On 2016-01-29, Ted Wynnychenko wrote:
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all
I have it like this, but it should be equivalent apart from the exemption:
acl exemption dstdomain example.org
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump !exemption
ssl_bump splice all
> http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
Same except for the path (mine is under /var/squid), and I am specifying the
IP address.
> sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/ssl_db -M 8MB
Same except for the path (/var/squid/lib/ssl_db here) and 4MB.
> sslcrtd_children 32 startup=5 idle=1
I didn't include this line, but I believe it's the default anyway.
I also explicitly set "sslproxy_cert_sign signTrusted"; I think that's
the default, but I may be wrong.
> cache_dir ufs /var/squid/cache 5 64 512
aufs here; should be no difference.
> -rw-r--r-- 1 _squid _squid 0B Jan 24 23:42 index.txt
> -rw-r--r-- 1 _squid _squid 1B Jan 24 23:42 size
>
> No, "serial" present, so it was added:
>
> # echo "101" > /var/squid/ssl_db/serial
> # chown _squid /var/squid/ssl_db/serial
I do not have "serial":
$ ls -l /var/squid/lib/ssl_db/
total 16
drwxr-xr-x 2 _squid _squid 1024 Jan 29 23:56 certs/
-rw-r--r-- 1 _squid _squid 2193 Jan 29 23:56 index.txt
-rw-r--r-- 1 _squid _squid 5 Jan 29 23:56 size
> 2016/01/24 23:45:53| With 128 file descriptors available
That seems rather on the low side. I have this in /etc/login.conf
and start it with "rcctl start squid" to make sure that the class
is used.
squid:\
:openfiles-cur=2048:\
:openfiles-max=2048:\
:datasize=1500M:\
:tc=daemon:
/var/squid/logs/cache.log.6:2016/01/22 17:22:08 kid1| With 2048 file descriptors available
$ nc -X connect -vvc -T noverify -T tlslegacy -x $proxy:3128 spacehopper.org 443
Connection to spacehopper.org 443 port [tcp/https] succeeded!
TLS handshake negotiated TLSv1.2/AES256-GCM-SHA384 with host spacehopper.org
Peer name: spacehopper.org
Subject: /CN=spacehopper.org
Issuer: /C=GB/CN=squidCA
Valid From: Fri Jan 22 22:53:00 2016
Valid Until: Thu Apr 21 23:53:00 2016
Cert Hash: SHA256:c8d5b69f956e4d6aa6f3bbade565e76dead21e34026a32d5a5348550326819d5
(I needed -T tlslegacy for nc; most things just connect with defaults.
IIRC I may have a short key somewhere; it's been a while since I set
it up.)
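As an added example (not part of this thread and not Squid's own code), the nc check above can be turned into a small policy test for the peek/bump/splice rules with the dstdomain exemption: a host the proxy bumps presents a leaf certificate issued by the proxy CA (the thread shows "Issuer: /C=GB/CN=squidCA"), while a spliced host still presents its real issuer. The script classifies each host from the Issuer line and compares that with the policy you expect. The CA CN "squidCA", the exempt host example.org, the proxy address and the two handshake outputs are assumptions or constructed samples; probe_host needs network and OpenBSD's nc, the rest runs offline.

```sh
#!/bin/sh
# Added example, not from the thread. Verifies that the ssl_bump rules
# (peek at step1, bump everything except the dstdomain exemption, splice
# the rest) do what you expect by inspecting the certificate seen through
# the proxy.

# Assumption: the CN of the CA given as cert= on http_port. The thread's
# output shows Issuer: /C=GB/CN=squidCA, so that is the default here.
PROXY_CA_CN="${PROXY_CA_CN:-squidCA}"

# classify_issuer: read nc -vvc (or openssl s_client) handshake output on
# stdin and print "bumped" when the leaf was signed by the proxy CA,
# "spliced" when some other issuer signed it, "unknown" when no Issuer
# line is present (e.g. the connection failed before the handshake).
classify_issuer() {
    issuer=$(sed -n 's/^Issuer: *//p' | head -n 1)
    case "$issuer" in
        '') echo unknown ;;
        */CN="$PROXY_CA_CN"|*/CN="$PROXY_CA_CN"/*) echo bumped ;;
        *) echo spliced ;;
    esac
}

# probe_host HOST PROXY: connect to HOST:443 through PROXY (host:port)
# with OpenBSD nc, as in the thread, and classify the result. nc writes
# the TLS details to stderr, hence 2>&1. Add -T tlslegacy if, as in the
# thread, the proxy CA key is too short for the default policy.
probe_host() {
    host=$1; proxy=$2
    nc -X connect -vvc -T noverify -x "$proxy" "$host" 443 </dev/null 2>&1 \
        | classify_issuer
}

# check_exemption EXPECTED OUTPUT: EXPECTED is "bump" or "splice" (the
# verb you expect Squid to apply to the host); OUTPUT is the handshake
# text. Returns 0 when the observed issuer agrees with the policy.
check_exemption() {
    expected=$1; output=$2
    got=$(printf '%s\n' "$output" | classify_issuer)
    case "$expected:$got" in
        bump:bumped|splice:spliced) return 0 ;;
        *) echo "policy mismatch: expected $expected, got $got" >&2; return 1 ;;
    esac
}

# Constructed sample outputs. The first mirrors the thread's nc output for
# a bumped host; the second is a made-up spliced host (the exemption) that
# still shows its real issuer because Squid only forwarded the TLS bytes.
BUMPED_SAMPLE='Connection to spacehopper.org 443 port [tcp/https] succeeded!
TLS handshake negotiated TLSv1.2/AES256-GCM-SHA384 with host spacehopper.org
Peer name: spacehopper.org
Subject: /CN=spacehopper.org
Issuer: /C=GB/CN=squidCA'

SPLICED_SAMPLE='Connection to example.org 443 port [tcp/https] succeeded!
TLS handshake negotiated TLSv1.2/AES256-GCM-SHA384 with host example.org
Peer name: example.org
Subject: /CN=example.org
Issuer: /C=US/O=Example CA/CN=Example Root'

# Offline self-check against the constructed samples.
check_exemption bump   "$BUMPED_SAMPLE"  && echo "bumped host: ok"
check_exemption splice "$SPLICED_SAMPLE" && echo "exempt host: ok"
```

Against a live proxy (192.0.2.1:3128 is a placeholder), `probe_host example.org 192.0.2.1:3128` should print "spliced" for the exempt domain and "bumped" for anything else; "unknown" usually means the CONNECT itself failed, which is worth checking in cache.log before blaming the rules.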