. Search through the log for a string that contains 'NO' (in uppercase). This string should explain why squid made the decision not to cache the http response.

Best wishes,
Pavel

On 05/27/2014 06:17 PM, babajaga wrote:
I was wondering about the very few HITs in this squid installation, and did some checking:

access.log:
1401203150.334 1604 10.1.10.121 TCP_MISS/200 718707 GET http://l5.yimg.com/av/moneyball/ads/0-1399331780-5313.jpg - ORIGINAL_DST/66.196.65.174 image/jpeg
1401203186.100 1327 10.1.10.121 TCP_MISS/200 718707 GET http://l5.yimg.com/av/moneyball/ads/0-1399331780-5313.jpg - ORIGINAL_DST/66.196.65.174 image/jpeg

cache.log:
2014/05/27 14:52:12 kid1| Starting Squid Cache version 3.4.5-20140514-r13135 for i686-pc-linux-gnu...
2014/05/27 14:52:12 kid1| Process ID 7477
2014/05/27 14:52:12 kid1| Process Roles: worker
2014/05/27 14:52:12 kid1| With 1024 file descriptors available
2014/05/27 14:52:12 kid1| Initializing IP Cache...
2014/05/27 14:52:12 kid1| DNS Socket created at [::], FD 7
2014/05/27 14:52:12 kid1| DNS Socket created at 0.0.0.0, FD 8
2014/05/27 14:52:12 kid1| Adding nameserver 127.0.0.1 from /etc/resolv.conf
2014/05/27 14:52:12 kid1| Logfile: opening log daemon:/tmp/var/log/squid/access.log
2014/05/27 14:52:12 kid1| Logfile Daemon: opening log /tmp/var/log/squid/access.log
2014/05/27 14:52:12 kid1| Logfile: opening log daemon:/tmp/var/log/squid/store.log
2014/05/27 14:52:12 kid1| Logfile Daemon: opening log /tmp/var/log/squid/store.log
2014/05/27 14:52:12 kid1| Swap maxSize 0 + 2097152 KB, estimated 161319 objects
2014/05/27 14:52:12 kid1| Target number of buckets: 8065
2014/05/27 14:52:12 kid1| Using 8192 Store buckets
2014/05/27 14:52:12 kid1| Max Mem size: 2097152 KB
2014/05/27 14:52:12 kid1| Max Swap size: 0 KB
2014/05/27 14:52:12 kid1| Using Least Load store dir selection
2014/05/27 14:52:12 kid1| Set Current Directory to /tmp
2014/05/27 14:52:12 kid1| Finished loading MIME types and icons.
2014/05/27 14:52:12 kid1| HTCP Disabled.
2014/05/27 14:52:12 kid1| Squid plugin modules loaded: 0
2014/05/27 14:52:12 kid1| Accepting HTTP Socket connections at local=10.1.10.1:3129 remote=[::] FD 13 flags=9
2014/05/27 14:52:12 kid1| Accepting NAT intercepted HTTP Socket connections at local=10.1.10.1:3128 remote=[::] FD 14 flags=41
2014/05/27 14:52:13 kid1| storeLateRelease: released 0 objects

squid.conf:
root@voyage:/usr/local/squid/etc# vi squid.conf
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 10.1.10.1:3129
http_port 10.1.10.1:3128 intercept
cache_mem 2048 MB
memory_cache_mode always
access_log daemon:/tmp/var/log/squid/access.log squid
cache_store_log daemon:/tmp/var/log/squid/store.log squid
logfile_rotate 3
pid_filename /var/run/squid.pid
cache_log /tmp/var/log/squid/cache.log
coredump_dir /tmp
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
shutdown_lifetime 10 seconds

This squid is running on a scaled-down Debian, no HDD, with a mobile internet connection. So /tmp is in fact a RAM disk, and a good hit rate is very welcome. The example above should be cachable, or not? squid was accessed on port 3128, intercept.
[squid-users] Re: Why not cached ?
Thanx, you are the man!

Problem was here in squid.conf:
maximum_object_size_in_memory
Default is 500 kB, which is too small.
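The diagnosis above (a 718707-byte object, a memory-only cache, and maximum_object_size_in_memory left at its default) can be checked mechanically from the access.log lines in the question before turning on debug_options. As an added example (not code from the thread or the Squid project), here is a Python checker that parses the native "squid" access.log format, finds URLs that are fetched as TCP_MISS more than once, and reports which of them the in-memory size limit explains. The two log lines are the ones quoted in the question, embedded as constructed sample input; the 500 kB limit is the value the thread states, and treating kB as 1024 bytes and "no cache_dir" as a parameter are assumptions rather than values read from squid.conf.

```python
import re
from collections import defaultdict

# Constructed sample input: the two access.log lines from the question above (native "squid" log format).
ACCESS_LOG = """\
1401203150.334 1604 10.1.10.121 TCP_MISS/200 718707 GET http://l5.yimg.com/av/moneyball/ads/0-1399331780-5313.jpg - ORIGINAL_DST/66.196.65.174 image/jpeg
1401203186.100 1327 10.1.10.121 TCP_MISS/200 718707 GET http://l5.yimg.com/av/moneyball/ads/0-1399331780-5313.jpg - ORIGINAL_DST/66.196.65.174 image/jpeg
"""

# Native format fields: time elapsed client code/status bytes method URL ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)/(?P<status>\d+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$"
)


def parse_access_log(text):
    """Parse native-format access.log lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["bytes"] = int(d["bytes"])
            d["status"] = int(d["status"])
            rows.append(d)
    return rows


def repeated_misses(rows):
    """URLs answered with TCP_MISS/200 to a GET more than once: each repeat is a lost caching opportunity."""
    seen = defaultdict(list)
    for r in rows:
        if r["code"] == "TCP_MISS" and r["method"] == "GET" and r["status"] == 200:
            seen[r["url"]].append(r)
    return {url: rs for url, rs in seen.items() if len(rs) > 1}


def explain_misses(rows, max_in_memory_bytes=500 * 1024, has_cache_dir=False):
    """Map each repeated-miss URL to a reason. With no cache_dir (Max Swap size: 0 KB in the
    cache.log above) a reply larger than maximum_object_size_in_memory has nowhere to go and
    is never stored, whatever refresh_pattern says. The 500 kB default and the 1024-byte kB
    are assumptions taken from the thread, not read from squid.conf."""
    reasons = {}
    for url, rs in repeated_misses(rows).items():
        # access.log bytes count headers too, so this is an upper bound on the object size;
        # an object just under the limit could be misreported and should be confirmed via debug_options.
        size = max(r["bytes"] for r in rs)
        if not has_cache_dir and size > max_in_memory_bytes:
            reasons[url] = (f"{size} bytes exceeds maximum_object_size_in_memory "
                            f"({max_in_memory_bytes} bytes) and there is no cache_dir to spill to")
        else:
            reasons[url] = "size within limits; check refresh_pattern and response headers with debug_options"
    return reasons
```

Raising maximum_object_size_in_memory (or adding a cache_dir) changes the first branch to the second, which is the point at which Pavel's debug_options trace becomes the right next step for any misses that remain.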
Re: [squid-users] Install Godaddy certificate on squid to use ssl-bumping functionality
On 05/27/2014 09:13 PM, Antoine Klein wrote:
My boss gave me a certificate purchased from Godaddy to intercept HTTPS requests.

Do you need it for a reverse proxy by any chance, or for bumping legit ssl connections?
I am not sure you know that, but I asked anyway.

Eliezer
Re: [squid-users] Install Godaddy certificate on squid to use ssl-bumping functionality
I want to bump ssl connections, but without producing a warning of course.
I read it is possible to generate a certificate request with a key and send this file to an authority to sign it; do you know about that?

2014-05-27 16:08 GMT-04:00 Eliezer Croitoru elie...@ngtech.co.il:
On 05/27/2014 09:13 PM, Antoine Klein wrote:
My boss gave me a certificate purchased from Godaddy to intercept HTTPS requests.

Do you need it for a reverse proxy by any chance, or for bumping legit ssl connections?
I am not sure you know that, but I asked anyway.

Eliezer

--
Antoine KLEIN
Re: [squid-users] Install Godaddy certificate on squid to use ssl-bumping functionality
On 05/27/2014 11:19 PM, Antoine Klein wrote:
I want to bump ssl connections, but without producing a warning of course.
I read it is possible to generate a certificate request with a key and send this file to an authority to sign it; do you know about that?

If indeed you were an authority I would assume you won't be having ANY trouble doing what you need and/or want to do without even asking here.
It's very unlikely you own a root CA and ask here about an issue which should not be asked about at all.
Squid SSL-BUMP is ssl certificate mimicking, which can cause lots of errors if the client application has a very specific list of issues/ideas about the certificate properties.
It's risky and should be used with the knowledge that you are probably going to encounter these errors here and there, if not more than that.

Regards,
Eliezer
Re: [squid-users] Install Godaddy certificate on squid to use ssl-bumping functionality
On 28/05/2014 8:19 a.m., Antoine Klein wrote:
I want to bump ssl connections, but without producing a warning of course.
I read it is possible to generate a certificate request with a key and send this file to an authority to sign it; do you know about that?

Having your cert signed by a widely trusted certificate authority is one thing, and the basis of how TLS/SSL works.

SSL-bump cannot be used with that type of key for the reasons Alex already mentioned. He also mentioned the steps you have to take instead to get it going.

Amos