Re: Trying to get squid with ssl bump working

2016-01-29 Thread Stuart Henderson
On 2016-01-29, Ted Wynnychenko  wrote:
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all

I have it like this, but it should be equivalent apart from the exemption

acl exemption dstdomain example.org
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump !exemption
ssl_bump splice all

> http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

same except path (mine is under /var/squid) and I am specifying the
IP address

> sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/ssl_db -M 8MB

same except path (/var/squid/lib/ssl_db here) and 4MB

> sslcrtd_children 32 startup=5 idle=1

I didn't include this line but I believe it's the default anyway

I also explicitly set "sslproxy_cert_sign signTrusted", I think that's
the default but I may be wrong

> cache_dir ufs /var/squid/cache 5 64 512

aufs here, should be no difference

> -rw-r--r--  1 _squid  _squid 0B Jan 24 23:42 index.txt
> -rw-r--r--  1 _squid  _squid 1B Jan 24 23:42 size
>
> No, "serial" present, so it was added:
>
> # echo "101" > /var/squid/ssl_db/serial
> # chown _squid /var/squid/ssl_db/serial

I do not have "serial":

$ ls -l /var/squid/lib/ssl_db/
total 16
drwxr-xr-x  2 _squid  _squid  1024 Jan 29 23:56 certs/
-rw-r--r--  1 _squid  _squid  2193 Jan 29 23:56 index.txt
-rw-r--r--  1 _squid  _squid 5 Jan 29 23:56 size

> 2016/01/24 23:45:53| With 128 file descriptors available

That seems rather on the low side, I have this in /etc/login.conf
and I start it with "rcctl start squid" to make sure that the class
is used.

squid:\
:openfiles-cur=2048:\
:openfiles-max=2048:\
:datasize=1500M:\
:tc=daemon:

/var/squid/logs/cache.log.6:2016/01/22 17:22:08 kid1| With 2048 file descriptors available

$ nc -X connect -vvc -T noverify -T tlslegacy -x $proxy:3128 spacehopper.org 443
Connection to spacehopper.org 443 port [tcp/https] succeeded!
TLS handshake negotiated TLSv1.2/AES256-GCM-SHA384 with host spacehopper.org
Peer name: spacehopper.org
Subject: /CN=spacehopper.org
Issuer: /C=GB/CN=squidCA
Valid From: Fri Jan 22 22:53:00 2016
Valid Until: Thu Apr 21 23:53:00 2016
Cert Hash: SHA256:c8d5b69f956e4d6aa6f3bbade565e76dead21e34026a32d5a5348550326819d5

(I needed -T tlslegacy for nc, most things just connect with defaults,
iirc I may have a short key somewhere - it's been a while since I set
it up..)
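The nc check above works because a bumped connection hands the client a leaf certificate issued by the proxy's own CA (here "/C=GB/CN=squidCA"), while a spliced connection (the "exemption" domains) passes the origin's real certificate through. The script below, an added example that is not part of either post, automates that check with openssl so you can confirm the peek/bump/splice policy per domain. It assumes the proxy CA's CN is "squidCA" as in the nc output (override with PROXY_CA_CN), that the proxy speaks plain CONNECT on the given host:port, and that `openssl s_client -proxy` is available (OpenSSL 1.1.0 or later; LibreSSL's s_client lacks it, so use the nc pipeline from the thread there).

```sh
#!/bin/sh
# Added example for this thread (not from the original posts): report whether a
# TLS connection made through the CONNECT proxy comes back "bumped" (leaf signed
# by the squid CA) or "spliced" (the origin's own certificate).
# Assumption: the proxy CA's CN is "squidCA"; override with PROXY_CA_CN.
PROXY_CA_CN="${PROXY_CA_CN:-squidCA}"

# Pull the CN out of an "issuer=" line as printed by `openssl x509 -issuer`.
# Handles both the older "/C=GB/CN=squidCA" and the newer "C = GB, CN = squidCA"
# layouts; trailing whitespace is trimmed.
issuer_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/[[:space:]]*$//'
}

# "bumped" if the leaf was issued by the proxy CA, otherwise "spliced".
classify_issuer() {
    if [ "$(issuer_cn "$1")" = "$PROXY_CA_CN" ]; then
        echo bumped
    else
        echo spliced
    fi
}

# Fetch the leaf certificate's issuer for target $2 via CONNECT proxy $1 (host:port).
# Verification is deliberately not required here: the point is to see who signed
# the leaf, not to trust it.
fetch_issuer() {
    openssl s_client -proxy "$1" -connect "$2:443" -servername "$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer
}

# usage: probe_bump.sh proxy_host:3128 spacehopper.org
if [ $# -eq 2 ]; then
    issuer=$(fetch_issuer "$1" "$2") || exit 1
    echo "$2: $issuer -> $(classify_issuer "$issuer")"
fi
```

Run it once against a domain that should be bumped and once against one listed in the exemption acl; if the exempted domain also reports "bumped", the `ssl_bump splice all` line is not being reached for it.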



Re: Trying to get squid with ssl bump working

2016-01-29 Thread Theodore Wynnychenko
-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Stuart
Henderson
Sent: Friday, January 29, 2016 6:31 PM
To: misc@openbsd.org
Subject: Re: Trying to get squid with ssl bump working

...

I didn't include this line but I believe it's the default anyway

I also explicitly set "sslproxy_cert_sign signTrusted", I think that's
the default but I may be wrong

...


Thank you so much!

According to squid-cache.org there is no default for "sslproxy_cert_sign"

I added "sslproxy_cert_sign signTrusted" to squid.conf and the https proxy
sprang to life.

I also changed login.conf as you suggest.

Thanks again
