current status of bump-server-first + dynamic certs in 3.3??
Hey all, I want to use dynamic certificates (and/or mimic the original SSL server certs) while running in transparent mode. I know this is not possible in 3.2 because of the bump-client-first approach. The release roadmap for Squid 3 says that bump-server-first is (or will be) available in 3.3, which is under development right now. Mimicking the original SSL server cert is also available in 3.3. I want to know the current status of these two features in 3.3. How far along are they in testing, and how stable are they? Are the two features working correctly, or only to some extent? Can I start using them right now and gain more confidence as the release matures? Any anticipated dates for a stable 3.3? -- Regards, -Ahmed Talha Khan
dynamic SSL certificate generation not working in 3.3
Hey All, Alex, I am trying to use the dynamic SSL certificate generation in 3.3 (my sources are squid-3.HEAD-20120421-r12120). My squid setup is an interception proxy setup, so dynamic generation in interception is only possible after bump-server-first is available in 3.3. I have added the Root CA certificate (generated by myself) to the browser. The problem is that squid is still giving the same certificate to the client, which causes warnings in the browser. By "same" I mean the certificate that I created myself, which does not have the correct destination domain. Looking at the presented certificate in the browser, I can see the fields that I used to create the certificate. Effectively this means that dynamic certificate generation is not working. Also, certificates are supposed to be cached in the ssl_db by the sslcrtd_program. There are no certificates being generated in that path (/usr/local/squid-3.3/var/lib/ssl_db/certs). I can also see the 5 children of sslcrtd running, but it seems they are not doing their job. My config is below; https_port is the involved port since I am in interception mode.

ssl_bump allow all
# The next two lines make Squid accept any upstream server certificate,
# so no certificate validation happens on the server side of the bump.
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

## Dynamic certificate portion
sslcrtd_program /usr/local/squid-3.3/libexec/ssl_crtd -s /usr/local/squid-3.3/var/lib/ssl_db -M 4MB
sslcrtd_children 5

http_port 192.168.8.40:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/home/talha/squid/www.sample.com.pem key=/home/talha/squid/www.sample.com.pem
http_port 192.168.8.40:8080
https_port 192.168.8.40:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/home/talha/squid/www.sample.com.pem key=/home/talha/squid/www.sample.com.pem

# I am getting these errors in access.log for https sites (port 443 is being used as it is transparent-interception mode)
2012/04/26 13:12:59| clientNegotiateSSL: Error negotiating SSL connection on FD 14: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (1/0)
2012/04/26 13:12:59| clientNegotiateSSL: Error negotiating SSL connection on FD 16: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (1/0)
2012/04/26 13:12:59| clientNegotiateSSL: Error negotiating SSL connection on FD 25: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (1/0)
2012/04/26 13:12:59| clientNegotiateSSL: Error negotiating SSL connection on FD 23: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (1/0)

Which certificate is bad? Any idea why dynamic generation is not working? Or why this bad certificate error? -- Regards, -Ahmed Talha Khan
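The "which certificate is bad?" question can be answered from the log line itself. The script below is an added example, not code from the thread or from the Squid project: it parses clientNegotiateSSL lines like the ones quoted above, unpacks the hex OpenSSL error code into its library, function and reason fields, and maps alert reasons (OpenSSL reports a received TLS alert N as reason 1000 + N) back to the RFC 5246 alert name. An alert surfacing in SSL3_READ_BYTES was received from the peer, and in clientNegotiateSSL the peer is the browser, so the rejected certificate is the one Squid presented. It assumes the OpenSSL 1.0.x error-code packing (8-bit library, 12-bit function, 12-bit reason) that the 2012-era logs use; OpenSSL 3 dropped the function field. The sample lines are constructed and modelled on the post; the last two are invented to show a different alert and a non-alert failure.

```python
"""Decode Squid clientNegotiateSSL errors from cache.log (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# TLS AlertDescription values (RFC 5246, section 7.2). OpenSSL 1.0.x reports
# a *received* alert N as reason code SSL_AD_REASON_OFFSET (1000) + N.
ALERT_OFFSET = 1000
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    60: "export_restriction", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 90: "user_canceled", 100: "no_renegotiation",
    110: "unsupported_extension",
}

# Constructed sample, modelled on the cache.log lines quoted in the post above.
# The last two lines are invented to exercise another alert and a non-alert error.
SAMPLE_LOG = """\
2012/04/26 13:12:59| clientNegotiateSSL: Error negotiating SSL connection on FD 14: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (1/0)
2012/04/26 13:12:59| clientNegotiateSSL: Error negotiating SSL connection on FD 16: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (1/0)
2012/04/26 13:13:02| clientNegotiateSSL: Error negotiating SSL connection on FD 30: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2012/04/26 13:13:05| clientNegotiateSSL: Error negotiating SSL connection on FD 31: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number (1/0)
"""

LINE_RE = re.compile(
    r"\| (?P<where>\w+): Error negotiating SSL connection on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):"
    r"(?P<reason>.+?)\s*\(-?\d+/-?\d+\)\s*$"
)


@dataclass
class OpenSSLError:
    lib: int      # ERR_LIB_*; 20 is ERR_LIB_SSL
    func: int     # SSL_F_*; 148 is SSL_F_SSL3_READ_BYTES in 1.0.x
    reason: int   # SSL_R_*; alerts live at 1000 + alert number

    @property
    def alert(self) -> Optional[int]:
        """TLS alert number if this reason encodes a received alert, else None."""
        if ALERT_OFFSET <= self.reason < ALERT_OFFSET + 256:
            return self.reason - ALERT_OFFSET
        return None


def decode_openssl_error(code: int) -> OpenSSLError:
    """Unpack an OpenSSL 1.0.x packed error code (lib<<24 | func<<12 | reason)."""
    return OpenSSLError(lib=(code >> 24) & 0xFF,
                        func=(code >> 12) & 0xFFF,
                        reason=code & 0xFFF)


def alert_name(number: int) -> str:
    return TLS_ALERTS.get(number, f"alert_{number}")


@dataclass
class NegotiationError:
    where: str         # Squid function that logged it, e.g. clientNegotiateSSL
    fd: int
    code: int
    func_name: str     # OpenSSL function from the error string
    reason_text: str


def parse_line(line: str) -> Optional[NegotiationError]:
    """Return the parsed error, or None for lines that are not negotiation errors."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return NegotiationError(where=m["where"], fd=int(m["fd"]),
                            code=int(m["code"], 16), func_name=m["func"],
                            reason_text=m["reason"].strip())


def classify(err: NegotiationError) -> str:
    """Say who rejected what: an alert seen while *reading* was sent by the peer."""
    alert = decode_openssl_error(err.code).alert
    if alert is not None and err.func_name == "SSL3_READ_BYTES":
        # In clientNegotiateSSL the peer is the client, so the client refused
        # the certificate Squid presented (here: the static www.sample.com cert).
        peer = "client" if err.where == "clientNegotiateSSL" else "peer"
        return f"alert received from {peer}: {alert_name(alert)}"
    return f"local handshake failure: {err.reason_text}"


def summarize(log_text: str) -> Counter:
    """Count each failure class across a cache.log excerpt."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        err = parse_line(line)
        if err is not None:
            counts[classify(err)] += 1
    return counts


if __name__ == "__main__":
    for label, n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {label}")
```

Run it against a real cache.log excerpt instead of SAMPLE_LOG to see whether the failures are client-side rejections (the CA is not trusted, or the name does not match) or local handshake problems; for the post above the decoded answer is a received bad_certificate alert, i.e. the browser rejecting the certificate Squid served.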
Re: dynamic SSL certificate generation not working in 3.3
On Thu, Apr 26, 2012 at 8:51 PM, Alex Rousskov rouss...@measurement-factory.com wrote:
> On 04/26/2012 12:45 AM, Ahmed Talha Khan wrote:
>> I am trying to use the dynamic SSL certificate generation in 3.3 (my sources are squid-3.HEAD-20120421-r12120). My squid setup is an interception proxy setup. So dynamic generation in interception is only possible after bump-server-first is available in 3.3.
>
> Just to clarify:
>
> 1) There is no Squid v3.3 yet. You are using what we call Squid trunk or head.

Yes, sorry for the wrong terminology used. I meant head when I said 3.3.

> 2) Dynamic SSL certificate generation for intercepted traffic has not been committed to Squid trunk (or any other official Squid code base).

How can I get the code-base with these changes? Can you provide me those sources? Stability is not a big issue for me right now.

> For more details, please see my squid-dev email titled "Re: current status of bump-server-first + dynamic certs in 3.3?" and dated 2012/04/23.

Yes, you mentioned that. I thought maybe it was committed in the HEAD and being tested.

Thank you, Alex.

-- Regards, -Ahmed Talha Khan
Using squid as an SSL/TLS endpoint/unwrapper for other protocols
Hey All, I am interested in knowing how I can use squid as an SSL endpoint for protocols other than HTTPS. The scenario is that I want to use its SSL handling capability for some other protocol which is carried inside SSL. This requires hooks into the squid code-base. I assume that, the design being modular, there will be an SSL handling layer with interfaces connecting it to the main data-processing engine for HTTP. I want to tap into that interface and use the SSL layer output, which should be plain traffic. Since SSL output is not protocol specific, I would be able to use it for any protocol that I want. Can anybody give me hints where to start in the code and what to look for? Also, is there any other way? -- Regards, -Ahmed Talha Khan
Re: [squid-users] Squid performance profiling
>> bound because I can get much more throughput when I only run the generator with the server. In this case squid should be able to do more. Where is the bottleneck coming from?
>
> Your guesses would seem to be in the right direction. Your data should contain hints where to look closer. memcpy() and memory paging being so high are a suspicious hint.

I was looking for some deeper understanding of how and why this could happen. Why would squid not use all the CPU resource at its disposal? Could you give me pointers on that? I am willing to do extra testing and digging if it can help achieve better performance, especially in the case of HTTPS.

>> If anyone is interested in very detailed benchmarks, then I can provide them.
>
> Yes please :-)

Will do.

> PS. could you CC the squid-dev mailing list as well with the details. The more developer eyes we can get on this data the better. Although please do test a current release first, we have significantly changed the ACL handling which was one bottleneck in Squid, and have altered the mempools use of memset() in several locations in the latest 3.HEAD code.

Done.

> Amos

-- Regards, -Ahmed Talha Khan
Re: [squid-users] Squid performance profiling
On Thu, Jun 20, 2013 at 5:21 PM, Marcus Kool marcus.k...@urlfilterdb.com wrote:
> On 06/20/2013 06:51 AM, Amos Jeffries wrote:
>>> If anyone is interested in very detailed benchmarks, then I can provide them.
>>
>> Yes please :-)
>>
>> PS. could you CC the squid-dev mailing list as well with the details. The more developer eyes we can get on this data the better. Although please do test a current release first, we have significantly changed the ACL handling which was one bottleneck in Squid, and have altered the mempools use of memset() in several locations in the latest 3.HEAD code.
>>
>> Amos
>
> I understand that Amos is eager to get more tests and more results about the latest enhancements, but as Amos himself also stated earlier, please use a released version of Squid for testing, since the test results for 3.3.x or 3.4.x are interesting for admins of Squid who can consider upgrading, but test results for 3.HEAD are not useful for them since they are not likely to consider an upgrade to 3.HEAD.

Yes, sure, I can do that.

> And if you have spare resources, it would be interesting to perform the same test for 3.3.5 and 3.2.11 to see the differences between releases. And of course, when 3.4 comes out, perform the test again...
>
> The test that you performed is very nice. I am sure that many like this. But I also like to see the full squid.conf. Just for transparency and maybe to suggest an optimisation tweak.
>
> Thanks
> Marcus

-- Regards, -Ahmed Talha Khan
Fwd: [squid-users] Squid performance profiling
-- Forwarded message --
From: Ahmed Talha Khan aun...@gmail.com
Date: Fri, Jun 21, 2013 at 3:41 PM
Subject: Re: [squid-users] Squid performance profiling
To: Marcus Kool marcus.k...@urlfilterdb.com
Cc: Amos Jeffries squ...@treenet.co.nz, squid-us...@squid-cache.org

> I understand that Amos is eager to get more tests and more results about the latest enhancements, but as Amos himself also stated earlier, please use a released version of Squid for testing, since the test results for 3.3.x or 3.4.x are interesting for admins of Squid who can consider upgrading, but test results for 3.HEAD are not useful for them since they are not likely to consider an upgrade to 3.HEAD.
>
> And if you have spare resources, it would be interesting to perform the same test for 3.3.5 and 3.2.11 to see the differences between releases. And of course, when 3.4 comes out, perform the test again...
>
> The test that you performed is very nice. I am sure that many like this. But I also like to see the full squid.conf. Just for transparency and maybe to suggest an optimisation tweak.

Here is my squid.conf. I am using squid as a normal forward proxy with SSL bump. You will see that I have not tampered with the memory_pools or ssl_session settings much.

SQUID.CONF

cache_effective_user madmin
always_direct allow all
ssl_bump allow all
# The next two lines make Squid accept any upstream server certificate;
# acceptable for a benchmark rig, not for a production bump.
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

# No need for caching
cache deny all

# Don't need logs for benchmarks
access_log none

# SMP scale
workers 8

# Turn off ICAP for the benchmarks
icap_enable off

# Only for benchmarks
http_access allow all

# Dynamic certificate generation
sslcrtd_program /usr/local/squid-3.3/libexec/ssl_crtd -s /usr/local/squid-3.3/var/lib/ssl_db -M 4MB
sslcrtd_children 10

# PORTS
http_port 10.174.198.149:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/home/madmin/squid/ca.pem key=/home/madmin/squid/ca.pem
https_port 10.174.198.149:3129 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/home/madmin/squid/ca.pem key=/home/madmin/squid/ca.pem

> Thanks
> Marcus

-- Regards, -Ahmed Talha Khan